Add related.hash (elastic#711)

dcode · Apr 15, 2020 · bae71b2 · bae71b2
1 parent 2fce271
commit bae71b2
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 5 deletions.
diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -3632,7 +3632,7 @@ This field set is meant to facilitate pivoting around a piece of data.
 
 Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.
 
-A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.
+A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.
 
 ==== Related Field Details
 
@@ -3642,6 +3642,17 @@ A concrete example is IP addresses, which can be under host, observer, source, d
 
 // ===============================================================
 
+| related.hash
+| All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+
+type: keyword
+
+
+
+| extended
+
+// ===============================================================
+
 | related.ip
 | All of the IPs seen on your event.
 

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -2705,9 +2705,17 @@
       A concrete example is IP addresses, which can be under host, observer, source,
       destination, client, server, and network.forwarded_ip. If you append all IPs
       to `related.ip`, you can then search for a given IP trivially, no matter where
-      it appeared, by querying `related.ip:a.b.c.d`.'
+      it appeared, by querying `related.ip:192.0.2.15`.'
     type: group
     fields:
+    - name: hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All the hashes seen on your event. Populating this field, then
+        using it to search for hashes can help in situations where you're unsure what
+        the hash algorithm is (and therefore which key name to search).
+      default_field: false
     - name: ip
       level: extended
       type: ip

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -349,6 +349,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.5.0-dev,true,registry,registry.key,keyword,core,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
 1.5.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.5.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written.
+1.5.0-dev,true,related,related.hash,keyword,extended,,All the hashes seen on your event.
 1.5.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event.
 1.5.0-dev,true,related,related.user,keyword,extended,,All the user names seen on your event.
 1.5.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -4363,6 +4363,18 @@ registry.value:
   order: 2
   short: Name of the value written.
   type: keyword
+related.hash:
+  dashed_name: related-hash
+  description: All the hashes seen on your event. Populating this field, then using
+    it to search for hashes can help in situations where you're unsure what the hash
+    algorithm is (and therefore which key name to search).
+  flat_name: related.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  order: 2
+  short: All the hashes seen on your event.
+  type: keyword
 related.ip:
   dashed_name: related-ip
   description: All of the IPs seen on your event.

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -4789,8 +4789,20 @@ related:
     A concrete example is IP addresses, which can be under host, observer, source,
     destination, client, server, and network.forwarded_ip. If you append all IPs to
     `related.ip`, you can then search for a given IP trivially, no matter where it
-    appeared, by querying `related.ip:a.b.c.d`.'
+    appeared, by querying `related.ip:192.0.2.15`.'
   fields:
+    hash:
+      dashed_name: related-hash
+      description: All the hashes seen on your event. Populating this field, then
+        using it to search for hashes can help in situations where you're unsure what
+        the hash algorithm is (and therefore which key name to search).
+      flat_name: related.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      order: 2
+      short: All the hashes seen on your event.
+      type: keyword
     ip:
       dashed_name: related-ip
       description: All of the IPs seen on your event.

diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
@@ -1664,6 +1664,10 @@
         },
         "related": {
           "properties": {
+            "hash": {
+              "ignore_above": 1024, 
+              "type": "keyword"
+            }, 
             "ip": {
               "type": "ip"
             },

diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
@@ -1663,6 +1663,10 @@
       },
       "related": {
         "properties": {
+          "hash": {
+            "ignore_above": 1024, 
+            "type": "keyword"
+          }, 
           "ip": {
             "type": "ip"
           },

diff --git a/schemas/related.yml b/schemas/related.yml
@@ -13,7 +13,7 @@
     A concrete example is IP addresses, which can be under host, observer, source,
     destination, client, server, and network.forwarded_ip.
     If you append all IPs to `related.ip`, you can then search for a given IP trivially,
-    no matter where it appeared, by querying `related.ip:a.b.c.d`.
+    no matter where it appeared, by querying `related.ip:192.0.2.15`.
   type: group
   fields:
 
@@ -28,3 +28,12 @@
       type: keyword
       description: >
         All the user names seen on your event.
+
+    - name: hash
+      level: extended
+      type: keyword
+      short: All the hashes seen on your event.
+      description: >
+        All the hashes seen on your event. Populating this field, then using it
+        to search for hashes can help in situations where you're unsure what
+        the hash algorithm is (and therefore which key name to search).