From ff4885d0dc87daba4588eec795d9957d1004845f Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 8 Sep 2020 14:35:19 -0500 Subject: [PATCH] Remove `expected_event_types` from protocol (#964) --- CHANGELOG.next.md | 2 ++ docs/field-values.asciidoc | 4 ---- generated/ecs/ecs_flat.yml | 6 ------ generated/ecs/ecs_nested.yml | 6 ------ schemas/event.yml | 6 ------ 5 files changed, 2 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 0705d87f66..62a6425f6b 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -14,6 +14,8 @@ Thanks, you're awesome :-) --> #### Bugfixes +* The `protocol` allowed value under `event.type` should not have the `expected_event_types` defined. #964 + #### Added * Added Mime Type fields to HTTP request and response. #944 diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 03a74e16cd..4e4bb8a61e 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -439,10 +439,6 @@ The installation event type is used for the subset of events within a category t The protocol event type is used for the subset of events within a category that indicate that they contain protocol details or analysis, beyond simply identifying the protocol. Generally, network events that contain specific protocol details will fall into this subcategory. A common example is `event.category:network AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate that the event is a network connection event sent at the end of a connection that also includes a protocol detail breakdown). Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. -*Expected event types for category protocol:* - -access, change, end, info, start - [float] [[ecs-event-type-start]] 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 08a1c79cb4..c27228d794 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2298,12 +2298,6 @@ event.type: indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 926f834242..8ed5b86a80 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2701,12 +2701,6 @@ event: should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start name: protocol - description: The start event type is used for the subset of events within a category that indicate something has started. A common example is `event.category:process diff --git a/schemas/event.yml b/schemas/event.yml index 4d18ae2c86..74e99b99fe 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -469,12 +469,6 @@ Note that events that only indicate the name or id of the protocol should not use the protocol value. Further note that when the protocol subcategory is used, the identified protocol is populated in the ECS `network.protocol` field. - expected_event_types: - - access - - change - - end - - info - - start - name: start description: > The start event type is used for the subset of events within a category
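Review bot: In the CHANGELOG.next.md hunk, the new Bugfixes entry is worded as a rule ("should not have the `expected_event_types` defined") instead of stating what changed. Suggest describing the action, for example "Removed `expected_event_types` from the `protocol` allowed value under `event.type`. #964". That way anyone scanning the changelog can tell the key is gone from the schema output, not merely discouraged.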
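Review bot: The generated/ecs/ecs_flat.yml and generated/ecs/ecs_nested.yml hunks remove the same five values (access, change, end, info, start) as the schemas/event.yml hunk, and nothing in the patch shows whether they were regenerated or edited by hand. Please confirm both files, and the matching docs/field-values.asciidoc hunk if it is also generated, came from rerunning the generator against schemas/event.yml, so the generated artifacts cannot drift from the source schema.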
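Review bot: In the schemas/event.yml hunk, `expected_event_types` is deleted from the `protocol` entry, but none of the five changed files adds a check that would stop the key from being reintroduced on an `event.type` allowed value. The removed docs heading called protocol a "category" ("Expected event types for category protocol"), which hints at how the key landed on a type entry in the first place. Consider adding a validation step to the schema tooling that fails when `expected_event_types` appears on an allowed value under `event.type`. It would also help to mention in the PR description that anything validating category/type pairings from these files will no longer find the key on `protocol`.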