From 3106ca29dd00a828cfdba2d167f6c27e8a87c833 Mon Sep 17 00:00:00 2001
From: f-galland
Date: Tue, 12 Nov 2024 13:05:40 -0300
Subject: [PATCH] Add ECS based description fields
---
 ecs/docs/inventory-hardware.md | 20 ++++-----
 ecs/docs/inventory-hotfixes.md | 8 ++--
 ecs/docs/inventory-networks.md | 53 ++++++++++++-----------
 ecs/docs/inventory-packages.md | 40 +++++++++---------
 ecs/docs/inventory-ports.md | 30 ++++++-------
 ecs/docs/inventory-processes.md | 74 ++++++++++++++++-----------------
 ecs/docs/inventory-system.md | 26 ++++++------
 7 files changed, 125 insertions(+), 126 deletions(-)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
index 4f8c2ade7bcd3..14165e8af2bc4 100644
--- a/ecs/docs/inventory-hardware.md
+++ b/ecs/docs/inventory-hardware.md
@@ -9,16 +9,16 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ------------ | ----------------------------- | --------- | -------------------------------- |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| | board_serial | observer.serial_number | keyword | Serial number of the motherboard |
-| * | cpu_name | host.cpu.name | keyword | Name of the CPU |
-| * | cpu_cores | host.cpu.cores | long | Number of CPU cores |
-| * | cpu_mhz | host.cpu.speed | long | Speed of the CPU in MHz |
-| * | ram_total | host.memory.total | long | Total RAM in the system |
-| * | ram_free | host.memory.free | long | Free RAM in the system |
-| * | ram_usage | host.memory.used.percentage | long | RAM usage as a percentage |
+| | Field name | Data type | Description | Example |
+| --- | --------------------------- | --------- | ------------------------------------ | ------- |
+| | @timestamp | date | Date/time when the event originated. | |
+| | observer.serial_number | keyword | Observer serial number. | |
+| * | host.cpu.name | keyword | Name of the CPU | |
+| * | host.cpu.cores | long | Number of CPU cores | |
+| * | host.cpu.speed | long | Speed of the CPU in MHz | |
+| * | host.memory.total | long | Total RAM in the system | |
+| * | host.memory.free | long | Free RAM in the system | |
+| * | host.memory.used.percentage | long | RAM usage as a percentage | |
 \* Custom fields
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
index 4ec3ddd48cbcb..c37ef8c5f2ec6 100644
--- a/ecs/docs/inventory-hotfixes.md
+++ b/ecs/docs/inventory-hotfixes.md
@@ -8,10 +8,10 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ---------- | ------------------- | --------- | --------------------- |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| * | hotfix | package.hotfix.name | keyword | Name of the hotfix |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | --------------------- | ------- |
+| | @timestamp | date | Timestamp of the scan | |
+| * | package.hotfix.name | keyword | Name of the hotfix | |
 \* Custom fields
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index 536b8c57ced41..b287abd7d26a5 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -10,33 +10,32 @@ Based on ECS:
 - [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ----------- | -------------------------------- | --------- | ---------------------------------------------------------------- |
-| | adapter | observer.ingress.interface.alias | keyword | Adapter name of the network interface |
-| | address | host.ip | ip | Network address |
-| | iface | observer.ingress.interface.name | keyword | Name of the network interface |
-| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
-| | mac | host.mac | keyword | MAC address of the network interface |
-| | name | observer.ingress.interface.name | keyword | Name of the network interface |
-| | proto | network.protocol | keyword | Type of network protocol |
-| | rx_bytes | host.network.ingress.bytes | long | Number of received bytes |
-| | rx_packets | host.network.ingress.packets | long | Number of received packets |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| | tx_bytes | host.network.egress.bytes | long | Number of transmitted bytes |
-| | tx_packets | host.network.egress.packets | long | Number of transmitted packets |
-| | type | network.type | keyword | IPv4 or IPv6 for protocols, interface type for interface records |
-| * | broadcast | network.broadcast | ip | Broadcast address |
-| * | dhcp | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) |
-| * | gateway | network.gateway | ip | Gateway address |
-| * | metric | network.metric | long | Metric of the network protocol |
-| * | mtu | interface.mtu | long | Maximum transmission unit size |
-| * | netmask | network.netmask | ip | Network mask |
-| * | rx_dropped | host.network.ingress.drops | long | Number of dropped received packets |
-| * | rx_errors | host.network.ingress.errors | long | Number of reception errors |
-| * | state | interface.state | keyword | State of the network interface |
-| * | tx_dropped | host.network.egress.drops | long | Number of dropped transmitted packets |
-| * | tx_errors | host.network.egress.errors | long | Number of transmission errors |
-| * | type | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") |
+| | Field name | Data type | Description | Example |
+| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------- |
+| | @timestamp | date | Date/time when the event originated | |
+| | device.id | keyword | The unique identifier of a device. | |
+| | host.ip | ip | Host ip addresses | |
+| | host.mac | keyword | Host MAC addresses. | | |
+| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | |
+| | host.network.egress.packets | long | The number of packets sent on all network interfaces | |
+| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | |
+| | host.network.ingress.packets | long | The number of packets received on all network interfaces | |
+| | network.protocol | keyword | Application protocol name | |
+| | network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |
+| | observer.ingress.interface.alias | keyword | Interface alias | |
+| | observer.ingress.interface.name | keyword | Interface name | |
+| * | host.network.egress.drops | long | Number of dropped transmitted packets | |
+| * | host.network.egress.errors | long | Number of transmission errors | |
+| * | host.network.ingress.drops | long | Number of dropped received packets | |
+| * | host.network.ingress.errors | long | Number of reception errors | |
+| * | interface.mtu | long | Maximum transmission unit size | |
+| * | interface.state | keyword | State of the network interface | |
+| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | |
+| * | network.broadcast | ip | Broadcast address | |
+| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | |
+| * | network.gateway | ip | Gateway address | |
+| * | network.metric | long | Metric of the network protocol | |
+| * | network.netmask | ip | Network mask | |
 \* Custom fields
diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md
index 127dc5cb10203..d2433eabf5b4b 100644
--- a/ecs/docs/inventory-packages.md
+++ b/ecs/docs/inventory-packages.md
@@ -8,32 +8,32 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| Field name | ECS field name | Data type | Description |
-| ------------ | ---------------------- | --------- | ----------------------------------------------------------------- |
-| | `agent.id` | keyword | Agent's ID |
-| | \*`agent.groups` | keyword | Agent's groups |
-| scan_time | `@timestamp` | date | Timestamp of the scan |
-| architecture | `package.architecture` | keyword | Package architecture. |
-| description | `package.description` | keyword | Description of the package. |
-| install_time | `package.installed` | date | Time when package was installed. |
-| name | `package.name` | keyword | Package name. |
-| location | `package.path` | keyword | Path where the package is installed. |
-| size | `package.size` | long | Package size in bytes. |
-| format | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. |
-| version | `package.version` | keyword | Package version. |
+| | Field name | Data type | Description | Example |
+| --- | ---------------------- | --------- | ----------------------------------------------------------------- | ------- |
+| | `agent.id` | keyword | Agent's ID | |
+| * | `agent.groups` | keyword | Agent's groups | |
+| | `@timestamp` | date | Timestamp of the scan | |
+| | `package.architecture` | keyword | Package architecture. | |
+| | `package.description` | keyword | Description of the package. | |
+| | `package.installed` | date | Time when package was installed. | |
+| | `package.name` | keyword | Package name. | |
+| | `package.path` | keyword | Path where the package is installed. | |
+| | `package.size` | long | Package size in bytes. | |
+| | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | |
+| | `package.version` | keyword | Package version. | |
 \* Custom field
Fields not included in ECS

-| | Field name | ECS field name | Data type | Description |
-| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------- |
-| ? | priority | | | Priority of the program |
-| ? | section | | | Section of the program category the package belongs to in DEB package managers |
-| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
-| ? | multiarch | | | Multi-architecture compatibility |
-| X | source | | | Source of the program - package manager |
+| | Field name | ECS field name | Data type | Description |
+| --- | ---------- | ----------------- | --------- | -------------------------------------------------------------------------------- |
+| ? | priority | | | Priority of the program |
+| ? | section | | | Section of the program category the package belongs to in DEB package managers |
+| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
+| ? | multiarch | | | Multi-architecture compatibility |
+| X | source | | | Source of the program - package manager |

diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md
index 51a2009139240..8dd33d93726d9 100644
--- a/ecs/docs/inventory-ports.md
+++ b/ecs/docs/inventory-ports.md
@@ -10,21 +10,21 @@ Based on ECS:
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
-| | Field name | ECS field name | Data type | Description |
-| --- | ----------- | -------------------------- | --------- | -------------------------------------------------- |
-| | inode | file.inode | keyword | The unix inode of the port |
-| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
-| | local_ip | source.ip | ip | Local IP address |
-| | local_port | source.port | long | Local port number |
-| | pid | process.pid | long | Process ID |
-| | process | process.name | keyword | Process name |
-| | protocol | network.protocol | keyword | Protocol used |
-| | remote_ip | destination.ip | ip | Remote IP address |
-| | remote_port | destination.port | long | Remote port number |
-| | scan_time | @timestamp | date | Timestamp of the scan |
-| * | rx_queue | host.network.ingress.queue | long | Receive queue length |
-| * | state | interface.state | keyword | State of the network interface |
-| * | tx_queue | host.network.egress.queue | long | Transmit queue length |
+| | Field name | Data type | Description | Example |
+| --- | -------------------------- | --------- | --------------------------------------------- | ------- |
+| | @timestamp | date | Timestamp of the scan | |
+| | destination.ip | ip | IP address of the destination | |
+| | destination.port | long | Port of the destination | |
+| | device.id | keyword | The unique identifier of a device | |
+| | file.inode | keyword | Inode representing the file in the filesystem | |
+| | network.protocol | keyword | Application protocol name | |
+| | process.name | keyword | Process name | |
+| | process.pid | long | Process ID | |
+| | source.ip | ip | IP address of the source | |
+| | source.port | long | Port of the source | |
+| * | host.network.egress.queue | long | Transmit queue length | |
+| * | host.network.ingress.queue | long | Receive queue length | |
+| * | interface.state | keyword | State of the network interface | |
 \* Custom fields
diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md
index 6be9b7e790c0b..33e3e42ee6fd8 100644
--- a/ecs/docs/inventory-processes.md
+++ b/ecs/docs/inventory-processes.md
@@ -8,25 +8,25 @@ Based on ECS:
 - [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html).
-| | Field name | ECS field name | Data type | Description | Comments |
-| --- | ---------------- | ------------------------ | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
-| | `agent.id` | keyword | Agent's ID |
-| | \*`agent.groups` | keyword | Agent's groups |
-| | scan_time | `@timestamp` | date | Date/time when the event originated. | |
-| | pid | `process.pid` | long | Process ID. | |
-| | name | `process.name` | keyword | Process name. | |
-| | ppid | `process.parent.pid` | long | Parent process ID. | |
-| | cmd | `process.command_line` | wildcard | Full command line that started the process, including the absolute path to the executable, and all arguments. | |
-| | argvs | `process.args` | keyword | Array of process arguments, starting with the absolute path to the executable. | |
-| | euser | `process.user.id` | keyword | Unique identifier of the effective user. | |
-| | ruser | `process.real_user.id` | keyword | Unique identifier of the real user. | |
-| | suser | `process.saved_user.id` | keyword | Unique identifier of the saved user. | |
-| | egroup | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | |
-| | rgroup | `process.real_group.id` | keyword | Unique identifier for the real group on the system/platform. | |
-| | sgroup | `process.saved_group.id` | keyword | Unique identifier for the saved group on the system/platform. | |
-| | start_time | `process.start` | date | The time the process started. | |
-| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. |
-| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification |
+| | Field name | Data type | Description | Comments | Examples |
+| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------- |
+| | `@timestamp` | date | Date/time when the event originated | | |
+| | `process.args` | keyword | Array of process arguments | | |
+| | `process.command_line` | wildcard | process.command_line | | |
+| | `process.name` | keyword | Process name | | |
+| | `process.parent.pid` | long | Parent process ID | | |
+| | `process.pid` | long | Process ID | | |
+| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | |
+| | `process.real_user.id` | keyword | Unique identifier of the user | | |
+| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | |
+| | `process.saved_user.id` | keyword | Unique identifier of the user | | |
+| | `process.start` | date | The time the process started | | |
+| | `process.user.id` | keyword | Unique identifier of the user | | |
+| | agent.id | keyword | Unique identifier of this agent | | |
+| ! | `process.thread.id` | long | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | |
+| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | |
+| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | |
+| * | agent.groups | keyword | Agent's groups | | |
 \* Custom field
@@ -35,24 +35,24 @@ Based on ECS:
Fields not included in ECS

-| | Field name | ECS field name | Data type | Description | Comments |
-| --- | ---------- | ------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- |
-| x | state | `process.state` | **No ECS mapping** | State of the process | **Not part of ECS;** Maybe as a custom field. |
-| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | **Not part of ECS;** Maybe as a custom field. |
-| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | **Not part of ECS;** Maybe as a custom field. |
-| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | |
-| x | priority | `process.priority` | **No ECS mapping** | Process priority | **Not part of ECS;** Maybe as a custom field. |
-| x | nice | `process.nice` | **No ECS mapping** | Nice value | **Not part of ECS;** Maybe as a custom field. |
-| x | size | `process.size` | **No ECS mapping** | Process size | **Not part of ECS;** Maybe as a custom field. |
-| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | **Not part of ECS;** Maybe as a custom field. |
-| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | **Not part of ECS;** Maybe as a custom field. |
-| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | **Not part of ECS;** Maybe as a custom field. |
-| ! | pgrp | `process.group.id` | keyword | Process group | Isn't it duplicated ?? |
-| x | session | `process.session` | **No ECS mapping** | Session ID | **Not part of ECS;** Needs clarification. |
-| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | **Not part of ECS;** Needs clarification. |
-| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | `thread.group` is **not part of ECS;** but `thread.id` is. |
-| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification |
-| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | No ECS field refers to the core number of the CPU. |
+| | Field name | ECS field name | Data type | Description | Example | Comments |
+| --- | ---------- | ------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------- | ------- | ---------------------------------------------------------- |
+| x | state | `process.state` | **No ECS mapping** | State of the process | | **Not part of ECS;** Maybe as a custom field. |
+| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | | **Not part of ECS;** Maybe as a custom field. |
+| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | | **Not part of ECS;** Maybe as a custom field. |
+| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | |
+| x | priority | `process.priority` | **No ECS mapping** | Process priority | | **Not part of ECS;** Maybe as a custom field. |
+| x | nice | `process.nice` | **No ECS mapping** | Nice value | | **Not part of ECS;** Maybe as a custom field. |
+| x | size | `process.size` | **No ECS mapping** | Process size | | **Not part of ECS;** Maybe as a custom field. |
+| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | | **Not part of ECS;** Maybe as a custom field. |
+| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | | **Not part of ECS;** Maybe as a custom field. |
+| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | | **Not part of ECS;** Maybe as a custom field. |
+| ! | pgrp | `process.group.id` | keyword | Process group | | Isn't it duplicated ?? |
+| x | session | `process.session` | **No ECS mapping** | Session ID | | **Not part of ECS;** Needs clarification. |
+| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | | **Not part of ECS;** Needs clarification. |
+| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | | `thread.group` is **not part of ECS;** but `thread.id` is. |
+| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification |
+| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | | No ECS field refers to the core number of the CPU. |

diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md
index ef53885ec1bc2..b1080bba62704 100644
--- a/ecs/docs/inventory-system.md
+++ b/ecs/docs/inventory-system.md
@@ -9,19 +9,19 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html).
-| Field name | ECS field name | Data type | Description |
-| ------------ | ------------------- | --------- | ---------------------------------------------------------- |
-| | `agent.id` | keyword | Agent's ID |
-| | \*`agent.groups` | keyword | Agent's groups |
-| scan_time | `@timestamp` | date | Date/time when the event originated. |
-| architecture | `host.architecture` | keyword | Operating system architecture. |
-| hostname | `host.hostname` | keyword | Hostname of the host. |
-| os_build | `host.os.kernel` | keyword | Operating system kernel version as a raw string. |
-| os_codename | `host.os.full` | keyword | Operating system name, including the version or code name. |
-| os_name | `host.os.name` | keyword | Operating system name, without the version. |
-| os_platform | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). |
-| os_version | `host.os.version` | keyword | Operating system version as a raw string. |
-| sysname | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | ---------------------------------------------------------- | ------- |
+| | `@timestamp` | date | Date/time when the event originated. | |
+| | `agent.id` | keyword | Agent's ID | |
+| | `host.architecture` | keyword | Operating system architecture. | |
+| | `host.hostname` | keyword | Hostname of the host. | |
+| | `host.os.full` | keyword | Operating system name, including the version or code name. | |
+| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | |
+| | `host.os.name` | keyword | Operating system name, without the version. | |
+| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | |
+| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | |
+| | `host.os.version` | keyword | Operating system version as a raw string. | |
+| * | `agent.groups` | keyword | Agent's groups | |
 \* Custom field