elastic · kgeller · Sep 27, 2021 · Jun 2, 2021 · Jul 6, 2021 · Jul 27, 2021
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -58,6 +58,7 @@ Thanks, you're awesome :-) -->
 * Removing incorrect `hash` reuses. #1604
 * Updating `pe` order to correct nesting. #1605
 * Removing incorrect `pe` reuses. #1606
+* Correcting `enrichments` to an `array` type. #1608
 
 #### Added
 

diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -7768,6 +7768,9 @@ A list of associated indicators objects enriching the event, and the context of
 type: nested
 
 
+Note: this field should contain an array of values.
+
+
 
 
 

diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
@@ -1032,7 +1032,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
 8.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 8.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-8.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event.
+8.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -12837,7 +12837,8 @@ threat.enrichments:
   flat_name: threat.enrichments
   level: extended
   name: enrichments
-  normalize: []
+  normalize:
+  - array
   short: List of objects containing indicators enriching the event.
   type: nested
 threat.enrichments.indicator:

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -14922,7 +14922,8 @@ threat:
       flat_name: threat.enrichments
       level: extended
       name: enrichments
-      normalize: []
+      normalize:
+      - array
       short: List of objects containing indicators enriching the event.
       type: nested
     threat.enrichments.indicator:

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -676,7 +676,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev,true,source,source.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
 8.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 8.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
-8.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event.
+8.0.0-dev,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event.
 8.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
 8.0.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
 8.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -8649,7 +8649,8 @@ threat.enrichments:
   flat_name: threat.enrichments
   level: extended
   name: enrichments
-  normalize: []
+  normalize:
+  - array
   short: List of objects containing indicators enriching the event.
   type: nested
 threat.enrichments.indicator:

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -10358,7 +10358,8 @@ threat:
       flat_name: threat.enrichments
       level: extended
       name: enrichments
-      normalize: []
+      normalize:
+      - array
       short: List of objects containing indicators enriching the event.
       type: nested
     threat.enrichments.indicator:

diff --git a/schemas/threat.yml b/schemas/threat.yml
@@ -22,6 +22,8 @@
       description: >
         A list of associated indicators objects enriching the event, and the context of
         that association/enrichment.
+      normalize:
+        - array
 
     - name: enrichments.indicator
       level: extended
Original file line number	Diff line number	Diff line change
Expand Up		@@ -7768,6 +7768,9 @@ A list of associated indicators objects enriching the event, and the context of
		type: nested


		Note: this field should contain an array of values.





Expand Down