diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a202bcadb9..45ab024e61 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -42,7 +42,7 @@ Thanks, you're awesome :-) --> #### Added -* Adding `risk.*` fields as experimental. #1994 +* Adding `risk.*` fields as experimental. #1994, #2010 #### Improvements diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 4d6caf921d..693a6b9c36 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -395,10 +395,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode 8.6.0-dev+exp,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 8.6.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. 8.6.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
@@ -1462,10 +1462,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
8.6.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. 8.6.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. 
@@ -1481,10 +1481,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
8.6.0-dev+exp,true,user,user.email,keyword,extended,,,User email address. 8.6.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
@@ -1498,10 +1498,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 8.6.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. 
8.6.0-dev+exp,true,user,user.target.email,keyword,extended,,,User email address. 
@@ -1516,10 +1516,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. 8.6.0-dev+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. -8.6.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,"A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. 8.6.0-dev+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." 8.6.0-dev+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." -8.6.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a range of 0 to 100." +8.6.0-dev+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. 8.6.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
8.6.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 8.6.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index f239d49f82..0f0c830883 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5288,8 +5288,7 @@ host.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float host.risk.static_level: dashed_name: host-risk-static-level @@ -5329,9 +5328,7 @@ host.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float host.type: dashed_name: host-type @@ -18527,8 +18524,7 @@ user.changes.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.changes.risk.static_level: dashed_name: user-changes-risk-static-level 
@@ -18568,9 +18564,7 @@ user.changes.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.changes.roles: dashed_name: user-changes-roles @@ -18753,8 +18747,7 @@ user.effective.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.effective.risk.static_level: dashed_name: user-effective-risk-static-level @@ -18794,9 +18787,7 @@ user.effective.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.effective.roles: dashed_name: user-effective-roles @@ -18949,8 +18940,7 @@ user.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.risk.static_level: dashed_name: user-risk-static-level 
@@ -18990,9 +18980,7 @@ user.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.roles: dashed_name: user-roles @@ -19162,8 +19150,7 @@ user.target.risk.calculated_score_norm: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part of entity - analytics and entity risk scoring, and normalized to a range of 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.target.risk.static_level: dashed_name: user-target-risk-static-level @@ -19203,9 +19190,7 @@ user.target.risk.static_score_norm: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as from - some external Threat Intelligence Platform, and normalized to a range of 0 to - 100. + short: A normalized risk score calculated by an external system. type: float user.target.roles: dashed_name: user-target-roles diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9dafdd1782..76b035710b 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6557,9 +6557,7 @@ host: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float host.risk.static_level: dashed_name: host-risk-static-level 
@@ -6599,9 +6597,7 @@ host: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float host.type: dashed_name: host-type @@ -12654,9 +12650,7 @@ risk: level: extended name: calculated_score_norm normalize: [] - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float risk.static_level: dashed_name: risk-static-level @@ -12693,9 +12687,7 @@ risk: level: extended name: static_score_norm normalize: [] - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float group: 2 name: risk @@ -20846,9 +20838,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.changes.risk.static_level: dashed_name: user-changes-risk-static-level @@ -20888,9 +20878,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.changes.roles: dashed_name: user-changes-roles 
@@ -21073,9 +21061,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.effective.risk.static_level: dashed_name: user-effective-risk-static-level @@ -21115,9 +21101,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.effective.roles: dashed_name: user-effective-roles @@ -21270,9 +21254,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.risk.static_level: dashed_name: user-risk-static-level @@ -21312,9 +21294,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.roles: dashed_name: user-roles 
@@ -21484,9 +21464,7 @@ user: name: calculated_score_norm normalize: [] original_fieldset: risk - short: A risk classification score calculated by an internal system as part - of entity analytics and entity risk scoring, and normalized to a range of - 0 to 100. + short: A normalized risk score calculated by an internal system. type: float user.target.risk.static_level: dashed_name: user-target-risk-static-level @@ -21526,9 +21504,7 @@ user: name: static_score_norm normalize: [] original_fieldset: risk - short: A risk classification score obtained from outside the system, such as - from some external Threat Intelligence Platform, and normalized to a range - of 0 to 100. + short: A normalized risk score calculated by an external system. type: float user.target.roles: dashed_name: user-target-roles diff --git a/experimental/schemas/risk.yml b/experimental/schemas/risk.yml index 456c4659f6..72f4ebd846 100644 --- a/experimental/schemas/risk.yml +++ b/experimental/schemas/risk.yml @@ -23,6 +23,7 @@ level: extended type: float example: 88.73 + short: A normalized risk score calculated by an internal system. description: > A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring, and normalized to a range of @@ -38,6 +39,7 @@ level: extended type: float example: 83.0 + short: A normalized risk score calculated by an external system. description: > A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform, and normalized to a
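Review bot: The added `short` for `calculated_score_norm` drops the 0-to-100 range that the full `description` directly below it still states, and the generated hunks above show that the CSV Description column and the `short:` entries in the flat/nested YAML now carry only this one sentence, so the range disappears from those artifacts. The range is the property a consumer of a normalized score relies on when setting alerting or scoring thresholds, so it is worth keeping in the one-liner, e.g. `short: A risk score calculated by an internal system, normalized to a 0-100 range.`. The same applies to the `static_score_norm` hunk, where `short: A risk score obtained from an external system, normalized to a 0-100 range.` also keeps the description's wording "obtained from outside the system" instead of introducing "calculated by", which that description does not claim. Both field definitions start outside their hunks (the `name` and earlier keys are not shown), so I have not checked them against the rest of the file.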