Actions log spaces (#622)

pzl · web-flow · commit d0de81a6fb9f · 2025-05-02T16:21:47.000-04:00
diff --git a/custom_schemas/custom_action_policy.yml b/custom_schemas/custom_action_policy.yml
@@ -0,0 +1,32 @@
+- name: agent
+  title: Agent
+  type: group
+  group: 2
+  level: custom
+  short: agent
+  description: >
+    The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
+
+    Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
+  fields:
+    - name: policy.elasticAgentId
+      title: Elastic Agent ID
+      type: keyword
+      level: custom
+      short: elastic agent ID
+      description: >
+        The agent ID of elastic agent explicitly, even if agent.id refers to an external agent.
+    - name: policy.integrationPolicyId
+      title: Integration Policy ID
+      type: keyword
+      level: custom
+      short: integration policy
+      description: >
+        The agent's integration policy ID at the time the action was initiated.
+    - name: policy.agentPolicyId
+      title: Agent Policy ID
+      type: keyword
+      level: custom
+      short: agent policy
+      description: >
+        The agent's policy ID at the time the action was initiated.
diff --git a/custom_schemas/custom_action_space.yml b/custom_schemas/custom_action_space.yml
@@ -0,0 +1,17 @@
+- name: space
+  root: true
+  title: Space
+  group: 2
+  short: Space-related fields
+  description: >
+    Fields to enable space-tracking in action documents
+  type: group
+  fields:
+    - name: originSpaceId
+      title: Origin Space ID
+      type: keyword
+      level: custom
+      short: originating space ID
+      description: >
+        The space ID that the action was initiated from
+
diff --git a/custom_subsets/elastic_endpoint/actions/actions.yaml b/custom_subsets/elastic_endpoint/actions/actions.yaml
@@ -23,6 +23,14 @@ fields:
   agent:
     fields:
       id: {}
+      policy:
+        fields:
+          elasticAgentId: {}
+          integrationPolicyId: {}
+          agentPolicyId: {}
+  space:
+    fields:
+      originSpaceId: {}
   rule:
     fields:
       id: {}
diff --git a/package/endpoint/data_stream/actions/fields/fields.yml b/package/endpoint/data_stream/actions/fields/fields.yml
@@ -127,6 +127,24 @@
 
         Example: For Beats this would be beat.id.'
       example: 8a4f500d
+    - name: policy.agentPolicyId
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The agent's policy ID at the time the action was initiated.
+      default_field: false
+    - name: policy.elasticAgentId
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The agent ID of elastic agent explicitly, even if agent.id refers to an external agent.
+      default_field: false
+    - name: policy.integrationPolicyId
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The agent's integration policy ID at the time the action was initiated.
+      default_field: false
 - name: data_stream
   title: data_stream
   group: 2
@@ -319,6 +337,11 @@
       description: The name of the rule or signature generating the event.
       example: BLOCK_DNS_over_TLS
       default_field: false
+- name: originSpaceId
+  level: custom
+  type: keyword
+  ignore_above: 1024
+  description: The space ID that the action was initiated from
 - name: user
   title: User
   group: 2
diff --git a/package/endpoint/data_stream/actions/sample_event.json b/package/endpoint/data_stream/actions/sample_event.json
@@ -12,8 +12,23 @@
     "agent": {
         "id": [
             "c8cad7f3-9e62-43d0-94ed-8c51670fae62"
+        ],
+        "policy": [
+            {
+                "agentId": "ff1a47b4-71ed-4cbf-ad7f-55203358850d",
+                "elasticAgentId": "1e2f91a1-1946-460d-b885-af983d964ea3",
+                "integrationPolicyId": "645fe9a9-2afd-4b4b-a2d7-38ee21e0f19d",
+                "agentPolicyId": "e9734d0c-1816-4d68-8d9a-84418a850927"
+            },
+            {
+                "agentId": "a756f3f4-c974-4d44-84f5-ba02a954cd55",
+                "elasticAgentId": "20ceb5f6-4e15-4db5-9494-f47f589de33f",
+                "integrationPolicyId": "1f297497-14d4-4bf5-9d26-7c5e629e1d62",
+                "agentPolicyId": "100a3ee3-5304-4fc9-b495-e0022178a2f3"
+            }
         ]
     },
+    "originSpaceId": "b88dae77-9037-459b-be31-efefa6788362",
     "@timestamp": "2022-04-04T20:44:07.805Z",
     "event": {
         "agent_id_status": "auth_metadata_missing",
diff --git a/schemas/v1/actions/actions.yaml b/schemas/v1/actions/actions.yaml
