Update ECS to 8.5.2 (#322)

Author: kevinlog

Makefile

@@ -1,7 +1,7 @@
 ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 # we are intentionally pinning the ECS version here, when ecs releases a new version
 # we'll discuss whether we need to release a new package and bump the version here
-ECS_GIT_REF ?= v8.3.1
+ECS_GIT_REF ?= v8.5.2
 
 # This variable specifies to location of the package-storage repo. It is used for automatically creating a PR
 # to release a new endpoint package. This can be overridden with the location on your file system using the config.mk

package/endpoint/data_stream/alerts/fields/fields.yml

@@ -4226,9 +4226,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version
@@ -5480,11 +5478,12 @@
       default_field: false
     - name: env_vars
       level: extended
-      type: object
-      description: 'Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information.
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.
 
-        The field should not contain nested objects. All values should use `keyword`.'
-      example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}'
+        May be filtered to protect sensitive information.'
+      example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
       default_field: false
     - name: executable
       level: extended
@@ -8534,8 +8533,8 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Traffic Light Protocol sharing markings. Recommended values are:\n  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
-      example: White
+      description: Traffic Light Protocol sharing markings.
+      example: WHITE
       default_field: false
     - name: enrichments.indicator.modified_at
       level: extended
@@ -8631,7 +8630,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values:\n  * autonomous-system\n  * artifact\n  * directory\n  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n  * user-account\n  * windows-registry-key\n  * x509-certificate"
+      description: Type of indicator as represented by Cyber Observable in STIX 2.0.
       example: ipv4-addr
       default_field: false
     - name: enrichments.indicator.url.domain
@@ -8776,7 +8775,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of country (C) codes
+      description: List of country \(C) codes
       example: US
       default_field: false
     - name: enrichments.indicator.x509.issuer.distinguished_name
@@ -8879,7 +8878,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of country (C) code
+      description: List of country \(C) code
       example: US
       default_field: false
     - name: enrichments.indicator.x509.subject.distinguished_name
@@ -9012,7 +9011,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.\nExpected values are:\n  * Not Specified\n  * None\n  * Low\n  * Medium\n  * High"
+      description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
       example: Medium
       default_field: false
     - name: indicator.description
@@ -9915,7 +9914,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n  * WHITE\n  * GREEN\n  * AMBER\n  * RED"
+      description: Traffic Light Protocol sharing markings.
       example: WHITE
       default_field: false
     - name: indicator.modified_at
@@ -10012,7 +10011,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\nRecommended values:\n  * autonomous-system\n  * artifact\n  * directory\n  * domain-name\n  * email-addr\n  * file\n  * ipv4-addr\n  * ipv6-addr\n  * mac-addr\n  * mutex\n  * port\n  * process\n  * software\n  * url\n  * user-account\n  * windows-registry-key\n  * x509-certificate"
+      description: Type of indicator as represented by Cyber Observable in STIX 2.0.
       example: ipv4-addr
       default_field: false
     - name: indicator.url.domain
@@ -10157,7 +10156,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of country (C) codes
+      description: List of country \(C) codes
       example: US
       default_field: false
     - name: indicator.x509.issuer.distinguished_name
@@ -10260,7 +10259,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: List of country (C) code
+      description: List of country \(C) code
       example: US
       default_field: false
     - name: indicator.x509.subject.distinguished_name
@@ -10322,7 +10321,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nRecommended Values:\n  * AWS\n  * Azure\n  * Azure AD\n  * GCP\n  * Linux\n  * macOS\n  * Network\n  * Office 365\n  * SaaS\n  * Windows\n\nWhile not required, you can use a MITRE ATT&CK® software platforms."
+      description: "The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use MITRE ATT&CK® software platform values."
       example: '[ "Windows" ]'
       default_field: false
     - name: software.reference
@@ -10336,7 +10335,7 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nRecommended values\n  * Malware\n  * Tool\n\n While not required, you can use a MITRE ATT&CK® software type."
+      description: "The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.\nWhile not required, you can use a MITRE ATT&CK® software type."
       example: Tool
       default_field: false
     - name: tactic.id

package/endpoint/data_stream/file/fields/fields.yml

@@ -970,9 +970,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version

package/endpoint/data_stream/library/fields/fields.yml

@@ -963,9 +963,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version

package/endpoint/data_stream/metadata/fields/fields.yml

@@ -451,9 +451,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version

package/endpoint/data_stream/metrics/fields/fields.yml

@@ -977,9 +977,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version

package/endpoint/data_stream/network/fields/fields.yml

@@ -633,9 +633,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version
@@ -751,7 +749,13 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: "Direction of the network traffic.\nRecommended values are:\n  * ingress\n  * egress\n  * inbound\n  * outbound\n  * internal\n  * external\n  * unknown\n\nWhen mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values \"ingress\" or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values \"inbound\", \"outbound\", \"internal\" or \"external\".\nNote that \"internal\" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that \"external\" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers."
+      description: 'Direction of the network traffic.
+
+        When mapping events from a host-based monitoring context, populate this field from the host''s point of view, using the values "ingress" or "egress".
+
+        When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+
+        Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.'
       example: inbound
     - name: iana_number
       level: extended

package/endpoint/data_stream/policy/fields/fields.yml

@@ -760,9 +760,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version

package/endpoint/data_stream/process/fields/fields.yml

@@ -596,9 +596,7 @@
       ignore_above: 1024
       description: 'Use the `os.type` field to categorize the operating system into one of the broad commercial families.
 
-        One of these following values should be used (lowercase): linux, macos, unix, windows.
-
-        If the OS you''re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
+        If the OS you''re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.'
       example: macos
       default_field: false
     - name: os.version
@@ -1414,11 +1412,12 @@
       default_field: false
     - name: env_vars
       level: extended
-      type: object
-      description: 'Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information.
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.
 
-        The field should not contain nested objects. All values should use `keyword`.'
-      example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}'
+        May be filtered to protect sensitive information.'
+      example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
       default_field: false
     - name: executable
       level: extended

package/endpoint/data_stream/process/sample_event.json

@@ -159,7 +159,11 @@
             "total_bytes_captured": 10,
             "total_bytes_skipped": 0,
             "max_bytes_per_process_exceeded": false
-        }
+        },
+        "env_vars": [
+            "NICK=test",
+            "OTHER=why"
+        ]
     },
     "message": "Endpoint process event",
     "@timestamp": "2022-04-04T18:53:08.6578986Z",