ecs_types 0.2.0

Rust types mapping to the elasticsearch common schema
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# 	http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: source
  title: Source
  group: 2
  short: Fields about the source side of a network connection, used with destination.
  description: >
    Source fields capture details about the sender of a network exchange/packet. These fields are populated from
    a network event, packet, or other event containing details of a network transaction.

    Source fields are usually populated in conjunction with destination fields. The source and destination
    fields are considered the baseline and should always be filled if an event contains source
    and destination details from a network transaction. If the event also contains identification of the
    client and server roles, then the client and server fields should also be populated.
  type: group
  reusable:
    top_level: true
    expected:
      - at: process.entry_meta
        as: source
        short_override: Remote client information such as ip, port and geo location.

  fields:

    - name: address
      level: extended
      type: keyword
      short: Source network address.
      description: >
        Some event source addresses are defined ambiguously. The event will
        sometimes list an IP, a domain or a unix socket.  You should always
        store the raw address in the `.address` field.

        Then it should be duplicated to `.ip` or `.domain`, depending on which
        one it is.

    - name: ip
      level: core
      type: ip
      short: IP address of the source.
      description: >
        IP address of the source (IPv4 or IPv6).

    - name: port
      format: string
      level: core
      type: long
      description: >
        Port of the source.

    - name: mac
      level: core
      type: keyword
      short: MAC address of the source.
      pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
      example: 00-00-5E-00-53-23
      description: >
        MAC address of the source.

        The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is
        represented by two [uppercase] hexadecimal digits giving the value of
        the octet as an unsigned integer. Successive octets are separated by a
        hyphen.

    - name: domain
      level: core
      type: keyword
      short: The domain name of the source.
      example: foo.example.com
      description: >
        The domain name of the source system.

        This value may be a host name, a fully qualified domain name, or another
        host naming format. The value may derive from the original event or be
        added from enrichment.

    - name: registered_domain
      level: extended
      type: keyword
      short: The highest registered source domain, stripped of the subdomain.
      description: >
        The highest registered source domain, stripped of the subdomain.

        For example, the registered domain for "foo.example.com" is "example.com".

        This value can be determined precisely with a list like the public
        suffix list (http://publicsuffix.org). Trying to approximate this by
        simply taking the last two labels will not work well for TLDs such as "co.uk".
      example: example.com

    - name: top_level_domain
      level: extended
      type: keyword
      short: The effective top level domain (com, org, net, co.uk).
      description: >
        The effective top level domain (eTLD), also known as the domain suffix,
        is the last part of the domain name.
        For example, the top level domain for example.com is "com".

        This value can be determined precisely with a list like the public
        suffix list (http://publicsuffix.org). Trying to approximate this by
        simply taking the last label will not work well for effective TLDs such as "co.uk".
      example: co.uk

    - name: subdomain
      level: extended
      type: keyword
      short: The subdomain of the domain.
      description: >
        The subdomain portion of a fully qualified domain name includes all of the names except
        the host name under the registered_domain.  In a partially qualified domain, or if the
        the qualification level of the full name cannot be determined, subdomain contains all of
        the names below the registered domain.

        For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
        If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
        the subdomain field should contain "sub2.sub1", with no trailing period.
      example: east

    # Metrics
    - name: bytes
      format: bytes
      level: core
      type: long
      example: 184
      description: >
        Bytes sent from the source to the destination.

    - name: packets
      level: core
      type: long
      example: 12
      description: >
        Packets sent from the source to the destination.

    - name: nat.ip
      level: extended
      type: ip
      short: Source NAT ip
      description: >
        Translated ip of source based NAT sessions (e.g. internal client to internet)

        Typically connections traversing load balancers, firewalls, or routers.

    - name: nat.port
      format: string
      level: extended
      type: long
      short: Source NAT port
      description: >
        Translated port of source based NAT sessions. (e.g. internal client to internet)

        Typically used with load balancers, firewalls, or routers.