Add minimal field set to represent groups. (#203)

Also fix a field name mistake in the changelog for #204
elastic · Dec 3, 2018 · bd081c5 · bd081c5
1 parent df9b3de
commit bd081c5
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,7 +14,8 @@ All notable changes to this project will be documented in this file based on the
 * Add `host.name` field and clarify usage of `host.hostname`.
 * Add `event.start` and `event.end` date fields.
 * Create new `related` field set with `related.ip`. #206
-* Add `user.groups` field. #204
+* Add `user.group` field. #204
+* Create new `group` field set with `group.id` and `group.name`. #203
 
 ### Improvements
 

diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ ECS defines these fields.
  * [Event fields](#event)
  * [File fields](#file)
  * [Geo fields](#geo)
+ * [Group fields](#group)
  * [Host fields](#host)
  * [Log fields](#log)
  * [Network fields](#network)
@@ -250,6 +251,17 @@ Note also that the `geo` fields are not expected to be used directly at the top
 | <a name="geo.city_name"></a>geo.city_name | City name. | core | keyword | `Montreal` |
 
 
+## <a name="group"></a> Group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+| Field  | Description  | Level  | Type  | Example  |
+|---|---|---|---|---|
+| <a name="group.id"></a>group.id | Unique identifier for the group on the system/platform. | extended | keyword |  |
+| <a name="group.name"></a>group.name | Name of the group. | extended | keyword |  |
+
+
 ## <a name="host"></a> Host fields
 
 Host fields provide information related to a host. A host can be a physical machine, a virtual machine, or a Docker container.

diff --git a/fields.yml b/fields.yml
@@ -660,6 +660,27 @@
             City name.
           example: Montreal
 
+    - name: group
+      title: Group
+      group: 2
+      description: >
+        The group fields are meant to represent groups that are relevant to the
+        event.
+      type: group
+      fields:
+
+        - name: id
+          level: extended
+          type: keyword
+          description: >
+            Unique identifier for the group on the system/platform.
+    
+        - name: name
+          level: extended
+          type: keyword
+          description: >
+            Name of the group.
+    
     - name: host
       title: Host
       group: 2

diff --git a/schema.csv b/schema.csv
@@ -70,6 +70,8 @@ geo.continent_name,keyword,core,North America
 geo.country_iso_code,keyword,core,CA
 geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }"
 geo.region_name,keyword,core,Quebec
+group.id,keyword,extended,
+group.name,keyword,extended,
 host.architecture,keyword,core,x86_64
 host.hostname,keyword,core,
 host.id,keyword,core,

diff --git a/schemas/group.yml b/schemas/group.yml
@@ -0,0 +1,21 @@
+---
+- name: group
+  title: Group
+  group: 2
+  description: >
+    The group fields are meant to represent groups that are relevant to the
+    event.
+  type: group
+  fields:
+
+    - name: id
+      level: extended
+      type: keyword
+      description: >
+        Unique identifier for the group on the system/platform.
+
+    - name: name
+      level: extended
+      type: keyword
+      description: >
+        Name of the group.
diff --git a/template.json b/template.json
@@ -334,6 +334,18 @@
             }
           }
         },
+        "group": {
+          "properties": {
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
         "host": {
           "properties": {
             "architecture": {