From a5ff8f1108b1f91e26209f1319a604fd464a56b3 Mon Sep 17 00:00:00 2001
From: Yamin Tian <56367679+Trinity2019@users.noreply.github.com>
Date: Tue, 12 Sep 2023 02:32:49 +0800
Subject: [PATCH] [RFC] Stage 2 for volume device (#2260)

* level/keyword/field adjustments

* update document

* update pr link

* tweak

* blanks

* add reviewer

* fix field name

* Update rfcs/text/0040-volume-device.md

Co-authored-by: Eric Beahan <ebeahan@gmail.com>

* set stage 2 advancement date

---------

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
Co-authored-by: Eric Beahan <ebeahan@gmail.com>
---
 rfcs/text/0040-volume-device.md | 204 ++++++++++++++++++++++----------
 rfcs/text/0040/volume.yml       |  26 ++--
 2 files changed, 160 insertions(+), 70 deletions(-)

diff --git a/rfcs/text/0040-volume-device.md b/rfcs/text/0040-volume-device.md
index 465bdf92ea..7d8b687150 100644
--- a/rfcs/text/0040-volume-device.md
+++ b/rfcs/text/0040-volume-device.md
@@ -1,8 +1,8 @@
 # 0040: Volume device
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **1 (draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
-- Date: **2023-07-27** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
+- Stage: **2 (candidate)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2023-09-11** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
 As you work on your RFC, use the "Stage N" comments to guide you in what you should focus on, for the stage you're targeting.
@@ -28,8 +28,9 @@ This RFC propose adding the volume device fieldset to describe volume storage de
  * volume.vendor_id
  * volume.vendor_name
  * volume.serial_number
- * volume.volume_device_type
+ * volume.device_type
  * volume.size
+ * volume.removable
 
 <!--
 Stage 1: If the changes include field additions or modifications, please create a folder titled as the RFC number under rfcs/text/. This will be where proposed schema changes as standalone YAML files or extended example mappings and larger source documents will go as the RFC is iterated upon.
@@ -80,7 +81,7 @@ Details of the proposed fields:
         The field is relevant to Windows only.
 
     - name: nt_name
-      level: custom
+      level: extended
       type: keyword
       short: NT name of the device.
       description: >
@@ -110,7 +111,7 @@ Details of the proposed fields:
         A string to describe the default access(es) of the volume.
 
     - name: file_system_type
-      level: custom
+      level: extended
       type: keyword
       short: Volume device file system type.
       description: >
@@ -121,7 +122,7 @@ Details of the proposed fields:
         UDF
 
     - name: product_id
-      level: custom
+      level: extended
       type: keyword
       short: ProductID of the device.
       description: >
@@ -134,28 +135,28 @@ Details of the proposed fields:
         Product name of the volume device. It is provided by the vendor of the device.
 
     - name: vendor_id
-      level: custom
+      level: extended
       type: keyword
       short: VendorID of the device.
       description: >
         VendorID of the device. It is provided by the vendor of the device.
 
     - name: vendor_name
-      level: custom
+      level: extended
       type: keyword
       short: Vendor name of the device.
       description: >
         Vendor name of the volume device. It is provided by the vendor of the device.
 
     - name: serial_number
-      level: custom
+      level: extended
       type: keyword
       short: Serial Number of the device.
       description: >
         Serial Number of the device. It is provided by the vendor of the device if any.
 
     - name: device_type
-      level: custom
+      level: extended
       type: keyword
       short: Volume device type.
       description: >
@@ -166,10 +167,17 @@ Details of the proposed fields:
         CD-ROM File System
 
     - name: size
-      level: custom
-      type: keyword
+      level: extended
+      type: long
       description: >
         Size of the volume device in bytes.
+
+    - name: removable
+      level: extended
+      type: boolean
+      description: >
+        This field indicates if the volume is removable.
+
 ```
 
 <!--
@@ -194,51 +202,120 @@ Stage 1: Provide a high-level description of example sources of data. This does
 -->
 ```json
 {
-	"@timestamp": "2023-04-05T18:48:25.7435298Z",
-	"agent": {
-		"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
-		"type": "endpoint",
-		"version": "8.8.0-SNAPSHOT"
-	},
-	"data_stream": {
-		"dataset": "endpoint.events.volume_device",
-		"namespace": "default",
-		"type": "logs"
-	},
-	"ecs": {
-		"version": "1.11.0"
-	},
-	"elastic": {
-		"agent": {
-			"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
-		}
-	},
-	"event": {
-		"action": "attach",
-		"category": [
-			"volume_device"
-		],
-		"created": "2023-04-05T18:48:25.7435298Z",
-		"dataset": "endpoint.events.volume_device",
-		"id": "N0r0JIPXbQR6J+83++++++PP",
-		"kind": "event",
-		"module": "endpoint",
-		"outcome": "unknown",
-		"sequence": 1281,
-		"type": [
-			"attach"
-		]
-	},
-	"message": "Endpoint volume device event",
-	"volume.bus_type": "FileBackedVirtual",
-	"volume.dos_name": "E:",
-	"volume.file_system_type": "UDF",
-	"volume.nt_name": "\\Device\\CdRom1",
-	"volume.product_name": "Virtual DVD-ROM",
-	"volume.vendor_name": "Msft",
-	"volume.serial_number": "12345",
-	"volume.volume_device_type": "CD-ROM File System",
-	"volume.size": 1000,000,000
+    "@timestamp":"2023-08-24T12:37:59.9817807Z",
+    "agent":
+    {
+        "id":"ada69fee-8801-4248-9ea5-acada41cef88",
+        "type":"endpoint",
+        "version":"8.10.0-SNAPSHOT"
+    },
+    "data_stream":
+    {
+        "dataset":"endpoint.events.volume_device",
+        "namespace":"default",
+        "type":"logs"
+    },
+    "ecs":
+    {
+        "version":"1.11.0"
+    },
+    "elastic":
+    {
+        "agent":
+        {
+            "id":"ada69fee-8801-4248-9ea5-acada41cef88"
+        }
+    },
+    "event":
+    {
+        "action":"mount",
+        "category": [
+            "volume_device"
+        ],
+        "created":"2023-08-24T12:37:59.9817807Z",
+        "dataset":"endpoint.events.volume_device",
+        "id":"NCRD4OiOt10Kj8r9++++++e0",
+        "kind":"event",
+        "module":"endpoint",
+        "outcome":"success",
+        "sequence":1759,
+        "type": [
+            "start"
+        ]
+    },
+    "host":
+    {
+        "architecture":"x86_64",
+        "hostname":"win11vm",
+        "id":"01d52cf8-1917-4fab-8317-100076ab9aab",
+        "ip":
+        [
+            "192.168.2.3","127.0.0.1","::1"
+        ],
+        "mac": [
+            "00-0a-9d-b2-55-61"
+        ],
+        "name":"win11vm",
+        "os":
+        {
+            "Ext":
+            {
+                "variant":"Windows 11 Pro"
+            },
+            "family":"windows",
+            "full":"Windows 11 Pro 22H2 (10.0.22621.2134)",
+            "kernel":"22H2 (10.0.22621.2134)",
+            "name":"Windows",
+            "platform":"windows",
+            "type":"windows",
+            "version":"22H2 (10.0.22621.2134)"
+        }
+    },
+    "message":"Endpoint volume device event",
+    "process":
+    {
+        "Ext":
+        {
+            "code_signature": [
+                {
+                    "exists":true,
+                    "status":"trusted",
+                    "subject_name":"Microsoft Windows",
+                    "trusted":true
+                }
+            ]
+        },
+        "code_signature":
+        {
+            "exists":true,
+            "status":"trusted",
+            "subject_name":"Microsoft Windows",
+            "trusted":true
+        },
+        "entity_id":"NWRhNjlkZWUtODgwNS00MjZiLTllYTUtYmM5ZGE0MGMwZjc3LTY1ODAtMTY5Mjc1ODgyNC40OTIxMjU5MDA=",
+        "executable":"C:\\Windows\\explorer.exe",
+        "name":"explorer.exe",
+        "pid":6580
+    },
+    "user":
+    {
+        "domain":"WIN11VM",
+        "id":"S-1-5-21-3464081356-156823451-1687200008-1001",
+        "name":"john"
+    },
+    "volume":
+    {
+        "bus_type":"FileBackedVirtual",
+        "device_type":"CD-ROM File System",
+        "dos_name":"E:",
+        "file_system_type":"UDF",
+        "nt_name":"\\Device\\CdRom1",
+        "product_name":"Virtual DVD-ROM",
+        "serial_number":"",
+        "vendor_name":"Msft",
+        "size": 1000,000,000,
+        "removable": true
+    }
 }
 ```
 
@@ -259,6 +336,10 @@ Stage 2: Identifies scope of impact of changes. Are breaking changes required? S
  * ECS project (e.g. docs, tooling)
 The goal here is to research and understand the impact of these changes on users in the community and development teams across Elastic. 2-5 sentences each.
 -->
+As this RFC involves the creation of an entirely new fieldset, no breaking
+changes are envisaged. Some existing tooling might need updates to factor in the
+new fieldset's availability, however.
+
 
 ## Concerns
 
@@ -279,9 +360,10 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should
 
 The following are the people that consulted on the contents of this RFC.
 
- * @Trinity2019    | author
- * @ricardoungureanu| reviewer
- * @stanek-michal  | reviewer
+ * @Trinity2019      | author, sponsor
+ * @ricardoungureanu | reviewer
+ * @stanek-michal    | reviewer
+ * @intxgo           | reviewer
 
 <!--
 Who will be or has been consulted on the contents of this RFC? Identify authorship and sponsorship, and optionally identify the nature of involvement of others. Link to GitHub aliases where possible. This list will likely change or grow stage after stage.
@@ -310,6 +392,8 @@ https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%2
 
 * Stage 1: https://github.com/elastic/ecs/pull/2229
 
+* Stage 2: https://github.com/elastic/ecs/pull/2260
+
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN
 ...
diff --git a/rfcs/text/0040/volume.yml b/rfcs/text/0040/volume.yml
index a85f575c50..8893373264 100644
--- a/rfcs/text/0040/volume.yml
+++ b/rfcs/text/0040/volume.yml
@@ -47,7 +47,7 @@
         The field is relevant to Windows only.
 
     - name: nt_name
-      level: custom
+      level: extended
       type: keyword
       short: NT name of the device.
       description: >
@@ -77,7 +77,7 @@
         A string to describe the default access(es) of the volume.
         
     - name: file_system_type
-      level: custom
+      level: extended
       type: keyword
       short: Volume device file system type.
       description: >
@@ -88,7 +88,7 @@
         UDF
 
     - name: product_id
-      level: custom
+      level: extended
       type: keyword
       short: ProductID of the device.
       description: >
@@ -101,28 +101,28 @@
         Product name of the volume device. It is provided by the vendor of the device.
 
     - name: vendor_id
-      level: custom
+      level: extended
       type: keyword
       short: VendorID of the device.
       description: >
         VendorID of the device. It is provided by the vendor of the device.
 
     - name: vendor_name
-      level: custom
+      level: extended
       type: keyword
       short: Vendor name of the device.
       description: >
         Vendor name of the volume device. It is provided by the vendor of the device.
 
     - name: serial_number
-      level: custom
+      level: extended
       type: keyword
       short: Serial Number of the device.
       description: >
         Serial Number of the device. It is provided by the vendor of the device if any.
 
     - name: device_type
-      level: custom
+      level: extended
       type: keyword
       short: Volume device type.
       description: >
@@ -133,7 +133,13 @@
         CD-ROM File System
 
     - name: size
-      level: custom
-      type: keyword
+      level: extended
+      type: long
+      description: >
+        Size of the volume device in bytes.
+
+    - name: removable
+      level: extended
+      type: boolean
       description: >
-        Size of the volume device in MB.
+        This field indicates if the volume is removable.