Add ECS based description fields
f-galland authored and AlexRuiz7 committed Nov 18, 2024
1 parent 040cc5f commit 3106ca2
Showing 7 changed files with 125 additions and 126 deletions.
20 changes: 10 additions & 10 deletions ecs/docs/inventory-hardware.md
Expand Up @@ -9,16 +9,16 @@ Based on ECS:
- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).

| | Field name | ECS field name | Data type | Description |
| --- | ------------ | ----------------------------- | --------- | -------------------------------- |
| | scan_time | @timestamp | date | Timestamp of the scan |
| | board_serial | observer.serial_number | keyword | Serial number of the motherboard |
| * | cpu_name | host.cpu.name | keyword | Name of the CPU |
| * | cpu_cores | host.cpu.cores | long | Number of CPU cores |
| * | cpu_mhz | host.cpu.speed | long | Speed of the CPU in MHz |
| * | ram_total | host.memory.total | long | Total RAM in the system |
| * | ram_free | host.memory.free | long | Free RAM in the system |
| * | ram_usage | host.memory.used.percentage | long | RAM usage as a percentage |
| | Field name | Data type | Description | Example |
| --- | --------------------------- | --------- | ------------------------------------ | ------- |
| | @timestamp | date | Date/time when the event originated. | |
| | observer.serial_number | keyword | Observer serial number. | |
| * | host.cpu.name | keyword | Name of the CPU | |
| * | host.cpu.cores | long | Number of CPU cores | |
| * | host.cpu.speed | long | Speed of the CPU in MHz | |
| * | host.memory.total | long | Total RAM in the system | |
| * | host.memory.free | long | Free RAM in the system | |
| * | host.memory.used.percentage | long | RAM usage as a percentage | |

\* Custom fields

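Review bot: the replacement table drops the source-field column (scan_time, board_serial, cpu_name, ...), so the page no longer records which collected field maps to which ECS field; if that mapping lives elsewhere, link to it, otherwise keep the column alongside the new Description and Example columns. The Example column is also blank in every row, so either populate it or leave it out until values are available.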
8 changes: 4 additions & 4 deletions ecs/docs/inventory-hotfixes.md
Expand Up @@ -8,10 +8,10 @@ Based on ECS:

- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).

| | Field name | ECS field name | Data type | Description |
| --- | ---------- | ------------------- | --------- | --------------------- |
| | scan_time | @timestamp | date | Timestamp of the scan |
| * | hotfix | package.hotfix.name | keyword | Name of the hotfix |
| | Field name | Data type | Description | Example |
| --- | ------------------- | --------- | --------------------- | ------- |
| | @timestamp | date | Timestamp of the scan | |
| * | package.hotfix.name | keyword | Name of the hotfix | |

\* Custom fields

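Review bot: the `@timestamp` row keeps the old wording "Timestamp of the scan", while the hardware table in this same commit switches it to the ECS description "Date/time when the event originated."; since the stated goal is ECS-based descriptions, use the same ECS wording here. The Example column is again empty in both rows.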
53 changes: 26 additions & 27 deletions ecs/docs/inventory-networks.md
Expand Up @@ -10,33 +10,32 @@ Based on ECS:
- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).

| | Field name | ECS field name | Data type | Description |
| --- | ----------- | -------------------------------- | --------- | ---------------------------------------------------------------- |
| | adapter | observer.ingress.interface.alias | keyword | Adapter name of the network interface |
| | address | host.ip | ip | Network address |
| | iface | observer.ingress.interface.name | keyword | Name of the network interface |
| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
| | mac | host.mac | keyword | MAC address of the network interface |
| | name | observer.ingress.interface.name | keyword | Name of the network interface |
| | proto | network.protocol | keyword | Type of network protocol |
| | rx_bytes | host.network.ingress.bytes | long | Number of received bytes |
| | rx_packets | host.network.ingress.packets | long | Number of received packets |
| | scan_time | @timestamp | date | Timestamp of the scan |
| | tx_bytes | host.network.egress.bytes | long | Number of transmitted bytes |
| | tx_packets | host.network.egress.packets | long | Number of transmitted packets |
| | type | network.type | keyword | IPv4 or IPv6 for protocols, interface type for interface records |
| * | broadcast | network.broadcast | ip | Broadcast address |
| * | dhcp | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) |
| * | gateway | network.gateway | ip | Gateway address |
| * | metric | network.metric | long | Metric of the network protocol |
| * | mtu | interface.mtu | long | Maximum transmission unit size |
| * | netmask | network.netmask | ip | Network mask |
| * | rx_dropped | host.network.ingress.drops | long | Number of dropped received packets |
| * | rx_errors | host.network.ingress.errors | long | Number of reception errors |
| * | state | interface.state | keyword | State of the network interface |
| * | tx_dropped | host.network.egress.drops | long | Number of dropped transmitted packets |
| * | tx_errors | host.network.egress.errors | long | Number of transmission errors |
| * | type | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") |
| | Field name | Data type | Description | Example |
| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------- |
| | @timestamp | date | Date/time when the event originated | |
| | device.id | keyword | The unique identifier of a device. | |
| | host.ip | ip | Host ip addresses | |
| | host.mac | keyword | Host MAC addresses. | | |
| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | |
| | host.network.egress.packets | long | The number of packets sent on all network interfaces | |
| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | |
| | host.network.ingress.packets | long | The number of packets received on all network interfaces | |
| | network.protocol | keyword | Application protocol name | |
| | network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |
| | observer.ingress.interface.alias | keyword | Interface alias | |
| | observer.ingress.interface.name | keyword | Interface name | |
| * | host.network.egress.drops | long | Number of dropped transmitted packets | |
| * | host.network.egress.errors | long | Number of transmission errors | |
| * | host.network.ingress.drops | long | Number of dropped received packets | |
| * | host.network.ingress.errors | long | Number of reception errors | |
| * | interface.mtu | long | Maximum transmission unit size | |
| * | interface.state | keyword | State of the network interface | |
| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | |
| * | network.broadcast | ip | Broadcast address | |
| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | |
| * | network.gateway | ip | Gateway address | |
| * | network.metric | long | Metric of the network protocol | |
| * | network.netmask | ip | Network mask | |

\* Custom fields

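Review bot: the `host.mac` row has one cell too many (a trailing `| |` after the Example column), which will break the Markdown table rendering; drop the extra `|`. Minor: `host.ip` reads "Host ip addresses" with no trailing period while the neighbouring `host.mac` and `device.id` rows end with one, and `network.type` ends in "ipv4, ipv6, ipsec, pim, etc" without a period, so punctuation is inconsistent within the table.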
40 changes: 20 additions & 20 deletions ecs/docs/inventory-packages.md
Expand Up @@ -8,32 +8,32 @@ Based on ECS:

- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).

| Field name | ECS field name | Data type | Description |
| ------------ | ---------------------- | --------- | ----------------------------------------------------------------- |
| | `agent.id` | keyword | Agent's ID |
| | \*`agent.groups` | keyword | Agent's groups |
| scan_time | `@timestamp` | date | Timestamp of the scan |
| architecture | `package.architecture` | keyword | Package architecture. |
| description | `package.description` | keyword | Description of the package. |
| install_time | `package.installed` | date | Time when package was installed. |
| name | `package.name` | keyword | Package name. |
| location | `package.path` | keyword | Path where the package is installed. |
| size | `package.size` | long | Package size in bytes. |
| format | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. |
| version | `package.version` | keyword | Package version. |
| | Field name | Data type | Description | Example |
| --- | ---------------------- | --------- | ----------------------------------------------------------------- | ------- |
| | `agent.id` | keyword | Agent's ID | |
| * | `agent.groups` | keyword | Agent's groups | |
| | `@timestamp` | date | Timestamp of the scan | |
| | `package.architecture` | keyword | Package architecture. | |
| | `package.description` | keyword | Description of the package. | |
| | `package.installed` | date | Time when package was installed. | |
| | `package.name` | keyword | Package name. | |
| | `package.path` | keyword | Path where the package is installed. | |
| | `package.size` | long | Package size in bytes. | |
| | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | |
| | `package.version` | keyword | Package version. | |

\* Custom field

<details><summary>Fields not included in ECS</summary>
<p>

| | Field name | ECS field name | Data type | Description |
| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------- |
| ? | priority | | | Priority of the program |
| ? | section | | | Section of the program category the package belongs to in DEB package managers |
| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
| ? | multiarch | | | Multi-architecture compatibility |
| X | source | | | Source of the program - package manager |
| | Field name | ECS field name | Data type | Description |
| --- | ---------- | ----------------- | --------- | -------------------------------------------------------------------------------- |
| ? | priority | | | Priority of the program |
| ? | section | | | Section of the program category the package belongs to in DEB package managers |
| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
| ? | multiarch | | | Multi-architecture compatibility |
| X | source | | | Source of the program - package manager |

</p>
</details>
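Review bot: this file wraps field names in backticks (`agent.id`, `@timestamp`) while the other four tables in this commit do not, and its footnote says "\* Custom field" where the others say "\* Custom fields"; pick one convention across the inventory docs. The "Fields not included in ECS" table changes only column padding, and the `package.reference` row marked X still carries an ECS field name and type, so the table should state what the X and ? markers mean.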
30 changes: 15 additions & 15 deletions ecs/docs/inventory-ports.md
Expand Up @@ -10,21 +10,21 @@ Based on ECS:
- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).

| | Field name | ECS field name | Data type | Description |
| --- | ----------- | -------------------------- | --------- | -------------------------------------------------- |
| | inode | file.inode | keyword | The unix inode of the port |
| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
| | local_ip | source.ip | ip | Local IP address |
| | local_port | source.port | long | Local port number |
| | pid | process.pid | long | Process ID |
| | process | process.name | keyword | Process name |
| | protocol | network.protocol | keyword | Protocol used |
| | remote_ip | destination.ip | ip | Remote IP address |
| | remote_port | destination.port | long | Remote port number |
| | scan_time | @timestamp | date | Timestamp of the scan |
| * | rx_queue | host.network.ingress.queue | long | Receive queue length |
| * | state | interface.state | keyword | State of the network interface |
| * | tx_queue | host.network.egress.queue | long | Transmit queue length |
| | Field name | Data type | Description | Example |
| --- | -------------------------- | --------- | --------------------------------------------- | ------- |
| | @timestamp | date | Timestamp of the scan | |
| | destination.ip | ip | IP address of the destination | |
| | destination.port | long | Port of the destination | |
| | device.id | keyword | The unique identifier of a device | |
| | file.inode | keyword | Inode representing the file in the filesystem | |
| | network.protocol | keyword | Application protocol name | |
| | process.name | keyword | Process name | |
| | process.pid | long | Process ID | |
| | source.ip | ip | IP address of the source | |
| | source.port | long | Port of the source | |
| * | host.network.egress.queue | long | Transmit queue length | |
| * | host.network.ingress.queue | long | Receive queue length | |
| * | interface.state | keyword | State of the network interface | |

\* Custom fields

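Review bot: `interface.state` is marked custom with the description "State of the network interface", but this table describes port records (source.port, destination.port, process.pid, file.inode), so the description should say what state is reported for a port; likewise `@timestamp` keeps "Timestamp of the scan" rather than the ECS wording adopted in inventory-hardware.md in this same commit.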
0 comments on commit 3106ca2