elastic · AlexanderWert · Aug 18, 2022 · Aug 17, 2022 · Aug 17, 2022 · Aug 17, 2022
@@ -16,6 +16,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Added `device.*` field set as beta. #2030
+
 #### Improvements
 
 #### Deprecated

@@ -1591,6 +1591,95 @@ example: `co.uk`
 |=====
 
 
+[[ecs-device]]
+=== Device Fields
+
+Fields that describe a device instance and its characteristics.  Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
+
+This field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).
+
+beta::[ These fields are in beta and are subject to change.]
+
+[discrete]
+==== Device Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+|
+[[field-device-id]]
+<<field-device-id, device.id>>
+
+a| The unique identifier of a device. The identifier must not change across application sessions but stay fixex for an instance of a (mobile) device. 
+
+On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application.
+
+For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user.
+
+type: keyword
+
+
+
+example: `00000000-54b3-e7c7-0000-000046bffd97`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-device-manufacturer]]
+<<field-device-manufacturer, device.manufacturer>>
+
+a| The vendor name of the device manufacturer.
+
+type: keyword
+
+
+
+example: `Samsung`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-device-model-identifier]]
+<<field-device-model-identifier, device.model.identifier>>
+
+a| The machine readable identifier of the device model.
+
+type: keyword
+
+
+
+example: `SM-G920F`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-device-model-name]]
+<<field-device-model-name, device.model.name>>
+
+a| The human readable marketing name of the device model.
+
+type: keyword
+
+
+
+example: `Samsung Galaxy S6`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+
 [[ecs-dll]]
 === DLL Fields
 

@@ -38,6 +38,8 @@ For a single page representation of all fields, please see the
 
 | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.
 
+| <<ecs-device,Device>> | Fields characterizing a (mobile) device a process or application is running on.
+
 | <<ecs-dll,DLL>> | These fields contain information about code libraries dynamically loaded into processes.
 
 | <<ecs-dns,DNS>> | Fields describing DNS queries and answers.

@@ -1286,6 +1286,53 @@
       description: Array of user roles at the time of the event.
       example: '["kibana_admin", "reporting_user"]'
       default_field: false
+  - name: device
+    title: Device
+    group: 2
+    description: 'Fields that describe a device instance and its characteristics.  Data
+      collected for applications and processes running on a (mobile) device can be
+      enriched with these fields to describe the identity, type and other characteristics
+      of the device.
+
+      This field group definition is based on the Device namespace of the OpenTelemetry
+      Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).'
+    type: group
+    default_field: true
+    fields:
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The unique identifier of a device. The identifier must not change\
+        \ across application sessions but stay fixex for an instance of a (mobile)\
+        \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\
+        \ On Android, this value must be equal to the Firebase Installation ID or\
+        \ a globally unique UUID which is persisted across sessions in your application.\n\
+        For GDPR and data protection law reasons this identifier should not carry\
+        \ information that would allow to identify a user."
+      example: 00000000-54b3-e7c7-0000-000046bffd97
+      default_field: false
+    - name: manufacturer
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The vendor name of the device manufacturer.
+      example: Samsung
+      default_field: false
+    - name: model.identifier
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The machine readable identifier of the device model.
+      example: SM-G920F
+      default_field: false
+    - name: model.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The human readable marketing name of the device model.
+      example: Samsung Galaxy S6
+      default_field: false
   - name: dll
     title: DLL
     group: 2

@@ -141,6 +141,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.6.0-dev+exp,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
 8.6.0-dev+exp,true,destination,destination.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
 8.6.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.6.0-dev+exp,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device.
+8.6.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer.
+8.6.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model.
+8.6.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model.
 8.6.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.6.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
 8.6.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.

@@ -1700,6 +1700,56 @@ destination.user.roles:
   original_fieldset: user
   short: Array of user roles at the time of the event.
   type: keyword
+device.id:
+  dashed_name: device-id
+  description: "The unique identifier of a device. The identifier must not change\
+    \ across application sessions but stay fixex for an instance of a (mobile) device.\
+    \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\
+    \ On Android, this value must be equal to the Firebase Installation ID or a globally\
+    \ unique UUID which is persisted across sessions in your application.\nFor GDPR\
+    \ and data protection law reasons this identifier should not carry information\
+    \ that would allow to identify a user."
+  example: 00000000-54b3-e7c7-0000-000046bffd97
+  flat_name: device.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  short: The unique identifier of a device.
+  type: keyword
+device.manufacturer:
+  dashed_name: device-manufacturer
+  description: The vendor name of the device manufacturer.
+  example: Samsung
+  flat_name: device.manufacturer
+  ignore_above: 1024
+  level: extended
+  name: manufacturer
+  normalize: []
+  short: The vendor name of the device manufacturer.
+  type: keyword
+device.model.identifier:
+  dashed_name: device-model-identifier
+  description: The machine readable identifier of the device model.
+  example: SM-G920F
+  flat_name: device.model.identifier
+  ignore_above: 1024
+  level: extended
+  name: model.identifier
+  normalize: []
+  short: The machine readable identifier of the device model.
+  type: keyword
+device.model.name:
+  dashed_name: device-model-name
+  description: The human readable marketing name of the device model.
+  example: Samsung Galaxy S6
+  flat_name: device.model.name
+  ignore_above: 1024
+  level: extended
+  name: model.name
+  normalize: []
+  short: The human readable marketing name of the device model.
+  type: keyword
 dll.code_signature.digest_algorithm:
   dashed_name: dll-code-signature-digest-algorithm
   description: 'The hashing algorithm used to sign the process.

@@ -2142,6 +2142,73 @@ destination:
   short: Fields about the destination side of a network connection, used with source.
   title: Destination
   type: group
+device:
+  beta: These fields are in beta and are subject to change.
+  description: 'Fields that describe a device instance and its characteristics.  Data
+    collected for applications and processes running on a (mobile) device can be enriched
+    with these fields to describe the identity, type and other characteristics of
+    the device.
+
+    This field group definition is based on the Device namespace of the OpenTelemetry
+    Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).'
+  fields:
+    device.id:
+      dashed_name: device-id
+      description: "The unique identifier of a device. The identifier must not change\
+        \ across application sessions but stay fixex for an instance of a (mobile)\
+        \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\
+        \ On Android, this value must be equal to the Firebase Installation ID or\
+        \ a globally unique UUID which is persisted across sessions in your application.\n\
+        For GDPR and data protection law reasons this identifier should not carry\
+        \ information that would allow to identify a user."
+      example: 00000000-54b3-e7c7-0000-000046bffd97
+      flat_name: device.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      short: The unique identifier of a device.
+      type: keyword
+    device.manufacturer:
+      dashed_name: device-manufacturer
+      description: The vendor name of the device manufacturer.
+      example: Samsung
+      flat_name: device.manufacturer
+      ignore_above: 1024
+      level: extended
+      name: manufacturer
+      normalize: []
+      short: The vendor name of the device manufacturer.
+      type: keyword
+    device.model.identifier:
+      dashed_name: device-model-identifier
+      description: The machine readable identifier of the device model.
+      example: SM-G920F
+      flat_name: device.model.identifier
+      ignore_above: 1024
+      level: extended
+      name: model.identifier
+      normalize: []
+      short: The machine readable identifier of the device model.
+      type: keyword
+    device.model.name:
+      dashed_name: device-model-name
+      description: The human readable marketing name of the device model.
+      example: Samsung Galaxy S6
+      flat_name: device.model.name
+      ignore_above: 1024
+      level: extended
+      name: model.name
+      normalize: []
+      short: The human readable marketing name of the device model.
+      type: keyword
+  group: 2
+  name: device
+  prefix: device.
+  short: Fields characterizing a (mobile) device a process or application is running
+    on.
+  title: Device
+  type: group
 dll:
   description: 'These fields contain information about code libraries dynamically
     loaded into processes.

@@ -0,0 +1,36 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-device.html",
+    "ecs_version": "8.6.0-dev+exp"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "device": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "manufacturer": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "model": {
+              "properties": {
+                "identifier": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
@@ -12,6 +12,7 @@
     "ecs_8.6.0-dev-exp_container",
     "ecs_8.6.0-dev-exp_data_stream",
     "ecs_8.6.0-dev-exp_destination",
+    "ecs_8.6.0-dev-exp_device",
     "ecs_8.6.0-dev-exp_dll",
     "ecs_8.6.0-dev-exp_dns",
     "ecs_8.6.0-dev-exp_ecs",

@@ -754,6 +754,30 @@
           }
         }
       },
+      "device": {
+        "properties": {
+          "id": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "manufacturer": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "model": {
+            "properties": {
+              "identifier": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          }
+        }
+      },
       "dll": {
         "properties": {
           "code_signature": {