Adding risk.* as beta (#2051) (#2052)

elastic · Sep 20, 2022 · 5c4e3a1 · 5c4e3a1
1 parent 6495b47
commit 5c4e3a1
Show file tree

Hide file tree

Showing 26 changed files with 3,705 additions and 14 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -34,8 +34,6 @@ Thanks, you're awesome :-) -->
 
 ## 8.5.0 (Soft Feature Freeze)
 
-* Changed `process.env_vars` field type to be an array of keywords. #2038
-
 ### Schema Changes
 
 #### Breaking changes
@@ -47,6 +45,8 @@ Thanks, you're awesome :-) -->
 * Adding `risk.*` fields as experimental. #1994, #2010
 * Adding `process.io.*` as beta fields. #1956, #2031
 * Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031
+* Changed `process.env_vars` field type to be an array of keywords. #2038
+* Added `risk.*` fieldset to beta. #2051
 
 #### Improvements
 

diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -5056,6 +5056,13 @@ example: `1325`
 // ===============================================================
 
 
+| `host.risk.*`
+| <<ecs-risk,risk>>
+| Fields for describing risk score and level.
+
+// ===============================================================
+
+
 |=====
 
 
@@ -8095,6 +8102,132 @@ Note: this field should contain an array of values.
 |=====
 
 
+[[ecs-risk]]
+=== Risk information Fields
+
+Fields for describing risk score and risk level of entities such as hosts and users.  These fields are not allowed to be nested under `event.*`. Please continue to use  `event.risk_score` and `event.risk_score_norm` for event risk.
+
+beta::[ These fields are in beta and are subject to change.]
+
+[discrete]
+==== Risk information Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+|
+[[field-risk-calculated-level]]
+<<field-risk-calculated-level, risk.calculated_level>>
+
+a| A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+
+type: keyword
+
+
+
+example: `High`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-risk-calculated-score]]
+<<field-risk-calculated-score, risk.calculated_score>>
+
+a| A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+
+type: float
+
+
+
+example: `880.73`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-risk-calculated-score-norm]]
+<<field-risk-calculated-score-norm, risk.calculated_score_norm>>
+
+a| A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100.
+
+type: float
+
+
+
+example: `88.73`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-risk-static-level]]
+<<field-risk-static-level, risk.static_level>>
+
+a| A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
+
+type: keyword
+
+
+
+example: `High`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-risk-static-score]]
+<<field-risk-static-score, risk.static_score>>
+
+a| A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
+
+type: float
+
+
+
+example: `830.0`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-risk-static-score-norm]]
+<<field-risk-static-score-norm, risk.static_score_norm>>
+
+a| A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100.
+
+type: float
+
+
+
+example: `83.0`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+[discrete]
+==== Field Reuse
+
+The `risk` fields are expected to be nested at:
+
+
+* `host.risk`
+
+* `user.risk`
+
+
+Note also that the `risk` fields are not expected to be used directly at the root of the events.
 [[ecs-rule]]
 === Rule Fields
 
@@ -11458,6 +11591,13 @@ Note also that the `user` fields may be used directly at the root of the events.
 // ===============================================================
 
 
+| `user.risk.*`
+| <<ecs-risk,risk>>
+| Fields for describing risk score and level.
+
+// ===============================================================
+
+
 | `user.target.*`
 | <<ecs-user,user>>
 | Targeted user of action taken.

diff --git a/docs/fields/fields.asciidoc b/docs/fields/fields.asciidoc
@@ -90,6 +90,8 @@ For a single page representation of all fields, please see the
 
 | <<ecs-related,Related>> | Fields meant to facilitate pivoting around a piece of data.
 
+| <<ecs-risk,Risk information>> | Fields for describing risk score and level.
+
 | <<ecs-rule,Rule>> | Fields to capture details about rules used to generate alerts or other notable events.
 
 | <<ecs-server,Server>> | Fields about the server side of a network connection, used with client.