object_type: keyword (#443)

Author: pzl

custom_schemas/custom_api.yml

@@ -4,6 +4,7 @@
  group: 2
  short: Fields describing an API call.
  type: object
+ object_type: keyword
  description: >
  These fields describe an API call (function, or system call).
 
@@ -61,6 +62,7 @@
  - name: metadata
  level: custom
  type: object
+ object_type: keyword
  description: >
  Information related to the API call.
 
@@ -81,6 +83,7 @@
  - name: parameters
  level: custom
  type: object
+ object_type: keyword
  description: >
  Parameter values passed to the API call.
 

custom_schemas/custom_base.yml

@@ -11,6 +11,7 @@
  fields:
  - name: Events
  type: object
+ object_type: keyword
  level: custom
  short: events array
  description: >

custom_schemas/custom_call_stack.yml

@@ -4,6 +4,7 @@
  group: 3
  short: Fields describing a stack frame.
  type: object
+ object_type: keyword
  description: >
  Fields describing a stack frame. call_stack is expected to be an array where each array element represents a stack frame.
  reusable:

custom_schemas/custom_dll.yml

@@ -20,6 +20,7 @@
  - name: Ext
  level: custom
  type: object
+ object_type: keyword
  description: Object for all custom defined fields to live in.
 
  - name: Ext.mapped_address

custom_schemas/custom_dns.yml

@@ -15,6 +15,7 @@
  - name: Ext
  level: custom
  type: object
+ object_type: keyword
  description: Object for all custom defined fields to live in.
 
  - name: Ext.status

custom_schemas/custom_elastic.yml

@@ -11,6 +11,7 @@
  - name: agent
  level: custom
  type: object
+ object_type: keyword
  description: >
  The agent fields contain data about the Elastic Agent. The Elastic Agent is the management agent
  that manages other agents or process on the host.

custom_schemas/custom_endpoint.yml

@@ -15,11 +15,13 @@
  - name: policy
  level: custom
  type: object
+ object_type: keyword
  description: The policy fields are used to hold information about applied policy.
 
  - name: policy.applied
  level: custom
  type: object
+ object_type: keyword
  description: information about the policy that is applied
 
  - name: policy.applied.actions
@@ -71,18 +73,21 @@
  - name: policy.applied.response
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: the response of actions that failed in the applied policy
 
  - name: policy.applied.response.configurations
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: the configurations of the applied policy
 
  - name: policy.applied.response.configurations.events
  level: custom
  type: object
+ object_type: keyword
  description: overall event collection configuration and status of the applied policy
 
  - name: policy.applied.response.configurations.events.concerned_actions
@@ -101,6 +106,7 @@
  - name: policy.applied.response.configurations.logging
  level: custom
  type: object
+ object_type: keyword
  description: overall logging configuration and status of the applied policy
 
  - name: policy.applied.response.configurations.logging.concerned_actions
@@ -119,6 +125,7 @@
  - name: policy.applied.response.configurations.antivirus_registration
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: overall antivirus registration configuration and status of the applied policy
 
@@ -138,6 +145,7 @@
  - name: policy.applied.response.configurations.malware
  level: custom
  type: object
+ object_type: keyword
  description: overall malware configuration and status of the applied policy
 
  - name: policy.applied.response.configurations.malware.concerned_actions
@@ -156,6 +164,7 @@
  - name: policy.applied.response.configurations.memory_protection
  level: custom
  type: object
+ object_type: keyword
  description: overall memory_protection configuration and status of the applied policy
 
  - name: policy.applied.response.configurations.memory_protection.concerned_actions
@@ -174,6 +183,7 @@
  - name: policy.applied.response.configurations.streaming
  level: custom
  type: object
+ object_type: keyword
  description: overall data streaming configuration and status of the applied policy
 
  - name: policy.applied.response.configurations.streaming.concerned_actions
@@ -244,6 +254,7 @@
  - name: policy.applied.response.diagnostic
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: the diagnostic configurations of the applied policy
 
@@ -328,12 +339,14 @@
  - name: policy.applied.artifacts
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: information about protection artifacts applied.
 
  - name: policy.applied.artifacts.global
  level: custom
  type: object
+ object_type: keyword
  description: information about global protection artifacts applied.
 
  - name: policy.applied.artifacts.global.version
@@ -359,6 +372,7 @@
  - name: policy.applied.artifacts.user
  level: custom
  type: object
+ object_type: keyword
  description: information about user protection artifacts applied.
 
  - name: policy.applied.artifacts.user.version
@@ -384,11 +398,13 @@
  - name: metrics
  level: custom
  type: object
+ object_type: keyword
  description: Metrics fields hold the endpoint and system's performance metrics
 
  - name: metrics.documents_volume
  level: custom
  type: object
+ object_type: keyword
  description: Statistics about sent documents
 
  - name: metrics.documents_volume.overall
@@ -619,6 +635,7 @@
  - name: metrics.documents_volume.api_events.sources
  level: custom
  type: object
+ object_type: keyword
  description: An array of API Event document statistics per source
 
  - name: metrics.documents_volume.api_events.sources.source
@@ -649,6 +666,7 @@
  - name: metrics.uptime
  level: custom
  type: object
+ object_type: keyword
  description: Number of seconds since boot
 
  - name: metrics.uptime.endpoint
@@ -664,11 +682,13 @@
  - name: metrics.cpu
  level: custom
  type: object
+ object_type: keyword
  description: CPU statistics
 
  - name: metrics.cpu.endpoint
  level: custom
  type: object
+ object_type: keyword
  description: CPU metrics for the endpoint
 
  - name: metrics.cpu.endpoint.mean
@@ -693,16 +713,19 @@
  - name: metrics.memory
  level: custom
  type: object
+ object_type: keyword
  description: Memory statistics
 
  - name: metrics.memory.endpoint
  level: custom
  type: object
+ object_type: keyword
  description: Endpoint memory utilization
 
  - name: metrics.memory.endpoint.private
  level: custom
  type: object
+ object_type: keyword
  description: The memory private to the endpoint
 
  - name: metrics.memory.endpoint.private.mean
@@ -718,6 +741,7 @@
  - name: metrics.disks
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: An array of disk information for the host
 
@@ -766,6 +790,7 @@
  - name: metrics.malicious_behavior_rules
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  description: An array of performance information about each malicious behavior rule
 
@@ -784,6 +809,7 @@
  - name: metrics.system_impact
  level: custom
  type: object
+ object_type: keyword
  enabled: false
  index: false
  description: An array of system impact information
@@ -1011,6 +1037,7 @@
  # using an object here even though it is actually an array because you can only have a limited number
  # of nested fields
  type: object
+ object_type: keyword
  enabled: false
  description: Statistics about the individual Endpoint threads (array)
 
@@ -1029,6 +1056,7 @@
  - name: configuration
  level: custom
  type: object
+ object_type: keyword
  description:
  Configuration fields represent the intended and applied setting for fields not part of a Policy setting
  This reflects what a given field is configured to do. The actual state of that same field is found in Endpoint.state
@@ -1041,6 +1069,7 @@
  - name: state
  level: custom
  type: object
+ object_type: keyword
  description:
  Represents the current state of a non-policy setting
  These fields reflect the current status of a field, which may differ from what it is configured to be (see Endpoint.configuration)

custom_schemas/custom_endpoint_actions.yml

@@ -33,6 +33,7 @@
  type: object
  level: custom
  short: data
+ object_type: keyword
  description: >
  The action request information
 

custom_schemas/custom_event.yml

@@ -21,11 +21,13 @@
  - name: Ext
  level: custom
  type: object
+ object_type: keyword
  description: Object for all custom defined fields to live in.
 
  - name: Ext.correlation
  level: custom
  type: object
+ object_type: keyword
  description: Information about event this should be correlated with.
 
  - name: Ext.correlation.id

custom_schemas/custom_file.yml

@@ -30,6 +30,7 @@
  - name: Ext
  level: custom
  type: object
+ object_type: keyword
  description: Object for all custom defined fields to live in.
 
  - name: Ext.entry_modified
@@ -65,6 +66,7 @@
  - name: Ext.windows
  level: custom
  type: object
+ object_type: keyword
  description: Platform-specific Windows fields
 
  - name: Ext.windows.zone_identifier
@@ -76,6 +78,7 @@
  - name: Ext.original
  level: custom
  type: object
+ object_type: keyword
  description: Original file information during a modification event.
 
  - name: Ext.original.name
@@ -423,4 +426,5 @@
  - name: pe
  level: custom
  type: object
+ object_type: keyword
  description: PE fields