Updating ECS version to 1.6.0

Makefile

@@ -1,7 +1,7 @@
 ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 # we are intentionally pinning the ECS version here, when ecs releases a new version 
 # we'll discuss whether we need to release a new package and bump the version here
-ECS_GIT_REF ?= v1.5.0
+ECS_GIT_REF ?= v1.6.0
 
 # This variable specifies to location of the package-storage repo. It is used for automatically creating a PR
 # to release a new endpoint package. This can be overridden with the location on your file system using the config.mk
@@ -119,8 +119,7 @@ clean:
 
 
 $(REAL_ECS_DIR):
-	git clone --branch mmain-fix-short-desc https://github.com/jonathan-buttner/ecs.git $(REAL_ECS_DIR)
-
+	git clone --branch master https://github.com/elastic/ecs.git $(REAL_ECS_DIR)
 
 .PHONY: setup-tools
 setup-tools:

custom_schemas/custom_call_stack.yml

@@ -28,6 +28,7 @@
       type: keyword
       description: >
         Base address of the memory region containing `instruction_pointer`.  Corresponds to `MEMORY_BASIC_INFORMATION.BaseAddress`
+      short: Base address of the memory region containing `instruction_pointer`.
 
     - name: memory_section.size
       level: custom
@@ -52,3 +53,4 @@
       type: keyword
       description: >
         The relative virtual address of `instruction_pointer`.  Computed as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`.
+      short: The relative virtual address of `instruction_pointer`.

custom_schemas/custom_elastic.yml

@@ -14,6 +14,7 @@
       description: >
         The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent
         that manages other agents or process on the host.
+      short: The agent fields contain data about the Elastic Agent.
 
     - name: agent.id
       level: custom

custom_schemas/custom_endpoint.yml

@@ -91,6 +91,7 @@
       description: >
         the overall status of event collection, this is correlated to the status of concerned actions 
         but not a simple sum of the actions
+      short: the overall status of event collection
 
     - name: policy.applied.configurations.logging
       level: custom
@@ -108,6 +109,7 @@
       description: >
         the overall status of logging, this is correlated to the status of concerned actions but 
         not a simple sum of the actions
+      short: the overall status of logging
 
     - name: policy.applied.configurations.malware
       level: custom
@@ -125,6 +127,7 @@
       description: >
         the overall status of malware, this is correlated to the status of concerned actions 
         but not a simple sum of the actions
+      short: the overall status of malware
 
     - name: policy.applied.configurations.streaming
       level: custom
@@ -142,6 +145,7 @@
       description: >
         the overall status of data streaming, this is correlated to the status of concerned actions 
         but not a simple sum of the actions
+      short: overall status of data streaming
 
     - name: policy.applied.artifacts
       level: custom
@@ -246,6 +250,7 @@
         This field defines an elasticsearch histogram field (https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html#histogram)
         The values field includes 20 buckets (each bucket is 5%) representing the cpu usage
         The counts field includes 20 buckets of how many times the endpoint's cpu usage fell into each bucket
+      short: CPU histogram
 
     - name: metrics.memory
       level: custom

custom_schemas/custom_file.yml

@@ -140,7 +140,6 @@
         Validating the trust of the certificate chain may be complicated, and this field should only be populated
         by tools that actively check the status.
 
-
     - name: Ext.code_signature.status
       level: custom
       type: keyword

custom_schemas/custom_macro.yml

@@ -70,6 +70,7 @@
       type: long
       description: >
         Identifies the character encoding used for this macro.  https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
+      short: Identifies the character encoding used for this macro.
 
     - name: file_extension
       level: custom

custom_schemas/custom_os.yml

@@ -23,4 +23,5 @@
       description: >
         A string value or phrase that further aid to classify or qualify the operating system (OS). 
         For example the distribution for a Linux OS will be entered in this field.
+      short: A string value or phrase that further aid to classify or qualify the operating system (OS).
       example: Ubuntu

custom_schemas/custom_process.yml

@@ -13,6 +13,7 @@
     top_level: true
     expected:
       - Target
+      - { at: Target.process, as: parent }
   type: group
   fields:
     - name: Ext
@@ -138,76 +139,15 @@
         Leave unpopulated if the validity or trust of the certificate was unchecked.
       example: ERROR_UNTRUSTED_ROOT
 
-    - name: parent
+    - name: Ext.real
       level: custom
       type: object
       description: >
-        Extended "process.parent" field set.
+        The field set containing process info in case of any pid spoofing. This is mainly useful for process.parent.
 
-    - name: parent.Ext
-      level: custom
-      type: object
-      description: Object for all custom defined fields to live in.
-
-    - name: parent.Ext.code_signature
-      level: custom
-      type: nested
-      description: Nested version of ECS code_signature fieldset.
-
-    - name: parent.Ext.code_signature.exists
-      level: custom
-      type: boolean
-      description: Boolean to capture if a signature is present.
-      example: "true"
-
-    - name: parent.Ext.code_signature.subject_name
-      level: custom
-      type: keyword
-      description: Subject name of the code signer
-      example: Microsoft Corporation
-
-    - name: parent.Ext.code_signature.valid
-      level: custom
-      type: boolean
-      short: Boolean to capture if the digital signature is verified against the binary content.
-      example: "true"
-      description: >
-        Boolean to capture if the digital signature is verified against the binary content.
-
-        Leave unpopulated if a certificate was unchecked.
-
-    - name: parent.Ext.code_signature.trusted
-      level: custom
-      type: boolean
-      short: Stores the trust status of the certificate chain.
-      example: "true"
-      description: >
-        Stores the trust status of the certificate chain.
-
-        Validating the trust of the certificate chain may be complicated, and this field should only be populated
-        by tools that actively check the status.
-
-
-    - name: parent.Ext.code_signature.status
-      level: custom
-      type: keyword
-      short: Additional information about the certificate status.
-      description: >
-        Additional information about the certificate status.
-
-        This is useful for logging cryptographic errors with the certificate validity or trust status.
-        Leave unpopulated if the validity or trust of the certificate was unchecked.
-      example: ERROR_UNTRUSTED_ROOT
-
-    - name: parent.Ext.real
-      level: custom
-      type: object
-      description: >
-        The field set containing parent process info in case of any ppid spoofing.
-
-    - name: parent.Ext.real.pid
+    - name: Ext.real.pid
       level: custom
       type: long
+      short: The real pid of the process if ppid spoofing is happening.
       description: >
-        The ppid of the process that actually spawned the current process, in case of
-        ppid spoofing.
+        For process.parent this will be the ppid of the process that actually spawned the current process.