From d5ea291e40a02eee48c4e6e40e2ecfaf4dd6d2e7 Mon Sep 17 00:00:00 2001
From: Maxwell Borden
Date: Tue, 27 Jun 2023 14:55:52 +0200
Subject: [PATCH] Added `container.privileged` field (#2219)

* added `container.privileged` field
* Added new field to CHANGELOG.next.md
* Rebuilt artifacts
---
 CHANGELOG.next.md | 1 +
 docs/fields/field-details.asciidoc | 16 ++++++++++++++++
 experimental/generated/beats/fields.ecs.yml | 5 +++++
 experimental/generated/csv/fields.csv | 1 +
 experimental/generated/ecs/ecs_flat.yml | 9 +++++++++
 experimental/generated/ecs/ecs_nested.yml | 9 +++++++++
 .../composable/component/container.json | 3 +++
 .../generated/elasticsearch/legacy/template.json | 3 +++
 generated/beats/fields.ecs.yml | 5 +++++
 generated/csv/fields.csv | 1 +
 generated/ecs/ecs_flat.yml | 9 +++++++++
 generated/ecs/ecs_nested.yml | 9 +++++++++
 .../composable/component/container.json | 3 +++
 generated/elasticsearch/legacy/template.json | 3 +++
 schemas/container.yml | 7 +++++++
 15 files changed, 84 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index c9bebd73c4..b527829e84 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -15,6 +15,7 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
 
 #### Added
+* Added `container.privileged` to indicated whether a container was started in privileged mode. #2219
 
 #### Improvements
 
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index 28d6f700f0..80ec002df7 100644
--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -1213,6 +1213,22 @@ type: long
 
 
 
+| extended
+
+// ===============================================================
+
+|
+[[field-container-privileged]]
+<>
+
+a| Indicates whether the container is running in privileged mode.
+
+type: bool
+
+
+
+
+
 | extended
 
 // ===============================================================
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index b7b1360826..8ff00d6980 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -944,6 +944,11 @@
 description: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
 default_field: false
+ - name: privileged
+ level: extended
+ type: bool
+ description: Indicates whether the container is running in privileged mode.
+ default_field: false
 - name: runtime
 level: extended
 type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 810c86fbb8..2d62bf6910 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -99,6 +99,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.10.0-dev+exp,true,container,container.name,keyword,extended,,,Container name.
 8.10.0-dev+exp,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
 8.10.0-dev+exp,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.10.0-dev+exp,true,container,container.privileged,bool,extended,,,Indicates whether the container is running in privileged mode.
 8.10.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
 8.10.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
 8.10.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 8a9b92abef..af895f4dd2 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1183,6 +1183,15 @@ container.network.ingress.bytes:
 normalize: []
 short: The number of bytes received on all network interfaces.
 type: long
+container.privileged:
+ dashed_name: container-privileged
+ description: Indicates whether the container is running in privileged mode.
+ flat_name: container.privileged
+ level: extended
+ name: privileged
+ normalize: []
+ short: Indicates whether the container is running in privileged mode.
+ type: bool
 container.runtime:
 dashed_name: container-runtime
 description: Runtime managing this container.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 0847697c3b..9cabccb95a 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1562,6 +1562,15 @@ container:
 normalize: []
 short: The number of bytes received on all network interfaces.
 type: long
+ container.privileged:
+ dashed_name: container-privileged
+ description: Indicates whether the container is running in privileged mode.
+ flat_name: container.privileged
+ level: extended
+ name: privileged
+ normalize: []
+ short: Indicates whether the container is running in privileged mode.
+ type: bool
 container.runtime:
 dashed_name: container-runtime
 description: Runtime managing this container.
diff --git a/experimental/generated/elasticsearch/composable/component/container.json b/experimental/generated/elasticsearch/composable/component/container.json
index 61b9d3fb50..fa7a0421ef 100644
--- a/experimental/generated/elasticsearch/composable/component/container.json
+++ b/experimental/generated/elasticsearch/composable/component/container.json
@@ -91,6 +91,9 @@
 }
 }
 },
+ "privileged": {
+ "type": "bool"
+ },
 "runtime": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index e04671d803..fa866c0253 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -560,6 +560,9 @@
 }
 }
 },
+ "privileged": {
+ "type": "bool"
+ },
 "runtime": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 1c99c802b3..958e7d5b05 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -894,6 +894,11 @@
 description: The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.
 default_field: false
+ - name: privileged
+ level: extended
+ type: bool
+ description: Indicates whether the container is running in privileged mode.
+ default_field: false
 - name: runtime
 level: extended
 type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 4ccb5f6a15..6d53d28295 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -92,6 +92,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.10.0-dev,true,container,container.name,keyword,extended,,,Container name.
 8.10.0-dev,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
 8.10.0-dev,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.10.0-dev,true,container,container.privileged,bool,extended,,,Indicates whether the container is running in privileged mode.
 8.10.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
 8.10.0-dev,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
 8.10.0-dev,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index e042d14ef4..f7c3d56957 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1114,6 +1114,15 @@ container.network.ingress.bytes:
 normalize: []
 short: The number of bytes received on all network interfaces.
 type: long
+container.privileged:
+ dashed_name: container-privileged
+ description: Indicates whether the container is running in privileged mode.
+ flat_name: container.privileged
+ level: extended
+ name: privileged
+ normalize: []
+ short: Indicates whether the container is running in privileged mode.
+ type: bool
 container.runtime:
 dashed_name: container-runtime
 description: Runtime managing this container.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index eae3f3498d..3505dd848e 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -1482,6 +1482,15 @@ container:
 normalize: []
 short: The number of bytes received on all network interfaces.
 type: long
+ container.privileged:
+ dashed_name: container-privileged
+ description: Indicates whether the container is running in privileged mode.
+ flat_name: container.privileged
+ level: extended
+ name: privileged
+ normalize: []
+ short: Indicates whether the container is running in privileged mode.
+ type: bool
 container.runtime:
 dashed_name: container-runtime
 description: Runtime managing this container.
diff --git a/generated/elasticsearch/composable/component/container.json b/generated/elasticsearch/composable/component/container.json
index ae8d228433..a840e22ba5 100644
--- a/generated/elasticsearch/composable/component/container.json
+++ b/generated/elasticsearch/composable/component/container.json
@@ -91,6 +91,9 @@
 }
 }
 },
+ "privileged": {
+ "type": "bool"
+ },
 "runtime": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index 0e0297839c..c20ce4daef 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -518,6 +518,9 @@
 }
 }
 },
+ "privileged": {
+ "type": "bool"
+ },
 "runtime": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/schemas/container.yml b/schemas/container.yml
index b538a4d485..85b888dfce 100644
--- a/schemas/container.yml
+++ b/schemas/container.yml
@@ -121,6 +121,13 @@
 The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.
 
+ - name: privileged
+ type: bool
+ level: extended
+ short: Indicates whether the container is running in privileged mode.
+ description: >
+ Indicates whether the container is running in privileged mode.
+
 - name: runtime
 level: extended
 type: keyword
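Review bot: `type: bool` on the new `container.privileged` entry in schemas/container.yml is not an Elasticsearch mapping type — the boolean type is spelled `boolean`, as ECS's existing boolean fields use — and the regenerated `composable/component/container.json` and `legacy/template.json` hunks carry `"type": "bool"` through verbatim, so Elasticsearch would reject these templates with an unknown-type mapping error when they are installed. Change the schema line to `type: boolean` and rebuild the artifacts; the generator evidently does not validate `type` against the set of Elasticsearch field types, which is worth a check in the schema tooling so that a typo cannot reach the published templates again. The `short` and `description` values are identical; since a privileged container runs with most of its isolation from the host lifted, the description is where to say which runtime setting the field reflects so that detections keyed on it read true/false consistently, e.g. `description: > Indicates whether the container was started with the container runtime's privileged flag, which grants it broad access to the host.` The CHANGELOG entry says "was started in" while the schema says "is running in"; align the two wordings.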