diff --git a/packages/azure_frontdoor/changelog.yml b/packages/azure_frontdoor/changelog.yml index beb805fe414..9b321ac70a8 100644 --- a/packages/azure_frontdoor/changelog.yml +++ b/packages/azure_frontdoor/changelog.yml @@ -1,9 +1,14 @@ -- version: 1.3.1 +- version: "1.3.2" + changes: + - description: Removing unused ECS field declarations. + type: bugfix + link: https://github.com/elastic/integrations/pull/7965 +- version: "1.3.1" changes: - description: Add null checks and ignore_missing checks to the rename processor type: bugfix link: https://github.com/elastic/integrations/pull/7953 -- version: 1.3.0 +- version: "1.3.0" changes: - description: ECS version updated to 8.10.0. type: enhancement diff --git a/packages/azure_frontdoor/data_stream/access/fields/ecs.yml b/packages/azure_frontdoor/data_stream/access/fields/ecs.yml index e31f665a9be..f2d91664dec 100644 --- a/packages/azure_frontdoor/data_stream/access/fields/ecs.yml +++ b/packages/azure_frontdoor/data_stream/access/fields/ecs.yml @@ -10,22 +10,6 @@ external: ecs - name: destination.as.organization.name external: ecs -- name: destination.geo.city_name - external: ecs -- name: destination.geo.continent_name - external: ecs -- name: destination.geo.country_iso_code - external: ecs -- name: destination.geo.country_name - external: ecs -- name: destination.geo.location - external: ecs -- name: destination.geo.name - external: ecs -- name: destination.geo.region_iso_code - external: ecs -- name: destination.geo.region_name - external: ecs - name: destination.ip external: ecs - name: destination.port @@ -66,16 +50,6 @@ external: ecs - name: source.as.organization.name external: ecs -- name: geo.continent_name - external: ecs -- name: geo.country_iso_code - external: ecs -- name: geo.country_name - external: ecs -- name: geo.location - external: ecs -- name: geo.city_name - external: ecs - name: log.level external: ecs - name: source.geo.city_name 
diff --git a/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml b/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml index cf0c9319672..7e9667634cb 100644 --- a/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml +++ b/packages/azure_frontdoor/data_stream/waf/fields/ecs.yml @@ -10,22 +10,6 @@ external: ecs - name: destination.as.organization.name external: ecs -- name: destination.geo.city_name - external: ecs -- name: destination.geo.continent_name - external: ecs -- name: destination.geo.country_iso_code - external: ecs -- name: destination.geo.country_name - external: ecs -- name: destination.geo.location - external: ecs -- name: destination.geo.name - external: ecs -- name: destination.geo.region_iso_code - external: ecs -- name: destination.geo.region_name - external: ecs - name: destination.ip external: ecs - name: destination.port @@ -66,16 +50,6 @@ external: ecs - name: source.as.organization.name external: ecs -- name: geo.continent_name - external: ecs -- name: geo.country_iso_code - external: ecs -- name: geo.country_name - external: ecs -- name: geo.location - external: ecs -- name: geo.city_name - external: ecs - name: log.level external: ecs - name: source.geo.city_name diff --git a/packages/azure_frontdoor/docs/README.md b/packages/azure_frontdoor/docs/README.md index 825c50e470a..09930e849bf 100644 --- a/packages/azure_frontdoor/docs/README.md +++ b/packages/azure_frontdoor/docs/README.md 
@@ -96,14 +96,6 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | | destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.port | Port of the destination. | long | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | 
@@ -116,11 +108,6 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | 
@@ -228,14 +215,6 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | | destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.port | Port of the destination. | long | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | 
@@ -248,11 +227,6 @@ Users can also use this in case of a Hybrid Cloud model, where one may define th | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | diff --git a/packages/azure_frontdoor/manifest.yml b/packages/azure_frontdoor/manifest.yml index 88a8e473525..8326ff5505c 100644 --- a/packages/azure_frontdoor/manifest.yml +++ b/packages/azure_frontdoor/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.11.0 name: azure_frontdoor title: "Azure Frontdoor" -version: "1.3.1" +version: "1.3.2" description: "This Elastic integration collects logs from Azure Frontdoor." type: integration categories: 
diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml index 387b9ae80bf..c3bbb0116cd 100644 --- a/packages/carbonblack_edr/changelog.yml +++ b/packages/carbonblack_edr/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top -- version: 1.14.0 +- version: "1.14.1" + changes: + - description: Removing unused ECS field declarations. + type: bugfix + link: https://github.com/elastic/integrations/pull/7965 +- version: "1.14.0" changes: - description: ECS version updated to 8.10.0. type: enhancement diff --git a/packages/carbonblack_edr/data_stream/log/fields/ecs.yml b/packages/carbonblack_edr/data_stream/log/fields/ecs.yml index 337f2e224da..e490e93cb9f 100644 --- a/packages/carbonblack_edr/data_stream/log/fields/ecs.yml +++ b/packages/carbonblack_edr/data_stream/log/fields/ecs.yml @@ -64,8 +64,6 @@ external: ecs - name: observer.version external: ecs -- name: os.type - external: ecs - name: process.command_line external: ecs - name: process.entity_id diff --git a/packages/carbonblack_edr/docs/README.md b/packages/carbonblack_edr/docs/README.md index 8c04a8e6487..01db8a85800 100644 --- a/packages/carbonblack_edr/docs/README.md +++ b/packages/carbonblack_edr/docs/README.md 
@@ -319,7 +319,6 @@ An example event for `log` looks as following: | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | | observer.vendor | Vendor name of the observer. | keyword | | observer.version | Observer version. | keyword | -| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml index bd971f55b8e..37cccb01dc9 100644 --- a/packages/carbonblack_edr/manifest.yml +++ b/packages/carbonblack_edr/manifest.yml @@ -1,6 +1,6 @@ name: carbonblack_edr title: VMware Carbon Black EDR -version: "1.14.0" +version: "1.14.1" description: Collect logs from VMware Carbon Black EDR with Elastic Agent. type: integration format_version: 2.11.0 
diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml index df5d4e26e09..a108fd7918e 100644 --- a/packages/cisco_meraki/changelog.yml +++ b/packages/cisco_meraki/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.1" + changes: + - description: Removing unused ECS field declarations. + type: bugfix + link: https://github.com/elastic/integrations/pull/7965 - version: "1.15.0" changes: - description: Add event.action and message to specific events. diff --git a/packages/cisco_meraki/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/data_stream/events/fields/ecs.yml index 124f81c6c37..4a063f496f5 100644 --- a/packages/cisco_meraki/data_stream/events/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/events/fields/ecs.yml @@ -22,12 +22,6 @@ name: destination.bytes - external: ecs name: destination.domain -- external: ecs - name: destination.geo.city_name -- external: ecs - name: destination.geo.country_name -- external: ecs - name: destination.geo.location - external: ecs name: destination.ip - external: ecs @@ -90,14 +84,6 @@ name: file.size - external: ecs name: file.type -- external: ecs - name: geo.city_name -- external: ecs - name: geo.country_name -- external: ecs - name: geo.name -- external: ecs - name: geo.region_name - external: ecs name: group.id - external: ecs @@ -200,12 +186,6 @@ name: source.bytes - external: ecs name: source.domain -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.country_name -- external: ecs - name: source.geo.location - external: ecs name: source.ip - external: ecs 
@@ -246,22 +226,6 @@ name: user_agent.original - external: ecs name: observer.hostname -- external: ecs - name: destination.geo.continent_name -- external: ecs - name: destination.geo.country_iso_code -- external: ecs - name: destination.geo.region_iso_code -- external: ecs - name: destination.geo.region_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name - external: ecs name: network.vlan.id - external: ecs @@ -276,22 +240,6 @@ name: threat.indicator.file.name - external: ecs name: threat.indicator.file.hash.sha256 -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name -- external: ecs - name: client.geo.location.lat -- external: ecs - name: client.geo.location.lon -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name - external: ecs name: organization.id - external: ecs diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml index e8ce1e59a77..71a40755dde 100644 --- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml @@ -90,14 +90,6 @@ name: file.size - external: ecs name: file.type -- external: ecs - name: geo.city_name -- external: ecs - name: geo.country_name -- external: ecs - name: geo.name -- external: ecs - name: geo.region_name - external: ecs name: group.id - external: ecs diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index ddf7c36573e..b584984777f 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md 
@@ -168,10 +168,6 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | file.path.text | Multi-field of `file.path`. | match_only_text | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | 
@@ -421,14 +417,6 @@ An example event for `log` looks as following: | cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword | | cisco_meraki.event.version | Current version of webhook format | keyword | | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location.lat | Longitude and latitude. | geo_point | -| client.geo.location.lon | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | | client.ip | IP address of the client (IPv4 or IPv6). | ip | | client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | 
@@ -456,13 +444,6 @@ An example event for `log` looks as following: | destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | 
@@ -497,10 +478,6 @@ An example event for `log` looks as following: | file.path.text | Multi-field of `file.path`. | match_only_text | | file.size | File size in bytes. Only relevant when `file.type` is "file". | long | | file.type | File type (file, dir, or symlink). | keyword | -| geo.city_name | City name. | keyword | -| geo.country_name | Country name. | keyword | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_name | Region name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | | host.architecture | Operating system architecture. | keyword | 
@@ -578,13 +555,6 @@ An example event for `log` looks as following: | source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | source.bytes | Bytes sent from the source to the destination. | long | | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml index 43f9ec46094..588b01b8ba2 100644 --- a/packages/cisco_meraki/manifest.yml +++ b/packages/cisco_meraki/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.11.0 name: cisco_meraki title: Cisco Meraki -version: "1.15.0" +version: "1.15.1" description: Collect logs from Cisco Meraki with Elastic Agent. type: integration categories: diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml index dff800a510e..d2026962f21 100644 --- a/packages/juniper_srx/changelog.yml 
+++ b/packages/juniper_srx/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top -- version: 1.16.0 +- version: "1.16.1" + changes: + - description: Removing unused ECS field declarations. + type: bugfix + link: https://github.com/elastic/integrations/pull/7965 +- version: "1.16.0" changes: - description: ECS version updated to 8.10.0. type: enhancement diff --git a/packages/juniper_srx/data_stream/log/fields/ecs.yml b/packages/juniper_srx/data_stream/log/fields/ecs.yml index fde822e6633..4401633b5d5 100644 --- a/packages/juniper_srx/data_stream/log/fields/ecs.yml +++ b/packages/juniper_srx/data_stream/log/fields/ecs.yml @@ -12,36 +12,16 @@ name: agent.type - external: ecs name: agent.version -- external: ecs - name: as.number - external: ecs name: as.organization.name - external: ecs name: client.address -- external: ecs - name: client.as.number - external: ecs name: client.as.organization.name - external: ecs name: client.bytes - external: ecs name: client.domain -- external: ecs - name: client.geo.city_name -- external: ecs - name: client.geo.continent_name -- external: ecs - name: client.geo.country_iso_code -- external: ecs - name: client.geo.country_name -- external: ecs - name: client.geo.location -- external: ecs - name: client.geo.name -- external: ecs - name: client.geo.region_iso_code -- external: ecs - name: client.geo.region_name - external: ecs name: client.ip - external: ecs 
@@ -378,70 +358,6 @@ name: file.type - external: ecs name: file.uid -- external: ecs - name: file.x509.alternative_names -- external: ecs - name: file.x509.issuer.common_name -- external: ecs - name: file.x509.issuer.country -- external: ecs - name: file.x509.issuer.distinguished_name -- external: ecs - name: file.x509.issuer.locality -- external: ecs - name: file.x509.issuer.organization -- external: ecs - name: file.x509.issuer.organizational_unit -- external: ecs - name: file.x509.issuer.state_or_province -- external: ecs - name: file.x509.not_after -- external: ecs - name: file.x509.not_before -- external: ecs - name: file.x509.public_key_algorithm -- external: ecs - name: file.x509.public_key_curve -- external: ecs - name: file.x509.public_key_exponent -- external: ecs - name: file.x509.public_key_size -- external: ecs - name: file.x509.serial_number -- external: ecs - name: file.x509.signature_algorithm -- external: ecs - name: file.x509.subject.common_name -- external: ecs - name: file.x509.subject.country -- external: ecs - name: file.x509.subject.distinguished_name -- external: ecs - name: file.x509.subject.locality -- external: ecs - name: file.x509.subject.organization -- external: ecs - name: file.x509.subject.organizational_unit -- external: ecs - name: file.x509.subject.state_or_province -- external: ecs - name: file.x509.version_number -- external: ecs - name: geo.city_name -- external: ecs - name: geo.continent_name -- external: ecs - name: geo.country_iso_code -- external: ecs - name: geo.country_name -- external: ecs - name: geo.location -- external: ecs - name: geo.name -- external: ecs - name: geo.region_iso_code -- external: ecs - name: geo.region_name - external: ecs name: group.domain - external: ecs 
@@ -460,22 +376,6 @@ name: host.architecture - external: ecs name: host.domain -- external: ecs - name: host.geo.city_name -- external: ecs - name: host.geo.continent_name -- external: ecs - name: host.geo.country_iso_code -- external: ecs - name: host.geo.country_name -- external: ecs - name: host.geo.location -- external: ecs - name: host.geo.name -- external: ecs - name: host.geo.region_iso_code -- external: ecs - name: host.geo.region_name - external: ecs name: host.hostname - external: ecs @@ -522,12 +422,6 @@ name: http.response.status_code - external: ecs name: http.version -- external: ecs - name: interface.alias -- external: ecs - name: interface.id -- external: ecs - name: interface.name - external: ecs name: labels - external: ecs @@ -596,22 +490,6 @@ name: observer.egress.vlan.name - external: ecs name: observer.egress.zone -- external: ecs - name: observer.geo.city_name -- external: ecs - name: observer.geo.continent_name -- external: ecs - name: observer.geo.country_iso_code -- external: ecs - name: observer.geo.country_name -- external: ecs - name: observer.geo.location -- external: ecs - name: observer.geo.name -- external: ecs - name: observer.geo.region_iso_code -- external: ecs - name: observer.geo.region_name - external: ecs name: observer.hostname - external: ecs @@ -634,18 +512,6 @@ name: observer.mac - external: ecs name: observer.name -- external: ecs - name: observer.os.family -- external: ecs - name: observer.os.full -- external: ecs - name: observer.os.kernel -- external: ecs - name: observer.os.name -- external: ecs - name: observer.os.platform -- external: ecs - name: observer.os.version - external: ecs name: observer.product - external: ecs 
@@ -660,18 +526,6 @@ name: organization.id - external: ecs name: organization.name -- external: ecs - name: os.family -- external: ecs - name: os.full -- external: ecs - name: os.kernel -- external: ecs - name: os.name -- external: ecs - name: os.platform -- external: ecs - name: os.version - external: ecs name: package.architecture - external: ecs @@ -880,30 +734,12 @@ name: rule.version - external: ecs name: server.address -- external: ecs - name: server.as.number - external: ecs name: server.as.organization.name - external: ecs name: server.bytes - external: ecs name: server.domain -- external: ecs - name: server.geo.city_name -- external: ecs - name: server.geo.continent_name -- external: ecs - name: server.geo.country_iso_code -- external: ecs - name: server.geo.country_name -- external: ecs - name: server.geo.location -- external: ecs - name: server.geo.name -- external: ecs - name: server.geo.region_iso_code -- external: ecs - name: server.geo.region_name - external: ecs name: server.ip - external: ecs 
@@ -1058,54 +894,6 @@ name: tls.client.subject - external: ecs name: tls.client.supported_ciphers -- external: ecs - name: tls.client.x509.alternative_names -- external: ecs - name: tls.client.x509.issuer.common_name -- external: ecs - name: tls.client.x509.issuer.country -- external: ecs - name: tls.client.x509.issuer.distinguished_name -- external: ecs - name: tls.client.x509.issuer.locality -- external: ecs - name: tls.client.x509.issuer.organization -- external: ecs - name: tls.client.x509.issuer.organizational_unit -- external: ecs - name: tls.client.x509.issuer.state_or_province -- external: ecs - name: tls.client.x509.not_after -- external: ecs - name: tls.client.x509.not_before -- external: ecs - name: tls.client.x509.public_key_algorithm -- external: ecs - name: tls.client.x509.public_key_curve -- external: ecs - name: tls.client.x509.public_key_exponent -- external: ecs - name: tls.client.x509.public_key_size -- external: ecs - name: tls.client.x509.serial_number -- external: ecs - name: tls.client.x509.signature_algorithm -- external: ecs - name: tls.client.x509.subject.common_name -- external: ecs - name: tls.client.x509.subject.country -- external: ecs - name: tls.client.x509.subject.distinguished_name -- external: ecs - name: tls.client.x509.subject.locality -- external: ecs - name: tls.client.x509.subject.organization -- external: ecs - name: tls.client.x509.subject.organizational_unit -- external: ecs - name: tls.client.x509.subject.state_or_province -- external: ecs - name: tls.client.x509.version_number - external: ecs name: tls.curve - external: ecs 
@@ -1134,54 +922,6 @@ name: tls.server.not_before - external: ecs name: tls.server.subject -- external: ecs - name: tls.server.x509.alternative_names -- external: ecs - name: tls.server.x509.issuer.common_name -- external: ecs - name: tls.server.x509.issuer.country -- external: ecs - name: tls.server.x509.issuer.distinguished_name -- external: ecs - name: tls.server.x509.issuer.locality -- external: ecs - name: tls.server.x509.issuer.organization -- external: ecs - name: tls.server.x509.issuer.organizational_unit -- external: ecs - name: tls.server.x509.issuer.state_or_province -- external: ecs - name: tls.server.x509.not_after -- external: ecs - name: tls.server.x509.not_before -- external: ecs - name: tls.server.x509.public_key_algorithm -- external: ecs - name: tls.server.x509.public_key_curve -- external: ecs - name: tls.server.x509.public_key_exponent -- external: ecs - name: tls.server.x509.public_key_size -- external: ecs - name: tls.server.x509.serial_number -- external: ecs - name: tls.server.x509.signature_algorithm -- external: ecs - name: tls.server.x509.subject.common_name -- external: ecs - name: tls.server.x509.subject.country -- external: ecs - name: tls.server.x509.subject.distinguished_name -- external: ecs - name: tls.server.x509.subject.locality -- external: ecs - name: tls.server.x509.subject.organization -- external: ecs - name: tls.server.x509.subject.organizational_unit -- external: ecs - name: tls.server.x509.subject.state_or_province -- external: ecs - name: tls.server.x509.version_number - external: ecs name: tls.version - external: ecs 
@@ -1244,24 +984,8 @@ name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.os.family -- external: ecs - name: user_agent.os.full -- external: ecs - name: user_agent.os.kernel -- external: ecs - name: user_agent.os.name -- external: ecs - name: user_agent.os.platform -- external: ecs - name: user_agent.os.version - external: ecs name: user_agent.version -- external: ecs - name: vlan.id -- external: ecs - name: vlan.name - external: ecs name: vulnerability.category - external: ecs @@ -1288,51 +1012,3 @@ name: vulnerability.score.version - external: ecs name: vulnerability.severity -- external: ecs - name: x509.alternative_names -- external: ecs - name: x509.issuer.common_name -- external: ecs - name: x509.issuer.country -- external: ecs - name: x509.issuer.distinguished_name -- external: ecs - name: x509.issuer.locality -- external: ecs - name: x509.issuer.organization -- external: ecs - name: x509.issuer.organizational_unit -- external: ecs - name: x509.issuer.state_or_province -- external: ecs - name: x509.not_after -- external: ecs - name: x509.not_before -- external: ecs - name: x509.public_key_algorithm -- external: ecs - name: x509.public_key_curve -- external: ecs - name: x509.public_key_exponent -- external: ecs - name: x509.public_key_size -- external: ecs - name: x509.serial_number -- external: ecs - name: x509.signature_algorithm -- external: ecs - name: x509.subject.common_name -- external: ecs - name: x509.subject.country -- external: ecs - name: x509.subject.distinguished_name -- external: ecs - name: x509.subject.locality -- external: ecs - name: x509.subject.organization -- external: ecs - name: x509.subject.organizational_unit -- external: ecs - name: x509.subject.state_or_province -- external: ecs - name: x509.version_number diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md index bda140a2608..ad6ef84eab2 100644 --- a/packages/juniper_srx/docs/README.md 
+++ b/packages/juniper_srx/docs/README.md 
@@ -50,23 +50,13 @@ The following processes and tags are supported: | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | -| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | as.organization.name | Organization name. | keyword | | as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | | client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | | client.bytes | Bytes sent from the client to the server. | long | | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. 
| keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | | client.ip | IP address of the client (IPv4 or IPv6). | ip | | client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | 
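Review bot: removing client.as.number and as.number while keeping client.as.organization.name and as.organization.name is inconsistent: a geoip ASN lookup sets both number and organization name together, so either both are unused and both should go, or neither is. For the client.geo.* rows, confirm the geoip processors in this data stream target only source.geo and destination.geo, because a geo.location that is still emitted without a declaration is dynamically mapped as an object with two float subfields rather than geo_point, which silently breaks map panels and geo_distance or geo_bounding_box queries; nothing flags a field that merely lost its mapping.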
@@ -253,38 +243,6 @@ The following processes and tags are supported: | file.target_path.text | Multi-field of `file.target_path`. | match_only_text | | file.type | File type (file, dir, or symlink). | keyword | | file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | -| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.issuer.country | List of country \(C) codes | keyword | -| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| file.x509.issuer.locality | List of locality names (L) | keyword | -| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| file.x509.public_key_size | The size of the public key space in bits. | long | -| file.x509.serial_number | Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| file.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| file.x509.subject.country | List of country \(C) code | keyword | -| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| file.x509.subject.locality | List of locality names (L) | keyword | -| file.x509.subject.organization | List of organizations (O) of subject. | keyword | -| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| file.x509.version_number | Version of x509 format. | keyword | -| geo.city_name | City name. | keyword | -| geo.continent_name | Name of the continent. | keyword | -| geo.country_iso_code | Country ISO code. | keyword | -| geo.country_name | Country name. | keyword | -| geo.location | Longitude and latitude. | geo_point | -| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| geo.region_iso_code | Region ISO code. | keyword | -| geo.region_name | Region name. | keyword | | group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | group.id | Unique identifier for the group on the system/platform. | keyword | | group.name | Name of the group. | keyword | 
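Review bot: the root-level geo.* rows (and the x509.*, os.*, as.*, vlan.* and interface.* rows removed elsewhere in this file) were never valid placements, since ECS defines those as reusable field sets that are only expected nested under source, destination, client, server, host or observer, so this is a correctness fix rather than cleanup and the changelog entry could say so. Since this README is generated, the authoritative change is the one in the data stream's fields/ecs.yml; confirm the table was regenerated with `elastic-package build` rather than edited by hand so the two do not drift.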
@@ -295,14 +253,6 @@ The following processes and tags are supported: | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | 
@@ -333,9 +283,6 @@ The following processes and tags are supported: | http.response.status_code | HTTP response status code. | long | | http.version | HTTP version. | keyword | | input.type | Input type. | keyword | -| interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | -| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | -| interface.name | Interface name as reported by the system. | keyword | | juniper.srx.action | action | keyword | | juniper.srx.action_detail | action detail | keyword | | juniper.srx.admin_status | | keyword | 
@@ -523,14 +470,6 @@ The following processes and tags are supported: | observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword | | observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword | | observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.continent_name | Name of the continent. | keyword | -| observer.geo.country_iso_code | Country ISO code. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| observer.geo.region_iso_code | Region ISO code. | keyword | -| observer.geo.region_name | Region name. | keyword | | observer.hostname | Hostname of the observer. | keyword | | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | | observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | 
@@ -542,14 +481,6 @@ The following processes and tags are supported: | observer.ip | IP addresses of the observer. | ip | | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| observer.os.full | Operating system name, including the version or code name. | keyword | -| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text | -| observer.os.kernel | Operating system kernel version as a raw string. | keyword | -| observer.os.name | Operating system name, without the version. | keyword | -| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | -| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| observer.os.version | Operating system version as a raw string. | keyword | | observer.product | The product name of the observer. | keyword | | observer.serial_number | Observer serial number. | keyword | | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | 
@@ -558,14 +489,6 @@ The following processes and tags are supported: | organization.id | Unique identifier for the organization. | keyword | | organization.name | Organization name. | keyword | | organization.name.text | Multi-field of `organization.name`. | match_only_text | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| os.full | Operating system name, including the version or code name. | keyword | -| os.full.text | Multi-field of `os.full`. | match_only_text | -| os.kernel | Operating system kernel version as a raw string. | keyword | -| os.name | Operating system name, without the version. | keyword | -| os.name.text | Multi-field of `os.name`. | match_only_text | -| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| os.version | Operating system version as a raw string. | keyword | | package.architecture | Package architecture. | keyword | | package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. | keyword | | package.checksum | Checksum of the installed package for verification. | keyword | 
@@ -680,19 +603,10 @@ The following processes and tags are supported: | rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | | rule.version | The version / revision of the rule being used for analysis. | keyword | | server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | server.as.organization.name | Organization name. | keyword | | server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | | server.bytes | Bytes sent from the server to the client. | long | | server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.geo.city_name | City name. | keyword | -| server.geo.continent_name | Name of the continent. | keyword | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.country_name | Country name. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| server.geo.region_iso_code | Region ISO code. | keyword | -| server.geo.region_name | Region name. 
| keyword | | server.ip | IP address of the server (IPv4 or IPv6). | ip | | server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | 
@@ -777,30 +691,6 @@ The following processes and tags are supported: | tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | | tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | | tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword | -| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.country | List of country \(C) codes | keyword | -| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.locality | List of locality names (L) | keyword | -| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.client.x509.public_key_exponent | Exponent used to derive the public key. 
This is algorithm specific. | long | -| tls.client.x509.public_key_size | The size of the public key space in bits. | long | -| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country \(C) code | keyword | -| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.version_number | Version of x509 format. | keyword | | tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | | tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | | tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | 
@@ -815,30 +705,6 @@ The following processes and tags are supported: | tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | | tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | | tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country \(C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.server.x509.public_key_size | The size of the public key space in bits. 
| long | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country \(C) code | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.version_number | Version of x509 format. | keyword | | tls.version | Numeric part of the version parsed from the original string. | keyword | | tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | | trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword | 
@@ -874,17 +740,7 @@ The following processes and tags are supported: | user_agent.name | Name of the user agent. | keyword | | user_agent.original | Unparsed user_agent string. | keyword | | user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| user_agent.os.version | Operating system version as a raw string. | keyword | | user_agent.version | Version of the user agent. | keyword | -| vlan.id | VLAN ID as reported by the observer. | keyword | -| vlan.name | Optional VLAN name as reported by the observer. | keyword | | vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | | vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | | vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | 
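Review bot: user_agent.os.* is removed here while user_agent.name, user_agent.original and user_agent.version stay, which suggests the pipeline runs the user_agent processor; that processor writes os.name, os.version and os.full under its target field alongside name and version, so if it is in use these declarations are not unused and should stay (the same applies to the matching removal in the fields file hunk above). The vlan.id and vlan.name removal is fine, as the observer.egress.vlan.* and observer.ingress.* rows kept earlier are the expected ECS placement.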
@@ -899,27 +755,3 @@ The following processes and tags are supported: | vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | | vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | | vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | -| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| x509.issuer.country | List of country \(C) codes | keyword | -| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| x509.issuer.locality | List of locality names (L) | keyword | -| x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. 
| keyword | -| x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| x509.not_after | Time at which the certificate is no longer considered valid. | date | -| x509.not_before | Time at which the certificate is first considered valid. | date | -| x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| x509.public_key_size | The size of the public key space in bits. | long | -| x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| x509.subject.common_name | List of common names (CN) of subject. | keyword | -| x509.subject.country | List of country \(C) code | keyword | -| x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| x509.subject.locality | List of locality names (L) | keyword | -| x509.subject.organization | List of organizations (O) of subject. | keyword | -| x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| x509.version_number | Version of x509 format. | keyword | diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml index 0731cb3b8ba..acd8cc9c501 100644 --- a/packages/juniper_srx/manifest.yml +++ b/packages/juniper_srx/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 2.11.0 name: juniper_srx title: Juniper SRX -version: "1.16.0" +version: "1.16.1" description: Collect logs from Juniper SRX devices with Elastic Agent. categories: ["network", "security", "firewall_security"] type: integration diff --git a/packages/netflow/changelog.yml b/packages/netflow/changelog.yml index 94937e5f4b5..ade023ca42f 100644 --- a/packages/netflow/changelog.yml +++ b/packages/netflow/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top -- version: 2.15.0 +- version: "2.15.1" + changes: + - description: Removing unused ECS field declarations. + type: bugfix + link: https://github.com/elastic/integrations/pull/7965 +- version: "2.15.0" changes: - description: ECS version updated to 8.10.0. type: enhancement diff --git a/packages/netflow/data_stream/log/fields/ecs.yml b/packages/netflow/data_stream/log/fields/ecs.yml index 14af0d3e6c1..9c884fc4ecc 100644 --- a/packages/netflow/data_stream/log/fields/ecs.yml +++ b/packages/netflow/data_stream/log/fields/ecs.yml @@ -10,14 +10,10 @@ name: agent.type - external: ecs name: agent.version -- external: ecs - name: as.number - external: ecs name: as.organization.name - external: ecs name: client.address -- external: ecs - name: client.as.number - external: ecs name: client.as.organization.name - external: ecs @@ -536,8 +532,6 @@ name: related.ip - external: ecs name: server.address -- external: ecs - name: server.as.number - external: ecs name: server.as.organization.name - external: ecs diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md index fda9bc4ab8d..3ec28a5a5e3 100644 --- a/packages/netflow/docs/README.md +++ b/packages/netflow/docs/README.md 
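Review bot: the juniper_srx manifest bump to 1.16.1 needs a matching changelog.yml entry of the same shape as the netflow and azure_frontdoor ones (description, type bugfix, link to pull 7965); it is not in this part of the diff, so please confirm it is present. Quoting the existing netflow version strings while adding the new entry is a harmless normalisation, but it inflates the diff of unrelated lines; keep it if the repository's lint requires quoted versions, otherwise drop it from this change.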
@@ -30,11 +30,9 @@ The `log` dataset collects netflow logs. | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | | agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | | agent.version | Version of the agent. | keyword | -| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | as.organization.name | Organization name. | keyword | | as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | | client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | | client.bytes | Bytes sent from the client to the server. | long | 
@@ -1661,7 +1659,6 @@ The `log` dataset collects netflow logs. | process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | related.ip | All of the IPs seen on your event. | ip | | server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | server.as.organization.name | Organization name. | keyword | | server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | | server.bytes | Bytes sent from the server to the client. | long | diff --git a/packages/netflow/manifest.yml b/packages/netflow/manifest.yml index 00ba02bd6cb..3f4bc23d5d2 100644 --- a/packages/netflow/manifest.yml +++ b/packages/netflow/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.11.0 name: netflow title: NetFlow Records -version: "2.15.0" +version: "2.15.1" description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent. type: integration categories:
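Review bot: In the packages/juniper_srx/manifest.yml hunk the bump to `version: "1.16.1"` has no accompanying juniper_srx changelog hunk in this part of the patch; confirm that packages/juniper_srx/changelog.yml gained a matching `- version: "1.16.1"` entry with the same bugfix description and `link: https://github.com/elastic/integrations/pull/7965` that the netflow changelog hunk carries, since the package version and the top changelog entry are expected to agree.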
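Review bot: The description in the packages/netflow/changelog.yml hunk, `Removing unused ECS field declarations.`, should name the fields being dropped (`as.number`, `client.as.number`, `server.as.number`, per the fields/ecs.yml hunks), because anyone with saved searches, visualizations or detection rules keyed on those fields needs to see from the changelog alone that the mappings are going away; a bare "unused" gives them nothing to check. Suggested wording: `Remove unused ECS field declarations for as.number, client.as.number and server.as.number.`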
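Review bot: In the first packages/netflow/data_stream/log/fields/ecs.yml hunk (`@@ -10,14 +10,10 @@`), dropping `as.number` and `client.as.number` while keeping `as.organization.name` and `client.as.organization.name` (the context lines directly below each removal) is asymmetric: an ASN organization name without the ASN is an unusual shape, so either the `.organization.name` declarations are equally unused and belong in the same change, or the pipeline still emits ASN data and the `.number` declarations should stay. Please confirm against the data stream's ingest pipeline and its pipeline/system test expected output that no event carries these fields; once the declarations are gone, any `client.as.number` that does arrive would be dynamically mapped instead of mapped as ECS `long`.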
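Review bot: packages/netflow/docs/README.md is generated output, so the `@@ -30,11 +30,9 @@` hunk should come from re-running `elastic-package build` rather than from hand-editing the table; the removed rows (`as.number`, `client.as.number`) do match the fields/ecs.yml removals, but regenerating is what keeps the remaining rows from drifting away from the fields files in later changes.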
