From 716f717cd781b29b91c029a3bca25905233aa2b1 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Tue, 8 Sep 2020 14:35:19 -0500
Subject: [PATCH] Remove `expected_event_types` from protocol (#964)
---
docs/field-values.asciidoc | 4 ----
generated/ecs/ecs_flat.yml | 6 ------
generated/ecs/ecs_nested.yml | 6 ------
schemas/event.yml | 6 ------
4 files changed, 22 deletions(-)
diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc
index 03a74e16cd..4e4bb8a61e 100644
--- a/docs/field-values.asciidoc
+++ b/docs/field-values.asciidoc
@@ -439,10 +439,6 @@ The installation event type is used for the subset of events within a category t The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. -*Expected event types for category protocol:* - -access, change, end, info, start - [float] [[ecs-event-type-start]]
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 6dd52f8022..5322836187 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2298,12 +2298,6 @@ event.type: indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 9812e7f66a..522f884a44 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2701,12 +2701,6 @@ event: should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process
diff --git a/schemas/event.yml b/schemas/event.yml
index 4d18ae2c86..74e99b99fe 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -469,12 +469,6 @@ Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start - name: start description: > The start event type is used for the subset of events within a category