elastic · jonathan-buttner · Mar 3, 2020 · Jan 22, 2020 · Jan 31, 2020 · Feb 14, 2020
diff --git a/dev/package-examples/endpoint-0.0.1/dataset/events/fields/fields.yml b/dev/package-examples/endpoint-0.0.1/dataset/events/fields/fields.yml
diff --git a/dev/package-examples/endpoint-0.0.1/dataset/events/manifest.yml b/dev/package-examples/endpoint-0.0.1/dataset/events/manifest.yml
@@ -0,0 +1,6 @@
+title: Endpoint Events
+
+type: events
+
+# If set to true, this will be enabled by default in the input selection
+default: true
diff --git a/dev/package-examples/endpoint-0.0.1/dataset/metadata/fields/fields.yml b/dev/package-examples/endpoint-0.0.1/dataset/metadata/fields/fields.yml
@@ -0,0 +1,200 @@
+- name: "@timestamp"
+  level: core
+  required: true
+  type: date
+  description: "Date/time when the event originated.
+
+    This is the date/time extracted from the event, typically representing when
+    the event was generated by the source.
+
+    If the event source has no original timestamp, this value is typically populated
+    by the first time the event was received by the pipeline.
+
+    Required field for all events."
+  example: "2016-05-23T08:05:34.853Z"
+- name: agent
+  title: Agent
+  group: 2
+  description: "The agent fields contain the data about the software entity, if
+    any, that collects, detects, or observes events on a host, or takes measurements
+    on a host.
+
+    Examples include Beats. Agents may also run on observers. ECS agent.* fields
+    shall be populated with details of the agent running on the host or observer
+    where the event happened or the measurement was taken."
+  footnote:
+    "Examples: In the case of Beats for logs, the agent.name is filebeat.
+    For APM, it is the agent running in the app/service. The agent information does
+    not change if data is sent through queuing systems like Kafka, Redis, or processing
+    systems such as Logstash or APM Server."
+  type: group
+  fields:
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: "Unique identifier of this agent (if one exists).
+
+        Example: For Beats this would be beat.id."
+      example: 8a4f500d
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: "Custom name of the agent.
+
+        This is a name that can be given to an agent. This can be helpful if for example
+        two Filebeat instances are running on the same host but a human readable separation
+        is needed on which Filebeat instance data is coming from.
+
+        If no name is given, the name is often left empty."
+      example: foo
+    - name: version
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Version of the agent.
+      example: 6.0.0-rc2
+- name: ecs
+  title: ECS
+  group: 2
+  description: Meta-information specific to ECS.
+  type: group
+  fields:
+    - name: version
+      level: core
+      required: true
+      type: keyword
+      ignore_above: 1024
+      description:
+        "ECS version this event conforms to. `ecs.version` is a required
+        field and must exist in all events.
+
+        When querying across multiple indices -- which may conform to slightly different
+        ECS versions -- this field lets integrations adjust to the schema version
+        of the events."
+      example: 1.0.0
+- name: endpoint
+  title: Endpoint
+  group: 2
+  description: TODO
+  type: group
+  fields:
+    - name: policy.id
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: TODO
+      default_field: false
+- name: event
+  title: Event
+  group: 2
+  description: "The event fields are used for context information about the log
+    or metric event itself.
+
+    A log is defined as an event containing details of something that happened.
+    Log events must include the time at which the thing happened. Examples of log
+    events include a process starting on a host, a network packet being sent from
+    a source to a destination, or a network connection between a client and a server
+    being initiated or closed. A metric is defined as an event containing one or
+    more numerical or categorical measurements and the time at which the measurement
+    was taken. Examples of metric events include memory pressure measured on a host,
+    or vulnerabilities measured on a scanned host."
+  type: group
+  fields:
+    - name: created
+      level: core
+      type: date
+      description:
+        "event.created contains the date/time when the event was first
+        read by an agent, or by your pipeline.
+
+        This field is distinct from @timestamp in that @timestamp typically contain
+        the time extracted from the original event.
+
+        In most situations, these two timestamps will be slightly different. The difference
+        can be used to calculate the delay between your source generating an event,
+        and the time when your agent first processed it. This can be used to monitor
+        your agent's or pipeline's ability to keep up with your event source.
+
+        In case the two timestamps are identical, @timestamp should be used."
+      example: "2016-05-23T08:05:34.857Z"
+- name: host
+  title: Host
+  group: 2
+  description: "A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the
+    event happened, or from which the measurement was taken. Host types include
+    hardware, virtual machines, Docker containers, and Kubernetes nodes."
+  type: group
+  fields:
+    - name: architecture
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Operating system architecture.
+      example: x86_64
+    - name: hostname
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: "Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine."
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: "Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`."
+    - name: ip
+      level: core
+      type: ip
+      description: Host ip addresses.
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Host mac addresses.
+    - name: os.full
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+        - name: text
+          type: text
+          norms: false
+          default_field: false
+      description: Operating system name, including the version or code name.
+      example: Mac OS Mojave
+    - name: os.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+        - name: text
+          type: text
+          norms: false
+          default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: os.variant
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description:
+        A string value or phrase that further aid to classify or qualify
+        the operating system (OS).  For example the distribution for a Linux OS will
+        be entered in this field.
+      example: Ubuntu
+      default_field: false
+    - name: os.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
diff --git a/dev/package-examples/endpoint-0.0.1/dataset/metadata/manifest.yml b/dev/package-examples/endpoint-0.0.1/dataset/metadata/manifest.yml
@@ -0,0 +1,8 @@
+title: Endpoint Metadata
+
+type: metrics
+
+# If set to true, this will be enabled by default in the input selection
+default: true
+
+
diff --git a/dev/package-examples/endpoint-0.0.1/docs/README.md b/dev/package-examples/endpoint-0.0.1/docs/README.md
@@ -0,0 +1,3 @@
+# Endpoint package
+
+This is a module for the Endpoint Kibana App and Elastic Endpoint. It sets up the templates, index patterns, aliases, and dashboards.
diff --git a/dev/package-examples/endpoint-0.0.1/elasticsearch/ilm-policy/endpoint-ilm-policy.json b/dev/package-examples/endpoint-0.0.1/elasticsearch/ilm-policy/endpoint-ilm-policy.json
@@ -0,0 +1,14 @@
+{
+    "policy": {
+        "phases": {
+            "hot": {
+                "actions": {
+                    "rollover": {
+                        "max_size": "50GB",
+                        "max_age": "30d"
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/dev/package-examples/endpoint-0.0.1/manifest.yml b/dev/package-examples/endpoint-0.0.1/manifest.yml
@@ -0,0 +1,18 @@
+format_version: 1.0.0
+name: endpoint
+title: Elastic Endpoint
+description: This is the Elastic Endpoint package.
+version: 0.0.1
+categories: ["security"]
+# Options are experimental, beta, ga
+release: beta
+# The package type. The options for now are [integration, solution], more type might be added in the future.
+# The default type is integration and will be set if empty.
+type: solution
+license: basic
+
+requirement:
+  elasticsearch:
+    versions: ">7.4.0"
+  kibana:
+    versions: ">7.4.0"
diff --git a/util/package.go b/util/package.go
@@ -21,8 +21,9 @@ import (
 const defaultType = "integration"
 
 var CategoryTitles = map[string]string{
-	"logs":    "Logs",
-	"metrics": "Metrics",
+	"logs":     "Logs",
+	"metrics":  "Metrics",
+	"security": "Security",
 }
 
 type Package struct {