Stage 2 beta changes for RFC 0040, volume.*

CHANGELOG.next.md

@@ -18,6 +18,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Added `volume.*` as beta field set. #2269
+
 #### Improvements
 
 #### Deprecated

docs/fields/field-details.asciidoc

@@ -12934,6 +12934,303 @@ The `vlan` fields are expected to be nested at:
 
 
 Note also that the `vlan` fields are not expected to be used directly at the root of the events.
+[[ecs-volume]]
+=== Volume Fields
+
+Fields related to storage volume details.
+
+beta::[ These fields are beta and are subject to change.]
+
+[discrete]
+==== Volume Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+|
+[[field-volume-bus-type]]
+<<field-volume-bus-type, volume.bus_type>>
+
+a| Bus type of the device, such as `Nvme`, `Usb`, or `FileBackedVirtual`.
+
+type: keyword
+
+
+
+example: `FileBackedVirtual`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-default-access]]
+<<field-volume-default-access, volume.default_access>>
+
+a| Describes the default access(es) of the volume.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-device-name]]
+<<field-volume-device-name, volume.device_name>>
+
+a| Full path of the volume device.
+
+Only populate this field for POSIX system volumes.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-device-type]]
+<<field-volume-device-type, volume.device_type>>
+
+a| Volume device type.
+
+The most frequently seen volume device types are `Disk File System` and `CD-ROM File System`.
+
+type: keyword
+
+
+
+example: `CD-ROM File System`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-dos-name]]
+<<field-volume-dos-name, volume.dos_name>>
+
+a| The MS-DOS name of a device.
+
+DOS device name is in the format of driver letters, such as `C:`. The field is relevant to Windows systems only.
+
+type: keyword
+
+
+
+example: `E:`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-file-system-type]]
+<<field-volume-file-system-type, volume.file_system_type>>
+
+a| Volume device file system type.
+
+The most common volume file system types are `NTFS` and `UDF`.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-mount-name]]
+<<field-volume-mount-name, volume.mount_name>>
+
+a| Mount name of the volume device.
+
+Only populate this field for POSIX system volumes.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-nt-name]]
+<<field-volume-nt-name, volume.nt_name>>
+
+a| The NT device name.
+
+NT device name uses a format of `\Device\HarddiskVolume2`. The field is relevant to Windows systems only.
+
+type: keyword
+
+
+
+example: `\Device\Cdrom1`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-product-id]]
+<<field-volume-product-id, volume.product_id>>
+
+a| ProductID of the device.
+
+The vendor provides the ProductID for the volume, if any.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-product-name]]
+<<field-volume-product-name, volume.product_name>>
+
+a| Product name of the volume.
+
+The volume device vendor provides this value.
+
+type: keyword
+
+
+
+example: `Virtual DVD-ROM`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-removable]]
+<<field-volume-removable, volume.removable>>
+
+a| Indicates if the volume is removable.
+
+type: boolean
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-serial-number]]
+<<field-volume-serial-number, volume.serial_number>>
+
+a| Serial number identifier for the volume device.
+
+The serial number is provided by the vendor of the device, if any.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-size]]
+<<field-volume-size, volume.size>>
+
+a| Size of the volume device in bytes.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-vendor-id]]
+<<field-volume-vendor-id, volume.vendor_id>>
+
+a| VendorID of the volume device.
+
+The volume device vendor provides this value.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-vendor-name]]
+<<field-volume-vendor-name, volume.vendor_name>>
+
+a| Vendor name of the volume device.
+
+The value is provided by the vendor of the device.
+
+type: keyword
+
+
+
+example: `Msft`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-volume-writable]]
+<<field-volume-writable, volume.writable>>
+
+a| Indicates if the volume is writable.
+
+type: boolean
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|=====
+
+
 [[ecs-vulnerability]]
 === Vulnerability Fields
 

docs/fields/fields.asciidoc

@@ -118,6 +118,8 @@ For a single page representation of all fields, please see the
 
 | <<ecs-vlan,VLAN>> | Fields to describe observed VLAN information.
 
+| <<ecs-volume,Volume>> | Fields related to storage volume details.
+
 | <<ecs-vulnerability,Vulnerability>> | Fields to describe the vulnerability relevant to an event.
 
 | <<ecs-x509,x509 Certificate>> | These fields contain x509 certificate metadata.