From 8766cd91e2621c1d141b94b495430b48e651b51d Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 8 Sep 2020 14:35:19 -0500 Subject: [PATCH] Remove `expected_event_types` from protocol (#964) --- CHANGELOG.next.md | 2 ++ docs/field-values.asciidoc | 4 ---- generated/ecs/ecs_flat.yml | 6 ------ generated/ecs/ecs_nested.yml | 6 ------ schemas/event.yml | 6 ------ 5 files changed, 2 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ef52884095..69edaeb0d0 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,6 +14,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964 + #### Added #### Improvements diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 03a74e16cd..4e4bb8a61e 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -439,10 +439,6 @@ The installation event type is used for the subset of events within a category t The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. -*Expected event types for category protocol:* - -access, change, end, info, start - [float] [[ecs-event-type-start]] 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 6dd52f8022..5322836187 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2298,12 +2298,6 @@ event.type: indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 9812e7f66a..522f884a44 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2701,12 +2701,6 @@ event: should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process diff --git a/schemas/event.yml b/schemas/event.yml index 4d18ae2c86..74e99b99fe 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -469,12 +469,6 @@ Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start - name: start description: > The start event type is used for the subset of events within a category
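Review bot: in the CHANGELOG.next.md hunk, the new Bugfixes entry is worded as a rule ("should not have the `expected_event_types` defined") instead of stating what was changed, so a reader of the changelog cannot tell whether the list was removed or only flagged. Suggest wording it as the change itself, for example: "Removed `expected_event_types` from the `protocol` allowed value under `event.type`. #964".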
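Review bot: in the docs/field-values.asciidoc hunk, the description that stays as context still calls `protocol` a "subcategory" ("will fall into this subcategory", "when the protocol subcategory is used"), and the removed heading called it a "category", although the value is listed under `event.type`. Since the same description text appears in the schemas/event.yml hunk, consider correcting the wording there to "event type" in this change or a follow-up, so the terminology that led to the misplaced list does not remain in the docs.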
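Review bot: the schemas/event.yml hunk drops the `expected_event_types` list from the `protocol` entry, but none of the five files in the diffstat adds a check that rejects `expected_event_types` on an `event.type` allowed value, so the same mistake can be reintroduced on another type without anything failing. Consider adding a schema validation step for this, and confirm that generated/ecs/ecs_flat.yml and generated/ecs/ecs_nested.yml were regenerated from schemas/event.yml and not edited by hand, since all three hunks carry the same six-line removal.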