RFC 0038: Add event.kind: asset - stage 2 changes (#2191)

* add event.kind:asset as beta category * artifacts * changelog * fix typo
elastic · Apr 10, 2023 · 261a873 · 261a873
1 parent 1127228
commit 261a873
Show file tree

Hide file tree

Showing 8 changed files with 99 additions and 1 deletion.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -17,6 +17,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Add `access` as an allowed type for `event.type: file`. #2174
+* Add `event.kind: asset` as a beta category. #2191
 
 #### Improvements
 

diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -3562,7 +3562,7 @@ type: keyword
 
 *Important*: The field value must be one of the following:
 
-alert, enrichment, event, metric, state, pipeline_error, signal
+alert, asset, enrichment, event, metric, state, pipeline_error, signal
 
 To learn more about when to use which value, visit the page
 <<ecs-allowed-values-event-kind,allowed values for event.kind>>

diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc
@@ -40,6 +40,7 @@ The value of this field can be used to inform how these kinds of events should b
 *Allowed Values*
 
 * <<ecs-event-kind-alert,alert>>
+* <<ecs-event-kind-asset,asset>>
 * <<ecs-event-kind-enrichment,enrichment>>
 * <<ecs-event-kind-event,event>>
 * <<ecs-event-kind-metric,metric>>
@@ -59,6 +60,20 @@ This value is not used by Elastic solutions for alert documents that are created
 
 
 
+[float]
+[[ecs-event-kind-asset]]
+==== asset
+
+beta:[ This event categorization value is beta and subject to change. ]
+
+This value indicates events whose primary purpose is to store an inventory of assets/entities and their attributes. Assets/entities are objects (such as users and hosts) that are expected to be subjects of detailed analysis within the system.
+
+Examples include lists of user identities or accounts ingested from directory services such as Active Directory (AD), inventory of hosts pulled from configuration management databases (CMDB), and lists of cloud storage buckets pulled from cloud provider APIs.
+
+This value is used by Elastic Security for asset management solutions. `event.kind: asset` is not used for normal system events or logs that are coming from an asset/entity, nor is it used for system events or logs coming from a directory or CMDB system.
+
+
+
 [float]
 [[ecs-event-kind-enrichment]]
 ==== enrichment

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -3305,6 +3305,22 @@ event.kind:
       This value is not used by Elastic solutions for alert documents that are created
       by rules executing within the Kibana alerting framework.'
     name: alert
+  - beta: This event categorization value is beta and subject to change.
+    description: 'This value indicates events whose primary purpose is to store an
+      inventory of assets/entities and their attributes. Assets/entities are objects
+      (such as users and hosts) that are expected to be subjects of detailed analysis
+      within the system.
+
+      Examples include lists of user identities or accounts ingested from directory
+      services such as Active Directory (AD), inventory of hosts pulled from configuration
+      management databases (CMDB), and lists of cloud storage buckets pulled from
+      cloud provider APIs.
+
+      This value is used by Elastic Security for asset management solutions. `event.kind:
+      asset` is not used for normal system events or logs that are coming from an
+      asset/entity, nor is it used for system events or logs coming from a directory
+      or CMDB system.'
+    name: asset
   - description: 'The `enrichment` value indicates an event collected to provide additional
       context, often to other events.
 

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -4302,6 +4302,22 @@ event:
           This value is not used by Elastic solutions for alert documents that are
           created by rules executing within the Kibana alerting framework.'
         name: alert
+      - beta: This event categorization value is beta and subject to change.
+        description: 'This value indicates events whose primary purpose is to store
+          an inventory of assets/entities and their attributes. Assets/entities are
+          objects (such as users and hosts) that are expected to be subjects of detailed
+          analysis within the system.
+
+          Examples include lists of user identities or accounts ingested from directory
+          services such as Active Directory (AD), inventory of hosts pulled from configuration
+          management databases (CMDB), and lists of cloud storage buckets pulled from
+          cloud provider APIs.
+
+          This value is used by Elastic Security for asset management solutions. `event.kind:
+          asset` is not used for normal system events or logs that are coming from
+          an asset/entity, nor is it used for system events or logs coming from a
+          directory or CMDB system.'
+        name: asset
       - description: 'The `enrichment` value indicates an event collected to provide
           additional context, often to other events.
 

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -3236,6 +3236,22 @@ event.kind:
       This value is not used by Elastic solutions for alert documents that are created
       by rules executing within the Kibana alerting framework.'
     name: alert
+  - beta: This event categorization value is beta and subject to change.
+    description: 'This value indicates events whose primary purpose is to store an
+      inventory of assets/entities and their attributes. Assets/entities are objects
+      (such as users and hosts) that are expected to be subjects of detailed analysis
+      within the system.
+
+      Examples include lists of user identities or accounts ingested from directory
+      services such as Active Directory (AD), inventory of hosts pulled from configuration
+      management databases (CMDB), and lists of cloud storage buckets pulled from
+      cloud provider APIs.
+
+      This value is used by Elastic Security for asset management solutions. `event.kind:
+      asset` is not used for normal system events or logs that are coming from an
+      asset/entity, nor is it used for system events or logs coming from a directory
+      or CMDB system.'
+    name: asset
   - description: 'The `enrichment` value indicates an event collected to provide additional
       context, often to other events.
 

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -4222,6 +4222,22 @@ event:
           This value is not used by Elastic solutions for alert documents that are
           created by rules executing within the Kibana alerting framework.'
         name: alert
+      - beta: This event categorization value is beta and subject to change.
+        description: 'This value indicates events whose primary purpose is to store
+          an inventory of assets/entities and their attributes. Assets/entities are
+          objects (such as users and hosts) that are expected to be subjects of detailed
+          analysis within the system.
+
+          Examples include lists of user identities or accounts ingested from directory
+          services such as Active Directory (AD), inventory of hosts pulled from configuration
+          management databases (CMDB), and lists of cloud storage buckets pulled from
+          cloud provider APIs.
+
+          This value is used by Elastic Security for asset management solutions. `event.kind:
+          asset` is not used for normal system events or logs that are coming from
+          an asset/entity, nor is it used for system events or logs coming from a
+          directory or CMDB system.'
+        name: asset
       - description: 'The `enrichment` value indicates an event collected to provide
           additional context, often to other events.
 

diff --git a/schemas/event.yml b/schemas/event.yml
@@ -83,6 +83,24 @@
 
             This value is not used by Elastic solutions for alert documents
             that are created by rules executing within the Kibana alerting framework.
+        - name: asset
+          description: >
+            This value indicates events whose primary purpose is to store an inventory of
+            assets/entities and their attributes. Assets/entities are objects (such as
+            users and hosts) that are expected to be subjects of detailed analysis within
+            the system.
+
+            Examples include lists of user identities or accounts ingested from directory
+            services such as Active Directory (AD), inventory of hosts pulled from
+            configuration management databases (CMDB), and lists of cloud storage buckets
+            pulled from cloud provider APIs.
+
+            This value is used by Elastic Security for asset management solutions.
+            `event.kind: asset` is not used for normal system events or logs that are coming
+            from an asset/entity, nor is it used for system events or logs coming from a
+            directory or CMDB system.
+          beta: >
+            This event categorization value is beta and subject to change.
         - name: enrichment
           description: >
             The `enrichment` value indicates an event collected to provide additional