From 819a9a609e437daba500f4c1c87434d6d5a36be0 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Wed, 11 Nov 2020 14:01:31 -0500
Subject: [PATCH 01/10] Add os.commercial_family field
---
 code/go/ecs/os.go | 5 ++
 docs/field-details.asciidoc | 15 ++++++
 generated/beats/fields.ecs.yml | 44 +++++++++++++++++
 generated/csv/fields.csv | 3 ++
 generated/ecs/ecs_flat.yml | 45 ++++++++++++++++++
 generated/ecs/ecs_nested.yml | 63 +++++++++++++++++++++++++
 generated/elasticsearch/6/template.json | 12 +++++
 generated/elasticsearch/7/template.json | 12 +++++
 schemas/os.yml | 10 ++++
 9 files changed, 209 insertions(+)
diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
index a118950bbf..eb3a321de3 100644
--- a/code/go/ecs/os.go
+++ b/code/go/ecs/os.go
@@ -21,6 +21,11 @@ package ecs
 // The OS fields contain information about the operating system.
 type Os struct {
+ // Categorize the operating system in one of the broad commercial families.
+ // One of these following values should be used (lowercase): linux, macos,
+ // unix, windows.
+ CommercialFamily string `ecs:"commercial_family"`
+
 // Operating system platform (such centos, ubuntu, windows).
 Platform string `ecs:"platform"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index ddcb587a24..3f052177c5 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3853,6 +3853,21 @@ The OS fields contain information about the operating system.
 // ===============================================================
+| os.commercial_family
+| Categorize the operating system in one of the broad commercial families.
+
+One of these following values should be used (lowercase): linux, macos, unix, windows.
+
+type: keyword
+
+
+
+example: `macos`
+
+| extended
+
+// ===============================================================
+
 | os.family
 | OS family (such as redhat, debian, freebsd, windows).
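Review bot: The new `CommercialFamily` field accepts any string while its doc comment restricts it to four lowercase tokens (linux, macos, unix, windows), so a producer that emits `Windows` or `win` compiles and indexes without complaint but silently drops out of a `commercial_family: windows` query, because `keyword` matching is exact. If `code/go/ecs/os.go` is generated from `schemas/os.yml`, as the identical comment text suggests, the constraint belongs in the schema as a machine-readable `allowed_values` list rather than in this file; if it is hand-maintained, exported constants next to the struct such as `CommercialFamilyLinux = "linux"` would give producers something to reference instead of retyping the prose. The same observation applies to the follow-up hunk on this field in PATCH 04, which only extends the comment. The `Os` struct continues outside the hunk.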
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b2d3e4ef5a..1fa983db8a 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2174,6 +2174,17 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: os.family level: extended type: keyword @@ -2933,6 +2944,17 @@ If no custom name is needed, the field can be left empty.' example: 1_proxySG + - name: os.commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: os.family level: extended type: keyword @@ -3041,6 +3063,17 @@ description: The OS fields contain information about the operating system. type: group fields: + - name: commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: family level: extended type: keyword 
@@ -5546,6 +5579,17 @@ description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + - name: os.commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: os.family level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2a8688c22b..77fde23e73 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -244,6 +244,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. +2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -335,6 +336,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -660,6 +662,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 2.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9447fa982b..0d7ba60b42 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3385,6 +3385,21 @@ host.name: normalize: [] short: Name of the host. type: keyword +host.os.commercial_family: + dashed_name: host-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: host.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -4532,6 +4547,21 @@ observer.name: normalize: [] short: Custom name of the observer. type: keyword +observer.os.commercial_family: + dashed_name: observer-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: observer.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -8433,6 +8463,21 @@ user_agent.original: normalize: [] short: Unparsed user_agent string. type: keyword +user_agent.os.commercial_family: + dashed_name: user-agent-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: user_agent.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ca9424eaed..cbcac03e01 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4050,6 +4050,22 @@ host: normalize: [] short: Name of the host. type: keyword + host.os.commercial_family: + dashed_name: host-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: host.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -5314,6 +5330,22 @@ observer: normalize: [] short: Custom name of the observer. type: keyword + observer.os.commercial_family: + dashed_name: observer-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: observer.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -5525,6 +5557,21 @@ organization: os: description: The OS fields contain information about the operating system. fields: + os.commercial_family: + dashed_name: os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.family: dashed_name: os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -9731,6 +9778,22 @@ user_agent: normalize: [] short: Unparsed user_agent string. type: keyword + user_agent.os.commercial_family: + dashed_name: user-agent-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: user_agent.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 0f6e8dfb83..1e23304c93 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1135,6 +1135,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1601,6 +1605,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" @@ -3129,6 +3137,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 8583630fb1..15d2828289 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1134,6 +1134,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" 
@@ -1600,6 +1604,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" @@ -3128,6 +3136,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/os.yml b/schemas/os.yml index 71bf1dd36e..56b2269b7d 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -13,6 +13,16 @@ type: group fields: + - name: commercial_family + level: extended + type: keyword + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + description: > + Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, windows. + example: macos + - name: platform level: extended type: keyword From 2f48172085390a036edf6a12f0742827c899848f Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 11 Nov 2020 14:33:48 -0500 Subject: [PATCH 02/10] Update experimental artifacts --- experimental/generated/beats/fields.ecs.yml | 44 +++++++++++++ experimental/generated/csv/fields.csv | 3 + experimental/generated/ecs/ecs_flat.yml | 45 +++++++++++++ experimental/generated/ecs/ecs_nested.yml | 63 +++++++++++++++++++ .../generated/elasticsearch/7/template.json | 12 ++++ 5 files changed, 167 insertions(+) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 5352e2bb18..79e885c5aa 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
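Review bot: In the `schemas/os.yml` hunk the permitted values for `commercial_family` exist only inside the prose `description`, so every generated artifact (fields.ecs.yml, the CSV, the index templates) carries no machine-readable constraint and nothing downstream can validate an event against the list. The schema tooling appears to express enumerations with `allowed_values` (that looks like how the `event.category` values named in the changelog are declared), so adding `allowed_values:` with one `- name: linux` entry per family here would surface the list in the docs table and make it checkable. Because `keyword` queries are case-sensitive, the "(lowercase)" requirement is also worth carrying into the `short` text, which is what lands in the CSV. The `fields:` list of the `os` field set continues outside the hunk.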
@@ -2131,6 +2131,17 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: os.family level: extended type: keyword @@ -2879,6 +2890,17 @@ If no custom name is needed, the field can be left empty.' example: 1_proxySG + - name: os.commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: os.family level: extended type: keyword @@ -2984,6 +3006,17 @@ description: The OS fields contain information about the operating system. type: group fields: + - name: commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: family level: extended type: keyword 
@@ -5666,6 +5699,17 @@ description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + - name: os.commercial_family + level: extended + type: keyword + ignore_above: 1024 + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + default_field: false - name: os.family level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 67053f2d9c..92c4eab841 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -243,6 +243,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. +2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -334,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -695,6 +697,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 7a92b47716..c1c674cc80 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3337,6 +3337,21 @@ host.name: normalize: [] short: Name of the host. type: keyword +host.os.commercial_family: + dashed_name: host-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: host.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -4473,6 +4488,21 @@ observer.name: normalize: [] short: Custom name of the observer. type: keyword +observer.os.commercial_family: + dashed_name: observer-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: observer.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -8710,6 +8740,21 @@ user_agent.original: normalize: [] short: Unparsed user_agent string. type: wildcard +user_agent.os.commercial_family: + dashed_name: user-agent-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: user_agent.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index da428dae70..0eae24f380 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4000,6 +4000,22 @@ host: normalize: [] short: Name of the host. type: keyword + host.os.commercial_family: + dashed_name: host-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: host.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -5253,6 +5269,22 @@ observer: normalize: [] short: Custom name of the observer. type: keyword + observer.os.commercial_family: + dashed_name: observer-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: observer.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -5461,6 +5493,21 @@ organization: os: description: The OS fields contain information about the operating system. fields: + os.commercial_family: + dashed_name: os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.family: dashed_name: os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -10024,6 +10071,22 @@ user_agent: normalize: [] short: Unparsed user_agent string. type: wildcard + user_agent.os.commercial_family: + dashed_name: user-agent-os-commercial-family + description: 'Categorize the operating system in one of the broad commercial + families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows.' + example: macos + flat_name: user_agent.os.commercial_family + ignore_above: 1024 + level: extended + name: commercial_family + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 6782a5638f..dfef1b8a91 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1103,6 +1103,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1558,6 +1562,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" @@ -3206,6 +3214,10 @@ }, "os": { "properties": { + "commercial_family": { + "ignore_above": 1024, + "type": "keyword" + }, "family": { "ignore_above": 1024, "type": "keyword" From 3db68d7d8789b0ecb6cfcf0f35b85c50b3d55930 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 11 Nov 2020 14:34:27 -0500 Subject: [PATCH 03/10] Changelog --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index c05fd1c2f7..25f1ad9ad4 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added `os.commercial_family`. #1111
 #### Improvements
From 32e8489ea4fa4b5faa977816c89051d33cc6c969 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Thu, 12 Nov 2020 14:03:21 -0500
Subject: [PATCH 04/10] Give guidance on OSes that don't fall in any of these categories
---
 code/go/ecs/os.go | 3 +++
 docs/field-details.asciidoc | 2 ++
 experimental/generated/beats/fields.ecs.yml | 20 ++++++++++++++++----
 experimental/generated/ecs/ecs_flat.yml | 15 ++++++++++++---
 experimental/generated/ecs/ecs_nested.yml | 20 ++++++++++++++++----
 generated/beats/fields.ecs.yml | 20 ++++++++++++++++----
 generated/ecs/ecs_flat.yml | 15 ++++++++++++---
 generated/ecs/ecs_nested.yml | 20 ++++++++++++++++----
 schemas/os.yml | 3 +++
 9 files changed, 96 insertions(+), 22 deletions(-)
diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
index eb3a321de3..be46e849df 100644
--- a/code/go/ecs/os.go
+++ b/code/go/ecs/os.go
@@ -24,6 +24,9 @@ type Os struct {
 // Categorize the operating system in one of the broad commercial families.
 // One of these following values should be used (lowercase): linux, macos,
 // unix, windows.
+ // If the OS is not part of any of these families, the field should not be
+ // populated. Please let us know by opening an issue with ECS, to have it
+ // added to the list.
 CommercialFamily string `ecs:"commercial_family"`
 // Operating system platform (such centos, ubuntu, windows).
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 3f052177c5..8b879e684f 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -3858,6 +3858,8 @@ The OS fields contain information about the operating system. One of these following values should be used (lowercase): linux, macos, unix, windows. +If the OS is not part of any of these families, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. + type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 79e885c5aa..84d603ded7 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2139,7 +2139,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: os.family @@ -2898,7 +2901,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: os.family @@ -3014,7 +3020,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: family 
@@ -5707,7 +5716,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: os.family diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index c1c674cc80..0ac446c782 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3342,7 +3342,10 @@ host.os.commercial_family: description: 'Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: host.os.commercial_family ignore_above: 1024 @@ -4493,7 +4496,10 @@ observer.os.commercial_family: description: 'Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: observer.os.commercial_family ignore_above: 1024 
@@ -8745,7 +8751,10 @@ user_agent.os.commercial_family: description: 'Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: user_agent.os.commercial_family ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0eae24f380..0c2b7be9a2 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4006,7 +4006,10 @@ host: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: host.os.commercial_family ignore_above: 1024 @@ -5275,7 +5278,10 @@ observer: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: observer.os.commercial_family ignore_above: 1024 @@ -5499,7 +5505,10 @@ os: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: os.commercial_family ignore_above: 1024 
@@ -10077,7 +10086,10 @@ user_agent: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: user_agent.os.commercial_family ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1fa983db8a..65d74bfe95 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2182,7 +2182,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: os.family @@ -2952,7 +2955,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: os.family @@ -3071,7 +3077,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: family 
@@ -5587,7 +5596,10 @@ families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos default_field: false - name: os.family diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 0d7ba60b42..e960a9b5a2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3390,7 +3390,10 @@ host.os.commercial_family: description: 'Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: host.os.commercial_family ignore_above: 1024 @@ -4552,7 +4555,10 @@ observer.os.commercial_family: description: 'Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: observer.os.commercial_family ignore_above: 1024 @@ -8468,7 +8474,10 @@ user_agent.os.commercial_family: description: 'Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: user_agent.os.commercial_family ignore_above: 1024 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index cbcac03e01..286b1d5542 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4056,7 +4056,10 @@ host: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: host.os.commercial_family ignore_above: 1024 @@ -5336,7 +5339,10 @@ observer: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: observer.os.commercial_family ignore_above: 1024 @@ -5563,7 +5569,10 @@ os: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: os.commercial_family ignore_above: 1024 @@ -9784,7 +9793,10 @@ user_agent: families. One of these following values should be used (lowercase): linux, macos, unix, - windows.' + windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' example: macos flat_name: user_agent.os.commercial_family ignore_above: 1024 diff --git a/schemas/os.yml b/schemas/os.yml index 56b2269b7d..5a704cb10d 100644 --- a/schemas/os.yml +++ b/schemas/os.yml 
@@ -21,6 +21,9 @@ Categorize the operating system in one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. + + If the OS is not part of any of these families, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list. example: macos - name: platform From 298ece3fe8b80b339cb0d12285b108922771318e Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 15:11:54 -0500 Subject: [PATCH 05/10] Rename the field to the more terse `os.type` --- code/go/ecs/os.go | 7 +- docs/field-details.asciidoc | 34 ++-- experimental/generated/beats/fields.ecs.yml | 112 ++++++------- experimental/generated/csv/fields.csv | 6 +- experimental/generated/ecs/ecs_flat.yml | 111 ++++++------- experimental/generated/ecs/ecs_nested.yml | 150 +++++++++--------- .../generated/elasticsearch/7/template.json | 24 +-- generated/beats/fields.ecs.yml | 112 ++++++------- generated/csv/fields.csv | 6 +- generated/ecs/ecs_flat.yml | 111 ++++++------- generated/ecs/ecs_nested.yml | 150 +++++++++--------- generated/elasticsearch/6/template.json | 24 +-- generated/elasticsearch/7/template.json | 24 +-- schemas/os.yml | 7 +- 14 files changed, 443 insertions(+), 435 deletions(-) diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go index be46e849df..1aa0c39997 100644 --- a/code/go/ecs/os.go +++ b/code/go/ecs/os.go 
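Review bot: The permitted values for this field exist only in the description prose, so nothing in the schema constrains what a producer may send; a shipper that emits `Windows`, `win` or `darwin` is still accepted, and because the field is mapped as `keyword` a detection rule or dashboard filtering on `host.os.type: windows` silently misses those events. If the schema tooling supports an `allowed_values` list for this field, as it appears to for the `event.*` categorization fields, I would encode `linux`, `macos`, `unix` and `windows` there so the constraint is machine-readable and enumerated in the generated docs, while keeping the added sentence about leaving the field unset for anything else. Failing that, the added lines should at least make the normalization explicit for producers, e.g. `Values are case-sensitive exact matches; producers must emit the lowercase form.` The `- name: platform` context line shows the rest of the `os` field definition continues outside this hunk.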
@@ -21,13 +21,14 @@ package ecs // The OS fields contain information about the operating system. type Os struct { - // Categorize the operating system in one of the broad commercial families. + // Use the `os.type` field to categorize the operating system in one of the + // broad commercial families. // One of these following values should be used (lowercase): linux, macos, // unix, windows. - // If the OS is not part of any of these families, the field should not be + // If the OS is not part of any of this list, the field should not be // populated. Please let us know by opening an issue with ECS, to have it // added to the list. - CommercialFamily string `ecs:"commercial_family"` + Type string `ecs:"type"` // Operating system platform (such centos, ubuntu, windows). Platform string `ecs:"platform"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 8b879e684f..26a31f0872 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3853,23 +3853,6 @@ The OS fields contain information about the operating system. // =============================================================== -| os.commercial_family -| Categorize the operating system in one of the broad commercial families. - -One of these following values should be used (lowercase): linux, macos, unix, windows. - -If the OS is not part of any of these families, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. - -type: keyword - - - -example: `macos` - -| extended - -// =============================================================== - | os.family | OS family (such as redhat, debian, freebsd, windows). 
@@ -3947,6 +3930,23 @@ example: `darwin` // =============================================================== +| os.type +| Use the `os.type` field to categorize the operating system in one of the broad commercial families. + +One of these following values should be used (lowercase): linux, macos, unix, windows. + +If the OS is not part of any of this list, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. + +type: keyword + + + +example: `macos` + +| extended + +// =============================================================== + | os.version | Operating system version as a raw string. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 84d603ded7..b0f53ea2db 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2131,20 +2131,6 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword 
@@ -2183,6 +2169,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -2893,20 +2893,6 @@ If no custom name is needed, the field can be left empty.' example: 1_proxySG - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -2945,6 +2931,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword 
@@ -3012,20 +3012,6 @@ description: The OS fields contain information about the operating system. type: group fields: - - name: commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: family level: extended type: keyword @@ -3064,6 +3050,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: version level: extended type: keyword 
@@ -5708,20 +5708,6 @@ description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -5760,6 +5746,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 92c4eab841..2a67a56a9c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -243,7 +243,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." @@ -251,6 +250,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. 2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 
@@ -335,7 +335,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." @@ -343,6 +342,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. 
@@ -697,7 +697,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -705,6 +704,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 0ac446c782..4e819397f5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3337,24 +3337,6 @@ host.name: normalize: [] short: Name of the host. type: keyword -host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -3423,6 +3405,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. 
@@ -4491,24 +4492,6 @@ observer.name: normalize: [] short: Custom name of the observer. type: keyword -observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -4577,6 +4560,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -8746,24 +8748,6 @@ user_agent.original: normalize: [] short: Unparsed user_agent string. type: wildcard -user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -8832,6 +8816,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0c2b7be9a2..56e8d62558 100644 
--- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4000,25 +4000,6 @@ host: normalize: [] short: Name of the host. type: keyword - host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -4087,6 +4068,25 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. 
@@ -5272,25 +5272,6 @@ observer: normalize: [] short: Custom name of the observer. type: keyword - observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -5359,6 +5340,25 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. 
@@ -5499,24 +5499,6 @@ organization: os: description: The OS fields contain information about the operating system. fields: - os.commercial_family: - dashed_name: os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword os.family: dashed_name: os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -5580,6 +5562,24 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. 
@@ -10080,25 +10080,6 @@ user_agent: normalize: [] short: Unparsed user_agent string. type: wildcard - user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). @@ -10167,6 +10148,25 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index dfef1b8a91..5247e36816 100644 
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1103,10 +1103,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1137,6 +1133,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1562,10 +1562,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1596,6 +1592,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3214,10 +3214,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3248,6 +3244,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 65d74bfe95..3e23c50736 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2174,20 +2174,6 @@ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -2228,6 +2214,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword 
@@ -2947,20 +2947,6 @@ If no custom name is needed, the field can be left empty.' example: 1_proxySG - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword @@ -3001,6 +2987,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -3069,20 +3069,6 @@ description: The OS fields contain information about the operating system. type: group fields: - - name: commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: family level: extended type: keyword 
@@ -3123,6 +3109,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: version level: extended type: keyword @@ -5588,20 +5588,6 @@ description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - - name: os.commercial_family - level: extended - type: keyword - ignore_above: 1024 - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - default_field: false - name: os.family level: extended type: keyword 
@@ -5642,6 +5628,20 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 77fde23e73..784459a3cc 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -244,7 +244,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 2.0.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
@@ -252,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+2.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 2.0.0-dev,true,host,host.type,keyword,core,,,Type of host.
 2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
@@ -336,7 +336,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
-2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -344,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
 2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version."
 2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+2.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
 2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
 2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
@@ -662,7 +662,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 2.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
-2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -670,6 +669,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e960a9b5a2..3978ef88d7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3385,24 +3385,6 @@ host.name: normalize: [] short: Name of the host. type: keyword -host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -3473,6 +3455,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -4550,24 +4551,6 @@ observer.name: normalize: [] short: Custom name of the observer. type: keyword -observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -4638,6 +4621,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -8469,24 +8471,6 @@ user_agent.original: normalize: [] short: Unparsed user_agent string. type: keyword -user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -8557,6 +8541,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 286b1d5542..422647f15a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4050,25 +4050,6 @@ host: normalize: [] short: Name of the host. type: keyword - host.os.commercial_family: - dashed_name: host-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: host.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword host.os.family: dashed_name: host-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -4139,6 +4120,25 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -5333,25 +5333,6 @@ observer: normalize: [] short: Custom name of the observer. type: keyword - observer.os.commercial_family: - dashed_name: observer-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: observer.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword observer.os.family: dashed_name: observer-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -5422,6 +5403,25 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -5563,24 +5563,6 @@ organization: os: description: The OS fields contain information about the operating system. fields: - os.commercial_family: - dashed_name: os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword os.family: dashed_name: os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -5646,6 +5628,24 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. @@ -9787,25 +9787,6 @@ user_agent: normalize: [] short: Unparsed user_agent string. type: keyword - user_agent.os.commercial_family: - dashed_name: user-agent-os-commercial-family - description: 'Categorize the operating system in one of the broad commercial - families. - - One of these following values should be used (lowercase): linux, macos, unix, - windows. - - If the OS is not part of any of these families, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' - example: macos - flat_name: user_agent.os.commercial_family - ignore_above: 1024 - level: extended - name: commercial_family - normalize: [] - original_fieldset: os - short: 'Which commercial OS family (one of: linux, macos, unix or windows).' - type: keyword user_agent.os.family: dashed_name: user-agent-os-family description: OS family (such as redhat, debian, freebsd, windows). 
@@ -9876,6 +9857,25 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system in + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS is not part of any of this list, the field should not be populated. + Please let us know by opening an issue with ECS, to have it added to the list.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 1e23304c93..c80ed9eab5 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1135,10 +1135,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1171,6 +1167,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1605,10 +1605,6 @@ }, "os": { "properties": { - "commercial_family": { - "ignore_above": 1024, - "type": "keyword" - }, "family": { "ignore_above": 1024, "type": "keyword" @@ -1641,6 +1637,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" 
@@ -3137,10 +3137,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3173,6 +3169,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 15d2828289..2065369a1c 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -1134,10 +1134,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1170,6 +1166,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1604,10 +1604,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1640,6 +1636,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3136,10 +3136,6 @@
 },
 "os": {
 "properties": {
- "commercial_family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
 "family": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3172,6 +3168,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "version": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/schemas/os.yml b/schemas/os.yml
index 5a704cb10d..07a72dfb49 100644
--- a/schemas/os.yml
+++ b/schemas/os.yml
@@ -13,16 +13,17 @@ type: group fields: - - name: commercial_family + - name: type level: extended type: keyword short: 'Which commercial OS family (one of: linux, macos, unix or windows).' description: > - Categorize the operating system in one of the broad commercial families. + Use the `os.type` field to categorize the operating system in one of + the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of these families, the field should not be populated. + If the OS is not part of any of this list, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. example: macos From f6bfdb58a9a1818058e80e75892779f3cd7cc706 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 15:50:43 -0500 Subject: [PATCH 06/10] Update CHANGELOG.next.md Co-authored-by: Eric Beahan --- CHANGELOG.next.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 25f1ad9ad4..07872e22dd 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,7 +18,7 @@ Thanks, you're awesome :-) --> * Added `event.category` "registry". #1040 * Added `event.category` "session". #1049 -* Added `os.commercial_family`. #1111 +* Added `os.type`. #1111 #### Improvements From d054cd6806fc072ad6253aa0ac17c113da33386e Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 15:52:06 -0500 Subject: [PATCH 07/10] Clarify sentence when not part of the list Co-authored-by: Eric Beahan --- schemas/os.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/os.yml b/schemas/os.yml index 07a72dfb49..1911632f26 100644 --- a/schemas/os.yml +++ b/schemas/os.yml 
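Review bot: The renamed `os.type` field carries its allowed vocabulary only in prose, while its `type: keyword` mapping is case-sensitive, so a producer emitting `Windows` or `MacOS` silently falls outside any aggregation or detection rule keyed on `windows`/`macos`, and nothing in this schema lets tooling flag that. If the ECS schema format's `allowed_values` list (as used by the event.* categorization fields) applies here, declaring the four values there would make the constraint machine-checkable; otherwise the description should state that producers are expected to emit the value already lowercased, since the index will not fold case. Separately, the retained `short: 'Which commercial OS family (one of: linux, macos, unix or windows).'` now sits beside the sibling `os.family` field, which means something different (redhat, debian, ...); rewording it to avoid "family", e.g. `short: 'Broad OS type (one of: linux, macos, unix or windows).'`, would keep the two from being confused.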
@@ -23,7 +23,7 @@ One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. + If the OS is not part of any family on this list, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. example: macos From 8d0b3f9e60ed546d9760c8958e98acf5d3b82f29 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 15:53:43 -0500 Subject: [PATCH 08/10] Adding it to the list is a proposal Co-authored-by: Eric Beahan --- schemas/os.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/os.yml b/schemas/os.yml index 1911632f26..0a5cea4409 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -24,7 +24,7 @@ One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS is not part of any family on this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list. + Please let us know by opening an issue with ECS, to propose adding it to the list. example: macos - name: platform From ccf61a7900d868ae47c8432a3f1d940eecb38a50 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 15:54:12 -0500 Subject: [PATCH 09/10] categorize into Co-authored-by: Eric Beahan --- schemas/os.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/os.yml b/schemas/os.yml index 0a5cea4409..348201d2de 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -18,7 +18,7 @@ type: keyword short: 'Which commercial OS family (one of: linux, macos, unix or windows).' description: > - Use the `os.type` field to categorize the operating system in one of + Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. 
From 6a7533e1f2a0aaa254cb4d7e95c737cdb05f6fc4 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 16:22:33 -0500 Subject: [PATCH 10/10] Try a rewrite of what to do when the OS is not in the list --- code/go/ecs/os.go | 10 ++++---- docs/field-details.asciidoc | 4 +-- experimental/generated/beats/fields.ecs.yml | 28 ++++++++++++--------- experimental/generated/ecs/ecs_flat.yml | 18 ++++++------- experimental/generated/ecs/ecs_nested.yml | 28 ++++++++++++--------- generated/beats/fields.ecs.yml | 28 ++++++++++++--------- generated/ecs/ecs_flat.yml | 18 ++++++------- generated/ecs/ecs_nested.yml | 28 ++++++++++++--------- schemas/os.yml | 4 +-- 9 files changed, 91 insertions(+), 75 deletions(-) diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go index 1aa0c39997..3284a5357c 100644 --- a/code/go/ecs/os.go +++ b/code/go/ecs/os.go @@ -21,13 +21,13 @@ package ecs // The OS fields contain information about the operating system. type Os struct { - // Use the `os.type` field to categorize the operating system in one of the - // broad commercial families. + // Use the `os.type` field to categorize the operating system into one of + // the broad commercial families. // One of these following values should be used (lowercase): linux, macos, // unix, windows. - // If the OS is not part of any of this list, the field should not be - // populated. Please let us know by opening an issue with ECS, to have it - // added to the list. + // If the OS you're dealing with is not in the list, the field should not + // be populated. Please let us know by opening an issue with ECS, to + // propose its addition. Type string `ecs:"type"` // Operating system platform (such centos, ubuntu, windows). diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 26a31f0872..b980b32b93 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -3931,11 +3931,11 @@ example: `darwin` // =============================================================== | os.type -| Use the `os.type` field to categorize the operating system in one of the broad commercial families. +| Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. -If the OS is not part of any of this list, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list. +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b0f53ea2db..7db593105c 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2173,14 +2173,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: os.version 
@@ -2935,14 +2936,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: os.version @@ -3054,14 +3056,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: version 
@@ -5750,14 +5753,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: os.version diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 4e819397f5..59e2fc4733 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3407,14 +3407,14 @@ host.os.platform: type: keyword host.os.type: dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system in one + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' example: macos flat_name: host.os.type ignore_above: 1024 
@@ -4562,14 +4562,14 @@ observer.os.platform: type: keyword observer.os.type: dashed_name: observer-os-type - description: 'Use the `os.type` field to categorize the operating system in one + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' example: macos flat_name: observer.os.type ignore_above: 1024 @@ -8818,14 +8818,14 @@ user_agent.os.platform: type: keyword user_agent.os.type: dashed_name: user-agent-os-type - description: 'Use the `os.type` field to categorize the operating system in one + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' example: macos flat_name: user_agent.os.type ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 56e8d62558..27b394ba24 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4070,14 +4070,15 @@ host: type: keyword host.os.type: dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: host.os.type ignore_above: 1024 @@ -5342,14 +5343,15 @@ observer: type: keyword observer.os.type: dashed_name: observer-os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: observer.os.type ignore_above: 1024 
@@ -5564,14 +5566,15 @@ os: type: keyword os.type: dashed_name: os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: os.type ignore_above: 1024 @@ -10150,14 +10153,15 @@ user_agent: type: keyword user_agent.os.type: dashed_name: user-agent-os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: user_agent.os.type ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3e23c50736..06e7c5ce68 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2218,14 +2218,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: os.version @@ -2991,14 +2992,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: os.version 
@@ -3113,14 +3115,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: version @@ -5632,14 +5635,15 @@ level: extended type: keyword ignore_above: 1024 - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos default_field: false - name: os.version diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 3978ef88d7..78ef1eaec8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3457,14 +3457,14 @@ host.os.platform: type: keyword host.os.type: dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system in one + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' example: macos flat_name: host.os.type ignore_above: 1024 @@ -4623,14 +4623,14 @@ observer.os.platform: type: keyword observer.os.type: dashed_name: observer-os-type - description: 'Use the `os.type` field to categorize the operating system in one + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' example: macos flat_name: observer.os.type ignore_above: 1024 
@@ -8543,14 +8543,14 @@ user_agent.os.platform: type: keyword user_agent.os.type: dashed_name: user-agent-os-type - description: 'Use the `os.type` field to categorize the operating system in one + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' example: macos flat_name: user_agent.os.type ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 422647f15a..ac3f079ba3 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4122,14 +4122,15 @@ host: type: keyword host.os.type: dashed_name: host-os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: host.os.type ignore_above: 1024 
@@ -5405,14 +5406,15 @@ observer: type: keyword observer.os.type: dashed_name: observer-os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: observer.os.type ignore_above: 1024 @@ -5630,14 +5632,15 @@ os: type: keyword os.type: dashed_name: os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: os.type ignore_above: 1024 
@@ -9859,14 +9862,15 @@ user_agent: type: keyword user_agent.os.type: dashed_name: user-agent-os-type - description: 'Use the `os.type` field to categorize the operating system in + description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any of this list, the field should not be populated. - Please let us know by opening an issue with ECS, to have it added to the list.' + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' example: macos flat_name: user_agent.os.type ignore_above: 1024 diff --git a/schemas/os.yml b/schemas/os.yml index 348201d2de..8b8cfcdad7 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -23,8 +23,8 @@ One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS is not part of any family on this list, the field should not be populated. - Please let us know by opening an issue with ECS, to propose adding it to the list. + If the OS you're dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition. example: macos - name: platform