From 8752db51efe97b0f79d179f318813229ebfeefad Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 2 Oct 2023 11:55:14 -0500 Subject: [PATCH] Remove `expected_values` from *.indicator.name field defs (#2281) * remove expected_values for indicator.name fields * generate artifacts * changelog --- CHANGELOG.next.md | 2 ++ docs/fields/field-details.asciidoc | 28 ++--------------- experimental/generated/beats/fields.ecs.yml | 10 ++++-- experimental/generated/ecs/ecs_flat.yml | 34 +++++---------------- experimental/generated/ecs/ecs_nested.yml | 34 +++++---------------- generated/beats/fields.ecs.yml | 10 ++++-- generated/ecs/ecs_flat.yml | 34 +++++---------------- generated/ecs/ecs_nested.yml | 34 +++++---------------- schemas/threat.yml | 30 ++++-------------- 9 files changed, 58 insertions(+), 158 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 2fec6bc55b..fc526611f1 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,6 +14,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* Remove `expected_values` from `threat.*.indicator.name` fields. #2281 + #### Added #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index b5d67924ff..7317aade5c 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -10526,19 +10526,7 @@ example: `2020-11-05T17:25:47.000Z` a| The display name indicator in an UI friendly format -Expected values for this field: - -* `5.2.75.227` -* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` -* `https://example.com/some/path` -* `example.com` -* `373d34874d7bc89fd4cefa6272ee80bf` -* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` -* `email@example.com` -* `HKLM\\SOFTWARE\\Microsoft\\Active` -* `13335` -* `00:00:5e:00:53:af` -* `8008` +URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. type: keyword 
@@ -11084,19 +11072,7 @@ example: `2020-11-05T17:25:47.000Z` a| The display name indicator in an UI friendly format -Expected values for this field: - -* `5.2.75.227` -* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` -* `https://example.com/some/path` -* `example.com` -* `373d34874d7bc89fd4cefa6272ee80bf` -* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` -* `email@example.com` -* `HKLM\\SOFTWARE\\Microsoft\\Active` -* `13335` -* `00:00:5e:00:53:af` -* `8008` +URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 41ce694b58..7018f4b333 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -10077,7 +10077,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: enrichments.indicator.port @@ -11681,7 +11684,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: indicator.port diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 151c000712..c46dee2556 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -16325,20 +16325,11 @@ threat.enrichments.indicator.modified_at: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended @@ -19044,20 +19035,11 @@ threat.indicator.modified_at: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 326f4a15e3..bb26762db2 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -18992,20 +18992,11 @@ threat: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended @@ -21717,20 +21708,11 @@ threat: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3e0b8c5d52..822c3ddeff 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -10027,7 +10027,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: enrichments.indicator.port @@ -11631,7 +11634,10 @@ level: extended type: keyword ignore_above: 1024 - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 default_field: false - name: indicator.port diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d38886a565..03591ada52 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -16256,20 +16256,11 @@ threat.enrichments.indicator.modified_at: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended 
@@ -18975,20 +18966,11 @@ threat.indicator.modified_at: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or other + relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index d8affec2da..94db2fcf1e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -18912,20 +18912,11 @@ threat: type: date threat.enrichments.indicator.name: dashed_name: threat-enrichments-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.enrichments.indicator.name ignore_above: 1024 level: extended 
@@ -21637,20 +21628,11 @@ threat: type: date threat.indicator.name: dashed_name: threat-indicator-name - description: The display name indicator in an UI friendly format + description: 'The display name indicator in an UI friendly format + + URL, IP address, email address, registry key, port number, hash value, or + other relevant name can serve as the display name.' example: 5.2.75.227 - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 flat_name: threat.indicator.name ignore_above: 1024 level: extended diff --git a/schemas/threat.yml b/schemas/threat.yml index 26c1018e11..a9cb544948 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -111,18 +111,9 @@ short: Indicator display name description: > The display name indicator in an UI friendly format - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 + + URL, IP address, email address, registry key, port number, hash value, + or other relevant name can serve as the display name. example: 5.2.75.227 - name: enrichments.indicator.description 
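Review bot: The paragraph added to the `description` of `enrichments.indicator.name` in schemas/threat.yml (hunk -111, and the identical text for `indicator.name` in hunk -419) lists the kinds of value the name may hold but never says the field is display-only. With `expected_values` removed, nothing tells a producer or rule author that this is free-form text rather than a normalized observable. I would append a sentence along the lines of `This field is for display only; matching and enrichment should presumably rely on the typed indicator fields (such as indicator.port), not on this name.` Because the name can be a URL or e-mail address that comes from a threat feed, the description could also say that consumers should render it as plain text. Separately, the unchanged first sentence reads `an UI friendly format` with no closing period; `The display name of the indicator, in a UI-friendly format.` would read better in the generated docs.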
@@ -419,18 +410,9 @@ short: Indicator display name description: > The display name indicator in an UI friendly format - expected_values: - - 5.2.75.227 - - 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 - - https://example.com/some/path - - example.com - - 373d34874d7bc89fd4cefa6272ee80bf - - b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7 - - email@example.com - - HKLM\\SOFTWARE\\Microsoft\\Active - - 13335 - - 00:00:5e:00:53:af - - 8008 + + URL, IP address, email address, registry key, port number, hash value, + or other relevant name can serve as the display name. example: 5.2.75.227 - name: indicator.description