w0rk3r committed Jul 1, 2024
1 parent b8b0869 commit ed878c5
Showing 13 changed files with 560 additions and 0 deletions.
6 changes: 6 additions & 0 deletions docs/fields/field-details.asciidoc
Expand Up @@ -8128,6 +8128,9 @@ type: keyword

Multi-fields:

* process.executable.caseless (type: keyword)


* process.executable.text (type: match_only_text)


Expand Down Expand Up @@ -8343,6 +8346,9 @@ type: keyword

Multi-fields:

* process.name.caseless (type: keyword)


* process.name.text (type: match_only_text)


46 changes: 46 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -5175,6 +5175,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -5213,6 +5217,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down Expand Up @@ -5482,6 +5490,11 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
default_field: false
- name: text
type: match_only_text
default_field: false
Expand Down Expand Up @@ -5548,6 +5561,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -5586,6 +5603,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down Expand Up @@ -6000,6 +6021,11 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
default_field: false
- name: text
type: match_only_text
default_field: false
Expand Down Expand Up @@ -6389,6 +6415,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -6632,6 +6662,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
Expand Down Expand Up @@ -7218,6 +7252,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -7333,6 +7371,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: Absolute path to the process executable.
Expand Down Expand Up @@ -7371,6 +7413,10 @@
type: keyword
ignore_above: 1024
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
ignore_above: 1024
- name: text
type: match_only_text
description: 'Process name.
11 changes: 11 additions & 0 deletions experimental/generated/csv/fields.csv
Expand Up @@ -648,11 +648,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group.
8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id.
Expand Down Expand Up @@ -688,6 +690,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
8.12.0-dev+exp,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
Expand All @@ -696,11 +699,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group.
8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id.
8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
Expand Down Expand Up @@ -760,6 +765,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
Expand Down Expand Up @@ -815,6 +821,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
Expand Down Expand Up @@ -848,6 +855,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
Expand Down Expand Up @@ -931,6 +939,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group.
Expand All @@ -948,11 +957,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name.
8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.
55 changes: 55 additions & 0 deletions experimental/generated/ecs/ecs_flat.yml
Expand Up @@ -8426,6 +8426,11 @@ process.entry_leader.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.entry_leader.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.entry_leader.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -8487,6 +8492,11 @@ process.entry_leader.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.entry_leader.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.entry_leader.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -8910,6 +8920,11 @@ process.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -9007,6 +9022,11 @@ process.group_leader.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.group_leader.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.group_leader.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -9068,6 +9088,11 @@ process.group_leader.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.group_leader.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.group_leader.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -9757,6 +9782,11 @@ process.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -10418,6 +10448,11 @@ process.parent.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -10827,6 +10862,11 @@ process.parent.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.name.text
name: text
type: match_only_text
Expand Down Expand Up @@ -11811,6 +11851,11 @@ process.previous.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.previous.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.previous.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -11996,6 +12041,11 @@ process.session_leader.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.session_leader.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.session_leader.executable.text
name: text
type: match_only_text
Expand Down Expand Up @@ -12057,6 +12107,11 @@ process.session_leader.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.session_leader.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.session_leader.name.text
name: text
type: match_only_text