diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 8ea506fe9d..cd8005fa6d 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -23,6 +23,7 @@ Thanks, you're awesome :-) --> * Fix ecs GitHub repo link source branch #1393 * Add --exclude flag to Generator to support field removal testing #1411 +* Explicitly include user identifiers in `relater.user` description. #1420 #### Deprecated diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go index 22acb9fee2..b32da1647c 100644 --- a/code/go/ecs/related.go +++ b/code/go/ecs/related.go @@ -31,7 +31,7 @@ type Related struct { // All of the IPs seen on your event. IP string `ecs:"ip"` - // All the user names seen on your event. + // All the user names or other user identifiers seen on the event. User string `ecs:"user"` // All the hashes seen on your event. Populating this field, then using it diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index ea245be4c7..b11b2a4aef 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -6638,7 +6638,7 @@ Note: this field should contain an array of values. [[field-related-user]] <> -| All the user names seen on your event. +| All the user names or other user identifiers seen on the event. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index c26f2d84ae..c4fb6fad01 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -6111,7 +6111,7 @@ level: extended type: keyword ignore_above: 1024 - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. default_field: false - name: rule title: Rule diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 74a6f6d60c..e8f45ec2ae 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -706,7 +706,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.11.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 1.11.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 1.11.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.11.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. +1.11.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 1.11.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author 1.11.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category 1.11.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index ef0bd55bed..e6dcabc8dd 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -8866,14 +8866,14 @@ related.ip: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword rule.author: dashed_name: rule-author diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index c972da00ae..e3593e5508 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -10800,14 +10800,14 @@ related: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword group: 2 name: related diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 467a08cc42..6c043d01d9 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5126,7 +5126,7 @@ level: extended type: keyword ignore_above: 1024 - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. default_field: false - name: rule title: Rule diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 6c038e916f..e0d656ce7e 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -582,7 +582,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.11.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 1.11.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 1.11.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.11.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. +1.11.0-dev,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 1.11.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author 1.11.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category 1.11.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index f0e93ec851..c7f65018b2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -7443,14 +7443,14 @@ related.ip: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword rule.author: dashed_name: rule-author diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 6dc80d80a7..63f21fd256 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -9013,14 +9013,14 @@ related: type: ip related.user: dashed_name: related-user - description: All the user names seen on your event. + description: All the user names or other user identifiers seen on the event. flat_name: related.user ignore_above: 1024 level: extended name: user normalize: - array - short: All the user names seen on your event. + short: All the user names or other user identifiers seen on the event. type: keyword group: 2 name: related diff --git a/schemas/related.yml b/schemas/related.yml index 5e53009475..c40e339e7e 100644 --- a/schemas/related.yml +++ b/schemas/related.yml @@ -29,7 +29,8 @@ level: extended type: keyword description: > - All the user names seen on your event. + All the user names or other user identifiers seen on the event. + normalize: - array
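Review bot: The new description in schemas/related.yml says "other user identifiers" without naming which fields qualify, so producers may populate `related.user` inconsistently and a pivot on one identifier could miss events from another source. Consider naming the intended sources, for example `All the user names or other user identifiers (such as user.id or user.email) seen on the event.`; whether e-mail addresses are meant to be included needs confirming, since that also widens the personal data copied into this field. The same sentence is repeated in code/go/ecs/related.go, docs/field-details.asciidoc and the generated files, which presumably follow from this schema. The hunk also adds an empty line after the description text; under the folded `>` scalar this should not change the value, but it is not needed. The CHANGELOG.next.md entry spells the field `relater.user` where `related.user` is meant.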