elastic · webmat · Nov 18, 2020 · Nov 11, 2020 · Nov 11, 2020 · Nov 11, 2020
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added `os.commercial_family`. #1111
 
 #### Improvements
 

diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -3853,6 +3853,23 @@ The OS fields contain information about the operating system.
 
 // ===============================================================
 
+| os.commercial_family
+| Categorize the operating system in one of the broad commercial families.
+
+One of these following values should be used (lowercase): linux, macos, unix, windows.
+
+If the OS is not part of any of these families, the field should not be populated. Please let us know by opening an issue with ECS, to have it added to the list.
+
+type: keyword
+
+
+
+example: `macos`
+
+| extended
+
+// ===============================================================
+
 | os.family
 | OS family (such as redhat, debian, freebsd, windows).
 

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -2131,6 +2131,20 @@
         It can contain what `hostname` returns on Unix systems, the fully qualified
         domain name, or a name specified by the user. The sender decides which value
         to use.'
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
@@ -2879,6 +2893,20 @@
 
         If no custom name is needed, the field can be left empty.'
       example: 1_proxySG
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword
@@ -2984,6 +3012,20 @@
     description: The OS fields contain information about the operating system.
     type: group
     fields:
+    - name: commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      default_field: false
     - name: family
       level: extended
       type: keyword
@@ -5666,6 +5708,20 @@
       description: Unparsed user_agent string.
       example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
         (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
+    - name: os.commercial_family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      default_field: false
     - name: os.family
       level: extended
       type: keyword

diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
@@ -243,6 +243,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses.
 2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses.
 2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host.
+2.0.0-dev,true,host,host.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -334,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
 2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer
 2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
+2.0.0-dev,true,observer,observer.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
@@ -695,6 +697,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
 2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
+2.0.0-dev,true,user_agent,user_agent.os.commercial_family,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)."
 2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
 2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
 2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name."

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -3337,6 +3337,24 @@ host.name:
   normalize: []
   short: Name of the host.
   type: keyword
+host.os.commercial_family:
+  dashed_name: host-os-commercial-family
+  description: 'Categorize the operating system in one of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS is not part of any of these families, the field should not be populated.
+    Please let us know by opening an issue with ECS, to have it added to the list.'
+  example: macos
+  flat_name: host.os.commercial_family
+  ignore_above: 1024
+  level: extended
+  name: commercial_family
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 host.os.family:
   dashed_name: host-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
@@ -4473,6 +4491,24 @@ observer.name:
   normalize: []
   short: Custom name of the observer.
   type: keyword
+observer.os.commercial_family:
+  dashed_name: observer-os-commercial-family
+  description: 'Categorize the operating system in one of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS is not part of any of these families, the field should not be populated.
+    Please let us know by opening an issue with ECS, to have it added to the list.'
+  example: macos
+  flat_name: observer.os.commercial_family
+  ignore_above: 1024
+  level: extended
+  name: commercial_family
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 observer.os.family:
   dashed_name: observer-os-family
   description: OS family (such as redhat, debian, freebsd, windows).
@@ -8710,6 +8746,24 @@ user_agent.original:
   normalize: []
   short: Unparsed user_agent string.
   type: wildcard
+user_agent.os.commercial_family:
+  dashed_name: user-agent-os-commercial-family
+  description: 'Categorize the operating system in one of the broad commercial families.
+
+    One of these following values should be used (lowercase): linux, macos, unix,
+    windows.
+
+    If the OS is not part of any of these families, the field should not be populated.
+    Please let us know by opening an issue with ECS, to have it added to the list.'
+  example: macos
+  flat_name: user_agent.os.commercial_family
+  ignore_above: 1024
+  level: extended
+  name: commercial_family
+  normalize: []
+  original_fieldset: os
+  short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+  type: keyword
 user_agent.os.family:
   dashed_name: user-agent-os-family
   description: OS family (such as redhat, debian, freebsd, windows).

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -4000,6 +4000,25 @@ host:
       normalize: []
       short: Name of the host.
       type: keyword
+    host.os.commercial_family:
+      dashed_name: host-os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      flat_name: host.os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     host.os.family:
       dashed_name: host-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -5253,6 +5272,25 @@ observer:
       normalize: []
       short: Custom name of the observer.
       type: keyword
+    observer.os.commercial_family:
+      dashed_name: observer-os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      flat_name: observer.os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     observer.os.family:
       dashed_name: observer-os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -5461,6 +5499,24 @@ organization:
 os:
   description: The OS fields contain information about the operating system.
   fields:
+    os.commercial_family:
+      dashed_name: os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      flat_name: os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     os.family:
       dashed_name: os-family
       description: OS family (such as redhat, debian, freebsd, windows).
@@ -10024,6 +10080,25 @@ user_agent:
       normalize: []
       short: Unparsed user_agent string.
       type: wildcard
+    user_agent.os.commercial_family:
+      dashed_name: user-agent-os-commercial-family
+      description: 'Categorize the operating system in one of the broad commercial
+        families.
+
+        One of these following values should be used (lowercase): linux, macos, unix,
+        windows.
+
+        If the OS is not part of any of these families, the field should not be populated.
+        Please let us know by opening an issue with ECS, to have it added to the list.'
+      example: macos
+      flat_name: user_agent.os.commercial_family
+      ignore_above: 1024
+      level: extended
+      name: commercial_family
+      normalize: []
+      original_fieldset: os
+      short: 'Which commercial OS family (one of: linux, macos, unix or windows).'
+      type: keyword
     user_agent.os.family:
       dashed_name: user-agent-os-family
       description: OS family (such as redhat, debian, freebsd, windows).

diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
@@ -1103,6 +1103,10 @@
           },
           "os": {
             "properties": {
+              "commercial_family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "family": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -1558,6 +1562,10 @@
           },
           "os": {
             "properties": {
+              "commercial_family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "family": {
                 "ignore_above": 1024,
                 "type": "keyword"
@@ -3206,6 +3214,10 @@
           },
           "os": {
             "properties": {
+              "commercial_family": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
               "family": {
                 "ignore_above": 1024,
                 "type": "keyword"