From 6d73c3a0bc5b387ebda65470296b235604f0aef6 Mon Sep 17 00:00:00 2001
From: f-galland
Date: Tue, 12 Nov 2024 13:16:17 -0300
Subject: [PATCH] Adding examples
---
 ecs/docs/inventory-hardware.md | 20 ++++++-------
 ecs/docs/inventory-hotfixes.md | 8 ++---
 ecs/docs/inventory-networks.md | 52 ++++++++++++++++-----------------
 ecs/docs/inventory-packages.md | 26 ++++++++---------
 ecs/docs/inventory-ports.md | 30 +++++++++----------
 ecs/docs/inventory-processes.md | 38 ++++++++++++------------
 ecs/docs/inventory-system.md | 26 ++++++++---------
 7 files changed, 100 insertions(+), 100 deletions(-)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
index 14165e8af2bc4..438b60ae1feb7 100644
--- a/ecs/docs/inventory-hardware.md
+++ b/ecs/docs/inventory-hardware.md
@@ -9,16 +9,16 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
-| | Field name | Data type | Description | Example |
-| --- | --------------------------- | --------- | ------------------------------------ | ------- |
-| | @timestamp | date | Date/time when the event originated. | |
-| | observer.serial_number | keyword | Observer serial number. | |
-| * | host.cpu.name | keyword | Name of the CPU | |
-| * | host.cpu.cores | long | Number of CPU cores | |
-| * | host.cpu.speed | long | Speed of the CPU in MHz | |
-| * | host.memory.total | long | Total RAM in the system | |
-| * | host.memory.free | long | Free RAM in the system | |
-| * | host.memory.used.percentage | long | RAM usage as a percentage | |
+| | Field name | Data type | Description | Example |
+| --- | --------------------------- | --------- | ------------------------------------ | ------------------------ |
+| | @timestamp | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z |
+| | observer.serial_number | keyword | Observer serial number. | |
+| * | host.cpu.name | keyword | Name of the CPU | |
+| * | host.cpu.cores | long | Number of CPU cores | |
+| * | host.cpu.speed | long | Speed of the CPU in MHz | |
+| * | host.memory.total | long | Total RAM in the system | |
+| * | host.memory.free | long | Free RAM in the system | |
+| * | host.memory.used.percentage | long | RAM usage as a percentage | |
 \* Custom fields
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
index c37ef8c5f2ec6..10b3f755c6df5 100644
--- a/ecs/docs/inventory-hotfixes.md
+++ b/ecs/docs/inventory-hotfixes.md
@@ -8,10 +8,10 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| | Field name | Data type | Description | Example |
-| --- | ------------------- | --------- | --------------------- | ------- |
-| | @timestamp | date | Timestamp of the scan | |
-| * | package.hotfix.name | keyword | Name of the hotfix | |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | --------------------- | ------------------------ |
+| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z |
+| * | package.hotfix.name | keyword | Name of the hotfix | |
 \* Custom fields
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index b287abd7d26a5..7c24a6bcf56dc 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -10,32 +10,32 @@ Based on ECS:
 - [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
-| | Field name | Data type | Description | Example |
-| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------- |
-| | @timestamp | date | Date/time when the event originated | |
-| | device.id | keyword | The unique identifier of a device. | |
-| | host.ip | ip | Host ip addresses | |
-| | host.mac | keyword | Host MAC addresses. | | |
-| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | |
-| | host.network.egress.packets | long | The number of packets sent on all network interfaces | |
-| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | |
-| | host.network.ingress.packets | long | The number of packets received on all network interfaces | |
-| | network.protocol | keyword | Application protocol name | |
-| | network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | |
-| | observer.ingress.interface.alias | keyword | Interface alias | |
-| | observer.ingress.interface.name | keyword | Interface name | |
-| * | host.network.egress.drops | long | Number of dropped transmitted packets | |
-| * | host.network.egress.errors | long | Number of transmission errors | |
-| * | host.network.ingress.drops | long | Number of dropped received packets | |
-| * | host.network.ingress.errors | long | Number of reception errors | |
-| * | interface.mtu | long | Maximum transmission unit size | |
-| * | interface.state | keyword | State of the network interface | |
-| * | interface.type | keyword | Interface type (eg. 
"wireless" or "ethernet") | | -| * | network.broadcast | ip | Broadcast address | | -| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | | -| * | network.gateway | ip | Gateway address | | -| * | network.metric | long | Metric of the network protocol | | -| * | network.netmask | ip | Network mask | | +| | Field name | Data type | Description | Example | +| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------------------------------------ | +| | @timestamp | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | +| | device.id | keyword | The unique identifier of a device. | 00000000-54b3-e7c7-0000-000046bffd97 | +| | host.ip | ip | Host ip addresses | 192.168.0.100 | +| | host.mac | keyword | Host MAC addresses. | | | +| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | | +| | host.network.egress.packets | long | The number of packets sent on all network interfaces | | +| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | | +| | host.network.ingress.packets | long | The number of packets received on all network interfaces | | +| | network.protocol | keyword | Application protocol name | http | +| | network.type | keyword | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc | ipv4 |
+| | observer.ingress.interface.alias | keyword | Interface alias | outside |
+| | observer.ingress.interface.name | keyword | Interface name | eth0 |
+| * | host.network.egress.drops | long | Number of dropped transmitted packets | |
+| * | host.network.egress.errors | long | Number of transmission errors | |
+| * | host.network.ingress.drops | long | Number of dropped received packets | |
+| * | host.network.ingress.errors | long | Number of reception errors | |
+| * | interface.mtu | long | Maximum transmission unit size | |
+| * | interface.state | keyword | State of the network interface | |
+| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | |
+| * | network.broadcast | ip | Broadcast address | |
+| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | |
+| * | network.gateway | ip | Gateway address | |
+| * | network.metric | long | Metric of the network protocol | |
+| * | network.netmask | ip | Network mask | |
 \* Custom fields
diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md
index d2433eabf5b4b..ae912f706096f 100644
--- a/ecs/docs/inventory-packages.md
+++ b/ecs/docs/inventory-packages.md
@@ -8,19 +8,19 @@ Based on ECS:
 - [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-| | Field name | Data type | Description | Example |
-| --- | ---------------------- | --------- | ----------------------------------------------------------------- | ------- |
-| | `agent.id` | keyword | Agent's ID | |
-| * | `agent.groups` | keyword | Agent's groups | |
-| | `@timestamp` | date | Timestamp of the scan | |
-| | `package.architecture` | keyword | Package architecture. | |
-| | `package.description` | keyword | Description of the package. | |
-| | `package.installed` | date | Time when package was installed. | |
-| | `package.name` | keyword | Package name. | |
-| | `package.path` | keyword | Path where the package is installed. | |
-| | `package.size` | long | Package size in bytes. | |
-| | `package.type` | keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | |
-| | `package.version` | keyword | Package version. | |
+| | Field name | Data type | Description | Example |
+| --- | ---------------------- | --------- | ------------------------------------ | ------- |
+| | `@timestamp` | date | Timestamp of the scan | |
+| | `agent.id` | keyword | Unique identifier of this agent | |
+| | `package.architecture` | keyword | Package architecture. | |
+| | `package.description` | keyword | Description of the package. | |
+| | `package.installed` | date | Time when package was installed. | |
+| | `package.name` | keyword | Package name. | |
+| | `package.path` | keyword | Path where the package is installed. | |
+| | `package.size` | long | Package size in bytes. | |
+| | `package.type` | keyword | Package type | |
+| | `package.version` | keyword | Package version | |
+| * | `agent.groups` | keyword | Agent's groups | |
 \* Custom field
diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md
index 8dd33d93726d9..12aa286ce5021 100644
--- a/ecs/docs/inventory-ports.md
+++ b/ecs/docs/inventory-ports.md
@@ -10,21 +10,21 @@ Based on ECS:
 - [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
-| | Field name | Data type | Description | Example |
-| --- | -------------------------- | --------- | --------------------------------------------- | ------- |
-| | @timestamp | date | Timestamp of the scan | |
-| | destination.ip | ip | IP address of the destination | |
-| | destination.port | long | Port of the destination | |
-| | device.id | keyword | The unique identifier of a device | |
-| | file.inode | keyword | Inode representing the file in the filesystem | |
-| | network.protocol | keyword | Application protocol name | |
-| | process.name | keyword | Process name | |
-| | process.pid | long | Process ID | |
-| | source.ip | ip | IP address of the source | |
-| | source.port | long | Port of the source | |
-| * | host.network.egress.queue | long | Transmit queue length | |
-| * | host.network.ingress.queue | long | Receive queue length | |
-| * | interface.state | keyword | State of the network interface | |
+| | Field name | Data type | Description | Example |
+| --- | -------------------------- | --------- | --------------------------------------------- | ------------------------------------ |
+| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z |
+| | destination.ip | ip | IP address of the destination | 192.168.0.100 |
+| | destination.port | long | Port of the destination | |
+| | device.id | keyword | The unique identifier of a device | 00000000-54b3-e7c7-0000-000046bffd97 |
+| | file.inode | keyword | Inode representing the file in the filesystem | 256383 |
+| | network.protocol | keyword | Application protocol name | http |
+| | process.name | keyword | Process name | ssh |
+| | process.pid | long | Process ID | 4242 |
+| | source.ip | ip | IP address of the source | |
+| | source.port | long | Port of the source | |
+| * | 
host.network.egress.queue | long | Transmit queue length | |
+| * | host.network.ingress.queue | long | Receive queue length | |
+| * | interface.state | keyword | State of the network interface | |
 \* Custom fields
diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md
index 33e3e42ee6fd8..f0b00ee1123c3 100644
--- a/ecs/docs/inventory-processes.md
+++ b/ecs/docs/inventory-processes.md
@@ -8,25 +8,25 @@ Based on ECS:
 - [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html).
-| | Field name | Data type | Description | Comments | Examples |
-| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------- |
-| | `@timestamp` | date | Date/time when the event originated | | |
-| | `process.args` | keyword | Array of process arguments | | |
-| | `process.command_line` | wildcard | process.command_line | | |
-| | `process.name` | keyword | Process name | | |
-| | `process.parent.pid` | long | Parent process ID | | |
-| | `process.pid` | long | Process ID | | |
-| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | |
-| | `process.real_user.id` | keyword | Unique identifier of the user | | |
-| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | |
-| | `process.saved_user.id` | keyword | Unique identifier of the user | | |
-| | `process.start` | date | The time the process started | | |
-| | `process.user.id` | keyword | Unique identifier of the user | | |
-| | agent.id | keyword | Unique identifier of this agent | | |
-| ! | `process.thread.id` | long | Thread ID | `thread.group` is **not part of ECS;** but `thread.id` is. | |
-| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification | |
-| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. 
| | |
-| * | agent.groups | keyword | Agent's groups | | |
+| | Field name | Data type | Description | Examples | Comments |
+| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------- |
+| | `@timestamp` | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | |
+| | `agent.id` | keyword | Unique identifier of this agent | 8a4f500d | |
+| | `process.args` | keyword | Array of process arguments | ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] | |
+| | `process.command_line` | wildcard | process.command_line | /usr/bin/ssh -l user 10.0.0.16 | |
+| | `process.name` | keyword | Process name | ssh | |
+| | `process.parent.pid` | long | Parent process ID | 4242 | |
+| | `process.pid` | long | Process ID | 4242 | |
+| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | |
+| | `process.real_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | |
+| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | |
+| | `process.saved_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | |
+| | `process.start` | date | The time the process started | 2016-05-23T08:05:34.853Z | |
+| | `process.user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | |
+| ! | `process.thread.id` | long | Thread ID | | `thread.group` is **not part of ECS;** but `thread.id` is. |
+| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification |
+| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. 
| | |
+| * | agent.groups | keyword | Agent's groups | | |
 \* Custom field
diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md
index b1080bba62704..28109f2d99599 100644
--- a/ecs/docs/inventory-system.md
+++ b/ecs/docs/inventory-system.md
@@ -9,19 +9,19 @@ Based on ECS:
 - [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
 - [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html).
-| | Field name | Data type | Description | Example |
-| --- | ------------------- | --------- | ---------------------------------------------------------- | ------- |
-| | `@timestamp` | date | Date/time when the event originated. | |
-| | `agent.id` | keyword | Agent's ID | |
-| | `host.architecture` | keyword | Operating system architecture. | |
-| | `host.hostname` | keyword | Hostname of the host. | |
-| | `host.os.full` | keyword | Operating system name, including the version or code name. | |
-| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | |
-| | `host.os.name` | keyword | Operating system name, without the version. | |
-| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | |
-| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | |
-| | `host.os.version` | keyword | Operating system version as a raw string. | |
-| * | `agent.groups` | keyword | Agent's groups | |
+| | Field name | Data type | Description | Example |
+| --- | ------------------- | --------- | ---------------------------------------------------------- | ------------------------ |
+| | `@timestamp` | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z |
+| | `agent.id` | keyword | Unique identifier of this agent. | 8a4f500d |
+| | `host.architecture` | keyword | Operating system architecture. | x86_64 |
+| | `host.hostname` | keyword | Hostname of the host. | |
+| | `host.os.full` | keyword | Operating system name, including the version or code name. | Mac OS Mojave |
+| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | 4.4.0-112-generic |
+| | `host.os.name` | keyword | Operating system name, without the version. 
| Mac OS X |
+| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | darwin |
+| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | macos |
+| | `host.os.version` | keyword | Operating system version as a raw string. | 10.14.1 |
+| * | `agent.groups` | keyword | Agent's groups | |
 \* Custom field