elastic · webmat · Dec 12, 2019 · Dec 2, 2019 · Dec 2, 2019 · Dec 2, 2019
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -16,9 +16,10 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
-* Add default `text` analyzer as a multi-field to `user_agent.original`. #575
+* Added default `text` analyzer as a multi-field to `user_agent.original`. #575
 * Added `file.attributes`. #611
-* Add `file.drive_letter`. #620
+* Added `file.drive_letter`. #620
+* Added `rule` fields. #665
 * Added default `text` analyzer as a multi-field to around 25 more fields. #680
 
 #### Improvements

diff --git a/code/go/ecs/rule.go b/code/go/ecs/rule.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -3519,6 +3519,113 @@ type: ip
 
 
 
+| extended
+
+// ===============================================================
+
+|=====
+
+[[ecs-rule]]
+=== Rule Fields
+
+Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
+
+Examples of data sources that would populate the rule fields include: network admission control platforms, network or  host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
+
+==== Rule Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| rule.category
+| A categorization value keyword used by the entity using the rule for detection of this event.
+
+type: keyword
+
+example: `Attempted Information Leak`
+
+| extended
+
+// ===============================================================
+
+| rule.description
+| The description of the rule generating the event.
+
+type: keyword
+
+example: `Block requests to public DNS over HTTPS / TLS protocols`
+
+| extended
+
+// ===============================================================
+
+| rule.id
+| A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+
+type: keyword
+
+example: `101`
+
+| extended
+
+// ===============================================================
+
+| rule.name
+| The name of the rule or signature generating the event.
+
+type: keyword
+
+example: `BLOCK_DNS_over_TLS`
+
+| extended
+
+// ===============================================================
+
+| rule.reference
+| Reference URL to additional information about the rule used to generate this event.
+
+The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert.
+
+type: keyword
+
+example: `https://en.wikipedia.org/wiki/DNS_over_TLS`
+
+| extended
+
+// ===============================================================
+
+| rule.ruleset
+| Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+
+type: keyword
+
+example: `Standard_Protocol_Filters`
+
+| extended
+
+// ===============================================================
+
+| rule.uuid
+| A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+
+type: keyword
+
+example: `1100110011`
+
+| extended
+
+// ===============================================================
+
+| rule.version
+| The version / revision of the rule being used for analysis.
+
+type: keyword
+
+example: `1.1`
+
 | extended
 
 // ===============================================================

diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -68,6 +68,8 @@ all fields are defined.
 
 | <<ecs-related,Related>> | Fields meant to facilitate pivoting around a piece of data.
 
+| <<ecs-rule,Rule>> | Fields to capture details about rules used to generate alerts or other notable events.
+
 | <<ecs-server,Server>> | Fields about the server side of a network connection, used with client.
 
 | <<ecs-service,Service>> | Fields describing the service for or from which the data was collected.

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -2604,6 +2604,76 @@
       level: extended
       type: ip
       description: All of the IPs seen on your event.
+  - name: rule
+    title: Rule
+    group: 2
+    description: 'Rule fields are used to capture the specifics of any observer or
+      agent rules that generate alerts or other notable events.
+
+      Examples of data sources that would populate the rule fields include: network
+      admission control platforms, network or  host IDS/IPS, network firewalls, web
+      application firewalls, url filters, endpoint detection and response (EDR) systems,
+      etc.'
+    type: group
+    fields:
+    - name: category
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A categorization value keyword used by the entity using the rule
+        for detection of this event.
+      example: Attempted Information Leak
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The description of the rule generating the event.
+      example: Block requests to public DNS over HTTPS / TLS protocols
+    - name: id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A rule ID that is unique within the scope of an agent, observer,
+        or other entity using the rule for detection of this event.
+      example: 101
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The name of the rule or signature generating the event.
+      example: BLOCK_DNS_over_TLS
+    - name: reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Reference URL to additional information about the rule used to
+        generate this event.
+
+        The URL can point to the vendor''s documentation about the rule. If that''s
+        not available, it can also be a link to a more general page describing this
+        type of alert.'
+      example: https://en.wikipedia.org/wiki/DNS_over_TLS
+    - name: ruleset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the ruleset, policy, group, or parent category in which
+        the rule used to generate this event is a member.
+      example: Standard_Protocol_Filters
+    - name: uuid
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A rule ID that is unique within the scope of a set or group of
+        agents, observers, or other entities using the rule for detection of this
+        event.
+      example: 1100110011
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The version / revision of the rule being used for analysis.
+      example: 1.1
   - name: server
     title: Server
     group: 2

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -343,6 +343,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.4.0-dev,true,process,process.working_directory,keyword,extended,/home/alice,The working directory of the process.
 1.4.0-dev,true,process,process.working_directory.text,text,extended,/home/alice,The working directory of the process.
 1.4.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event.
+1.4.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category
+1.4.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description
+1.4.0-dev,true,rule,rule.id,keyword,extended,101,Rule ID
+1.4.0-dev,true,rule,rule.name,keyword,extended,BLOCK_DNS_over_TLS,Rule name
+1.4.0-dev,true,rule,rule.reference,keyword,extended,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
+1.4.0-dev,true,rule,rule.ruleset,keyword,extended,Standard_Protocol_Filters,Rule ruleset
+1.4.0-dev,true,rule,rule.uuid,keyword,extended,1100110011,Rule UUID
+1.4.0-dev,true,rule,rule.version,keyword,extended,1.1,Rule version
 1.4.0-dev,true,server,server.address,keyword,extended,,Server network address.
 1.4.0-dev,true,server,server.as.number,long,extended,15169,Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
 1.4.0-dev,true,server,server.as.organization.name,keyword,extended,Google LLC,Organization name.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -3697,6 +3697,95 @@ related.ip:
   order: 0
   short: All of the IPs seen on your event.
   type: ip
+rule.category:
+  description: A categorization value keyword used by the entity using the rule for
+    detection of this event.
+  example: Attempted Information Leak
+  flat_name: rule.category
+  ignore_above: 1024
+  level: extended
+  name: category
+  order: 5
+  short: Rule category
+  type: keyword
+rule.description:
+  description: The description of the rule generating the event.
+  example: Block requests to public DNS over HTTPS / TLS protocols
+  flat_name: rule.description
+  ignore_above: 1024
+  level: extended
+  name: description
+  order: 4
+  short: Rule description
+  type: keyword
+rule.id:
+  description: A rule ID that is unique within the scope of an agent, observer, or
+    other entity using the rule for detection of this event.
+  example: 101
+  flat_name: rule.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  order: 0
+  short: Rule ID
+  type: keyword
+rule.name:
+  description: The name of the rule or signature generating the event.
+  example: BLOCK_DNS_over_TLS
+  flat_name: rule.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  order: 3
+  short: Rule name
+  type: keyword
+rule.reference:
+  description: 'Reference URL to additional information about the rule used to generate
+    this event.
+
+    The URL can point to the vendor''s documentation about the rule. If that''s not
+    available, it can also be a link to a more general page describing this type of
+    alert.'
+  example: https://en.wikipedia.org/wiki/DNS_over_TLS
+  flat_name: rule.reference
+  ignore_above: 1024
+  level: extended
+  name: reference
+  order: 7
+  short: Rule reference URL
+  type: keyword
+rule.ruleset:
+  description: Name of the ruleset, policy, group, or parent category in which the
+    rule used to generate this event is a member.
+  example: Standard_Protocol_Filters
+  flat_name: rule.ruleset
+  ignore_above: 1024
+  level: extended
+  name: ruleset
+  order: 6
+  short: Rule ruleset
+  type: keyword
+rule.uuid:
+  description: A rule ID that is unique within the scope of a set or group of agents,
+    observers, or other entities using the rule for detection of this event.
+  example: 1100110011
+  flat_name: rule.uuid
+  ignore_above: 1024
+  level: extended
+  name: uuid
+  order: 1
+  short: Rule UUID
+  type: keyword
+rule.version:
+  description: The version / revision of the rule being used for analysis.
+  example: 1.1
+  flat_name: rule.version
+  ignore_above: 1024
+  level: extended
+  name: version
+  order: 2
+  short: Rule version
+  type: keyword
 server.address:
   description: 'Some event server addresses are defined ambiguously. The event will
     sometimes list an IP, a domain or a unix socket.  You should always store the