update experimental artifacts

Author: ebeahan

experimental/generated/beats/fields.ecs.yml

@@ -917,8 +917,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -1297,7 +1296,7 @@
         but it can be retrieved from `_source`.'
       example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
         worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
-      index: true
+      index: false
     - name: outcome
       level: core
       type: keyword
@@ -1664,8 +1663,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -2285,8 +2283,7 @@
       default_field: false
     - name: request.referrer
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Referrer for this HTTP request.
       example: https://blog.example.com/
     - name: response.body.bytes
@@ -3138,8 +3135,7 @@
       default_field: false
     - name: original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3290,8 +3286,7 @@
       description: SHA512 hash.
     - name: name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3436,8 +3431,7 @@
       default_field: false
     - name: parent.name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       multi_fields:
       - name: text
         type: text
@@ -3488,8 +3482,7 @@
       default_field: false
     - name: parent.pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
@@ -3609,8 +3602,7 @@
       default_field: false
     - name: pe.original_file_name
       level: extended
-      type: keyword
-      ignore_above: 1024
+      type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false

experimental/generated/csv/fields.csv

@@ -109,7 +109,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-2.0.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
 2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
@@ -147,7 +147,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store.
 2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy.
 2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from.
-2.0.0-dev,true,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
+2.0.0-dev,false,event,event.original,wildcard,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event.
 2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy.
 2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event.
 2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source"
@@ -192,7 +192,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-2.0.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes.
 2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
@@ -269,7 +269,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
 2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method.
 2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
-2.0.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
+2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request.
 2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
 2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body.
 2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body.
@@ -378,7 +378,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
 2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash.
-2.0.0-dev,true,process,process.name,keyword,extended,,ssh,Process name.
+2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name.
 2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name.
 2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -397,14 +397,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
 2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
-2.0.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name.
+2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
 2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-2.0.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id.
@@ -422,7 +422,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
 2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
 2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
-2.0.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
 2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
 2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 2.0.0-dev,true,process,process.pid,long,core,,4242,Process id.

experimental/generated/ecs/ecs_flat.yml

@@ -1264,13 +1264,12 @@ dll.pe.original_file_name:
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: dll.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 dll.pe.product:
   dashed_name: dll-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -1984,7 +1983,7 @@ event.original:
   example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
     worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
   flat_name: event.original
-  index: true
+  index: false
   level: core
   name: original
   normalize: []
@@ -2693,13 +2692,12 @@ file.pe.original_file_name:
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: file.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 file.pe.product:
   dashed_name: file-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -3587,12 +3585,11 @@ http.request.referrer:
   description: Referrer for this HTTP request.
   example: https://blog.example.com/
   flat_name: http.request.referrer
-  ignore_above: 1024
   level: extended
   name: request.referrer
   normalize: []
   short: Referrer for this HTTP request.
-  type: keyword
+  type: wildcard
 http.response.body.bytes:
   dashed_name: http-response-body-bytes
   description: Size in bytes of the response body.
@@ -4933,7 +4930,6 @@ process.name:
     Sometimes called program name or similar.'
   example: ssh
   flat_name: process.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.name.text
@@ -4943,7 +4939,7 @@ process.name:
   name: name
   normalize: []
   short: Process name.
-  type: keyword
+  type: wildcard
 process.parent.args:
   dashed_name: process-parent-args
   description: 'Array of process arguments, starting with the absolute path to the
@@ -5163,7 +5159,6 @@ process.parent.name:
     Sometimes called program name or similar.'
   example: ssh
   flat_name: process.parent.name
-  ignore_above: 1024
   level: extended
   multi_fields:
   - flat_name: process.parent.name.text
@@ -5174,7 +5169,7 @@ process.parent.name:
   normalize: []
   original_fieldset: process
   short: Process name.
-  type: keyword
+  type: wildcard
 process.parent.pe.architecture:
   dashed_name: process-parent-pe-architecture
   description: CPU architecture target for the file.
@@ -5244,13 +5239,12 @@ process.parent.pe.original_file_name:
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: process.parent.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 process.parent.pe.product:
   dashed_name: process-parent-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5447,13 +5441,12 @@ process.pe.original_file_name:
   description: Internal name of the file, provided at compile-time.
   example: MSPAINT.EXE
   flat_name: process.pe.original_file_name
-  ignore_above: 1024
   level: extended
   name: original_file_name
   normalize: []
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
-  type: keyword
+  type: wildcard
 process.pe.product:
   dashed_name: process-pe-product
   description: Internal product name of the file, provided at compile-time.