-
Notifications
You must be signed in to change notification settings - Fork 66
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #223 from jonathan-buttner/ep-package
Elastic Endpoint Package
- Loading branch information
Showing
8 changed files
with
4,059 additions
and
2 deletions.
There are no files selected for viewing
3,807 changes: 3,807 additions & 0 deletions
3,807
dev/package-examples/endpoint-0.0.1/dataset/events/fields/fields.yml
Large diffs are not rendered by default.
Oops, something went wrong.
6 changes: 6 additions & 0 deletions
6
dev/package-examples/endpoint-0.0.1/dataset/events/manifest.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
title: Endpoint Events | ||
|
||
type: events | ||
|
||
# If set to true, this will be enabled by default in the input selection | ||
default: true |
200 changes: 200 additions & 0 deletions
200
dev/package-examples/endpoint-0.0.1/dataset/metadata/fields/fields.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,200 @@ | ||
- name: "@timestamp" | ||
level: core | ||
required: true | ||
type: date | ||
description: "Date/time when the event originated. | ||
This is the date/time extracted from the event, typically representing when | ||
the event was generated by the source. | ||
If the event source has no original timestamp, this value is typically populated | ||
by the first time the event was received by the pipeline. | ||
Required field for all events." | ||
example: "2016-05-23T08:05:34.853Z" | ||
- name: agent | ||
title: Agent | ||
group: 2 | ||
description: "The agent fields contain the data about the software entity, if | ||
any, that collects, detects, or observes events on a host, or takes measurements | ||
on a host. | ||
Examples include Beats. Agents may also run on observers. ECS agent.* fields | ||
shall be populated with details of the agent running on the host or observer | ||
where the event happened or the measurement was taken." | ||
footnote: | ||
"Examples: In the case of Beats for logs, the agent.name is filebeat. | ||
For APM, it is the agent running in the app/service. The agent information does | ||
not change if data is sent through queuing systems like Kafka, Redis, or processing | ||
systems such as Logstash or APM Server." | ||
type: group | ||
fields: | ||
- name: id | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: "Unique identifier of this agent (if one exists). | ||
Example: For Beats this would be beat.id." | ||
example: 8a4f500d | ||
- name: name | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: "Custom name of the agent. | ||
This is a name that can be given to an agent. This can be helpful if for example | ||
two Filebeat instances are running on the same host but a human readable separation | ||
is needed on which Filebeat instance data is coming from. | ||
If no name is given, the name is often left empty." | ||
example: foo | ||
- name: version | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: Version of the agent. | ||
example: 6.0.0-rc2 | ||
- name: ecs | ||
title: ECS | ||
group: 2 | ||
description: Meta-information specific to ECS. | ||
type: group | ||
fields: | ||
- name: version | ||
level: core | ||
required: true | ||
type: keyword | ||
ignore_above: 1024 | ||
description: | ||
"ECS version this event conforms to. `ecs.version` is a required | ||
field and must exist in all events. | ||
When querying across multiple indices -- which may conform to slightly different | ||
ECS versions -- this field lets integrations adjust to the schema version | ||
of the events." | ||
example: 1.0.0 | ||
- name: endpoint | ||
title: Endpoint | ||
group: 2 | ||
description: TODO | ||
type: group | ||
fields: | ||
- name: policy.id | ||
level: custom | ||
type: keyword | ||
ignore_above: 1024 | ||
description: TODO | ||
default_field: false | ||
- name: event | ||
title: Event | ||
group: 2 | ||
description: "The event fields are used for context information about the log | ||
or metric event itself. | ||
A log is defined as an event containing details of something that happened. | ||
Log events must include the time at which the thing happened. Examples of log | ||
events include a process starting on a host, a network packet being sent from | ||
a source to a destination, or a network connection between a client and a server | ||
being initiated or closed. A metric is defined as an event containing one or | ||
more numerical or categorical measurements and the time at which the measurement | ||
was taken. Examples of metric events include memory pressure measured on a host, | ||
or vulnerabilities measured on a scanned host." | ||
type: group | ||
fields: | ||
- name: created | ||
level: core | ||
type: date | ||
description: | ||
"event.created contains the date/time when the event was first | ||
read by an agent, or by your pipeline. | ||
This field is distinct from @timestamp in that @timestamp typically contain | ||
the time extracted from the original event. | ||
In most situations, these two timestamps will be slightly different. The difference | ||
can be used to calculate the delay between your source generating an event, | ||
and the time when your agent first processed it. This can be used to monitor | ||
your agent's or pipeline's ability to keep up with your event source. | ||
In case the two timestamps are identical, @timestamp should be used." | ||
example: "2016-05-23T08:05:34.857Z" | ||
- name: host | ||
title: Host | ||
group: 2 | ||
description: "A host is defined as a general computing instance. | ||
ECS host.* fields should be populated with details about the host on which the | ||
event happened, or from which the measurement was taken. Host types include | ||
hardware, virtual machines, Docker containers, and Kubernetes nodes." | ||
type: group | ||
fields: | ||
- name: architecture | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: Operating system architecture. | ||
example: x86_64 | ||
- name: hostname | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: "Hostname of the host. | ||
It normally contains what the `hostname` command returns on the host machine." | ||
- name: id | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: "Unique host id. | ||
As hostname is not always unique, use values that are meaningful in your environment. | ||
Example: The current usage of `beat.name`." | ||
- name: ip | ||
level: core | ||
type: ip | ||
description: Host ip addresses. | ||
- name: mac | ||
level: core | ||
type: keyword | ||
ignore_above: 1024 | ||
description: Host mac addresses. | ||
- name: os.full | ||
level: extended | ||
type: keyword | ||
ignore_above: 1024 | ||
multi_fields: | ||
- name: text | ||
type: text | ||
norms: false | ||
default_field: false | ||
description: Operating system name, including the version or code name. | ||
example: Mac OS Mojave | ||
- name: os.name | ||
level: extended | ||
type: keyword | ||
ignore_above: 1024 | ||
multi_fields: | ||
- name: text | ||
type: text | ||
norms: false | ||
default_field: false | ||
description: Operating system name, without the version. | ||
example: Mac OS X | ||
- name: os.variant | ||
level: custom | ||
type: keyword | ||
ignore_above: 1024 | ||
description: | ||
A string value or phrase that further aid to classify or qualify | ||
the operating system (OS). For example the distribution for a Linux OS will | ||
be entered in this field. | ||
example: Ubuntu | ||
default_field: false | ||
- name: os.version | ||
level: extended | ||
type: keyword | ||
ignore_above: 1024 | ||
description: Operating system version as a raw string. | ||
example: 10.14.1 |
8 changes: 8 additions & 0 deletions
8
dev/package-examples/endpoint-0.0.1/dataset/metadata/manifest.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
title: Endpoint Metadata | ||
|
||
type: metrics | ||
|
||
# If set to true, this will be enabled by default in the input selection | ||
default: true | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Endpoint package | ||
|
||
This is a module for the Endpoint Kibana App and Elastic Endpoint. It sets up the templates, index patterns, aliases, and dashboards. |
14 changes: 14 additions & 0 deletions
14
dev/package-examples/endpoint-0.0.1/elasticsearch/ilm-policy/endpoint-ilm-policy.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
{ | ||
"policy": { | ||
"phases": { | ||
"hot": { | ||
"actions": { | ||
"rollover": { | ||
"max_size": "50GB", | ||
"max_age": "30d" | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
format_version: 1.0.0 | ||
name: endpoint | ||
title: Elastic Endpoint | ||
description: This is the Elastic Endpoint package. | ||
version: 0.0.1 | ||
categories: ["security"] | ||
# Options are experimental, beta, ga | ||
release: beta | ||
# The package type. The options for now are [integration, solution], more type might be added in the future. | ||
# The default type is integration and will be set if empty. | ||
type: solution | ||
license: basic | ||
|
||
requirement: | ||
elasticsearch: | ||
versions: ">7.4.0" | ||
kibana: | ||
versions: ">7.4.0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters