Beats: Add default_field: true to fieldsets #1633

Merged
merged 4 commits into from
Oct 21, 2021
Changes from 2 commits
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Expand Up @@ -45,6 +45,7 @@ Thanks, you're awesome :-) -->
#### Improvements

* Remove remaining Go deps after removing Go code generator. #1585
* Add explicit `default_field: true` for Beats artifacts. #1633

#### Deprecated

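Review bot: the entry says the explicit `default_field: true` is added "for Beats artifacts", but the only artifact in this view is experimental/generated/beats/fields.ecs.yml. Confirm that the generator that produces this file, and the non-experimental generated Beats file, carry the same change (possibly in the two commits not shown in this view); a hand edit to a generated artifact disappears on the next regeneration.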
Expand Down
45 changes: 45 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -119,6 +119,7 @@
ignore_above: 1024
description: Version of the agent.
example: 6.0.0-rc2
default_field: true
- name: as
title: Autonomous System
group: 2
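Review bot: the new fieldset-level `default_field: true` is emitted after the last entry of the fieldset's `fields` list (here after `version`'s `example: 6.0.0-rc2`) rather than next to the other fieldset-level keys such as `title` and `group`. That is valid YAML when it is indented at the fieldset level, but it reads as though it belonged to the last field. If the generator allows it, emit the key before `fields:` alongside `title`/`group` so its scope is unambiguous to anyone reading the artifact.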
Expand All @@ -144,6 +145,7 @@
default_field: false
description: Organization name.
example: Google LLC
default_field: true
- name: client
title: Client
group: 2
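Review bot: in this last field of `as`, `default_field: false` sits between `type` and `description: Organization name.`, while in most other fields in this diff it is the final key, immediately before the new fieldset-level line. The inconsistency is pre-existing rather than introduced here, but it makes the `false`/`true` adjacency harder to read; if the generator writes keys in insertion order, normalising the order there would help.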
Expand Down Expand Up @@ -427,6 +429,7 @@
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
default_field: true
- name: cloud
title: Cloud
group: 2
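Review bot: `default_field: false` on the last field of `client` is followed directly by `default_field: true`, and the rendered diff drops indentation, so verify that the added line is indented at the fieldset level rather than the field level. At field level it would be a duplicate key inside one mapping: permissive YAML loaders silently keep the last value (flipping that field to `true`), strict loaders reject the document. A round-trip load of the generated file in CI would catch either outcome; the same check applies to every hunk below where the two lines are adjacent.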
Expand Down Expand Up @@ -523,6 +526,7 @@
Examples: app engine, app service, cloud run, fargate, lambda.'
example: lambda
default_field: false
default_field: true
- name: code_signature
title: Code Signature
group: 2
Expand Down Expand Up @@ -607,6 +611,7 @@
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
default_field: true
- name: container
title: Container
group: 2
Expand Down Expand Up @@ -685,6 +690,7 @@
ignore_above: 1024
description: Runtime managing this container.
example: docker
default_field: true
- name: data_stream
title: Data Stream
group: 2
Expand Down Expand Up @@ -737,6 +743,7 @@
and "synthetics" in the near future.'
example: logs
default_field: false
default_field: true
- name: destination
title: Destination
group: 2
Expand Down Expand Up @@ -1013,6 +1020,7 @@
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
default_field: true
- name: dll
title: DLL
group: 2
Expand Down Expand Up @@ -1417,6 +1425,7 @@
description: Virtual address available to the file.
example: 8192
default_field: false
default_field: true
- name: dns
title: DNS
group: 2
Expand Down Expand Up @@ -1586,6 +1595,7 @@
one event per query (optionally as soon as the query is seen). And a second
event containing all query details as well as an array of answers.'
example: answer
default_field: true
- name: ecs
title: ECS
group: 2
Expand All @@ -1604,6 +1614,7 @@
ECS versions -- this field lets integrations adjust to the schema version
of the events.'
example: 1.0.0
default_field: true
- name: elf
title: ELF Header
group: 2
Expand Down Expand Up @@ -1789,6 +1800,7 @@
ignore_above: 1024
description: telfhash symbol hash for ELF file.
default_field: false
default_field: true
- name: email
title: Email
group: 2
Expand Down Expand Up @@ -1959,6 +1971,7 @@
original email message.
example: Spambot v2.5
default_field: false
default_field: true
- name: error
title: Error
group: 2
Expand Down Expand Up @@ -1996,6 +2009,7 @@
ignore_above: 1024
description: The type of the error, for example the class name of the exception.
example: java.lang.NullPointerException
default_field: true
- name: event
title: Event
group: 2
Expand Down Expand Up @@ -2323,6 +2337,7 @@
are a common use case for this field.'
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
default_field: false
default_field: true
- name: file
title: File
group: 2
Expand Down Expand Up @@ -3222,6 +3237,7 @@
description: Version of x509 format.
example: 3
default_field: false
default_field: true
- name: geo
title: Geo
group: 2
Expand Down Expand Up @@ -3309,6 +3325,7 @@
description: The time zone of the location, such as IANA time zone name.
example: America/Argentina/Buenos_Aires
default_field: false
default_field: true
- name: group
title: Group
group: 2
Expand All @@ -3333,6 +3350,7 @@
type: keyword
ignore_above: 1024
description: Name of the group.
default_field: true
- name: hash
title: Hash
group: 2
Expand Down Expand Up @@ -3374,6 +3392,7 @@
ignore_above: 1024
description: SSDEEP hash.
default_field: false
default_field: true
- name: host
title: Host
group: 2
Expand Down Expand Up @@ -3639,6 +3658,7 @@
type: long
description: Seconds the host has been up.
example: 1325
default_field: true
- name: http
title: HTTP
group: 2
Expand Down Expand Up @@ -3750,6 +3770,7 @@
ignore_above: 1024
description: HTTP version.
example: 1.1
default_field: true
- name: interface
title: Interface
group: 2
Expand Down Expand Up @@ -3783,6 +3804,7 @@
description: Interface name as reported by the system.
example: eth0
default_field: false
default_field: true
- name: log
title: Log
group: 2
Expand Down Expand Up @@ -3897,6 +3919,7 @@
If the event source does not specify a distinct severity, you can optionally
copy the Syslog severity to `log.level`.'
example: Error
default_field: true
- name: network
title: Network
group: 2
Expand Down Expand Up @@ -4049,6 +4072,7 @@
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
default_field: true
- name: observer
title: Observer
group: 2
Expand Down Expand Up @@ -4372,6 +4396,7 @@
type: keyword
ignore_above: 1024
description: Observer version.
default_field: true
- name: orchestrator
title: Orchestrator
group: 2
Expand Down Expand Up @@ -4440,6 +4465,7 @@
description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
example: kubernetes
default_field: false
default_field: true
- name: organization
title: Organization
group: 2
Expand All @@ -4464,6 +4490,7 @@
type: match_only_text
default_field: false
description: Organization name.
default_field: true
- name: os
title: Operating System
group: 2
Expand Down Expand Up @@ -4529,6 +4556,7 @@
ignore_above: 1024
description: Operating system version as a raw string.
example: 10.14.1
default_field: true
- name: package
title: Package
group: 2
Expand Down Expand Up @@ -4627,6 +4655,7 @@
ignore_above: 1024
description: Package version
example: 1.12.9
default_field: true
- name: pe
title: PE Header
group: 2
Expand Down Expand Up @@ -4896,6 +4925,7 @@
description: Virtual address available to the file.
example: 8192
default_field: false
default_field: true
- name: process
title: Process
group: 2
Expand Down Expand Up @@ -7675,6 +7705,7 @@
default_field: false
description: The working directory of the process.
example: /home/alice
default_field: true
- name: registry
title: Registry
group: 2
Expand Down Expand Up @@ -7740,6 +7771,7 @@
description: Name of the value written.
example: Debugger
default_field: false
default_field: true
- name: related
title: Related
group: 2
Expand Down Expand Up @@ -7781,6 +7813,7 @@
ignore_above: 1024
description: All the user names or other user identifiers seen on the event.
default_field: false
default_field: true
- name: rule
title: Rule
group: 2
Expand Down Expand Up @@ -7875,6 +7908,7 @@
description: The version / revision of the rule being used for analysis.
example: 1.1
default_field: false
default_field: true
- name: server
title: Server
group: 2
Expand Down Expand Up @@ -8158,6 +8192,7 @@
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
default_field: true
- name: service
title: Service
group: 2
Expand Down Expand Up @@ -8266,6 +8301,7 @@

This allows to look at a data set only for a specific version of a service.'
example: 3.2.4
default_field: true
- name: source
title: Source
group: 2
Expand Down Expand Up @@ -8543,6 +8579,7 @@
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
default_field: true
- name: threat
title: Threat
group: 2
Expand Down Expand Up @@ -11767,6 +11804,7 @@
\ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: https://attack.mitre.org/techniques/T1059/001/
default_field: false
default_field: true
- name: tls
title: TLS
group: 2
Expand Down Expand Up @@ -12350,6 +12388,7 @@
description: Normalized lowercase protocol name parsed from original string.
example: tls
default_field: false
default_field: true
- name: span.id
level: extended
type: keyword
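Review bot: the `- name: span.id` entry that follows this hunk carries `level: extended` and `type: keyword` rather than `title`/`group`, so it is a top-level field emitted outside any fieldset and does not receive the fieldset-level `default_field: true` this change adds. Confirm whether such root-level fields should get an explicit `default_field: true` of their own or are intended to rely on the loader's default.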
Expand Down Expand Up @@ -12522,6 +12561,7 @@
type: keyword
ignore_above: 1024
description: Username of the request.
default_field: true
- name: user
title: User
group: 2
Expand Down Expand Up @@ -12837,6 +12877,7 @@
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
default_field: false
default_field: true
- name: user_agent
title: User agent
group: 2
Expand Down Expand Up @@ -12932,6 +12973,7 @@
ignore_above: 1024
description: Version of the user agent.
example: 12.0
default_field: true
- name: vlan
title: VLAN
group: 2
Expand Down Expand Up @@ -12967,6 +13009,7 @@
description: Optional VLAN name as reported by the observer.
example: outside
default_field: false
default_field: true
- name: vulnerability
title: Vulnerability
group: 2
Expand Down Expand Up @@ -13095,6 +13138,7 @@
prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
example: Critical
default_field: false
default_field: true
- name: x509
title: x509 Certificate
group: 2
Expand Down Expand Up @@ -13284,3 +13328,4 @@
description: Version of x509 format.
example: 3
default_field: false
default_field: true