elastic
diff --git a/‎auditbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions b/‎auditbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎auditbeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion b/‎auditbeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎filebeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions b/‎filebeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎filebeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion b/‎filebeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎heartbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions b/‎heartbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎heartbeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion b/‎heartbeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎journalbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions b/‎journalbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎journalbeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion b/‎journalbeat/include/fields.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎libbeat/_meta/fields.ecs.yml‎
Lines changed: 14 additions & 15 deletions b/‎libbeat/_meta/fields.ecs.yml‎
Lines changed: 14 additions & 15 deletions
diff --git a/‎metricbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions b/‎metricbeat/docs/fields.asciidoc‎
Lines changed: 7 additions & 6 deletions
@@ -7672,8 +7672,9 @@ The network.* fields should be populated with details about the network activity
 *`network.application`*::
 +
 --
-A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -7809,8 +7810,8 @@ example: 24
 *`network.protocol`*::
 +
 --
-L7 Network protocol name. ex. http, lumberjack, transport protocol.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -7822,7 +7823,7 @@ example: http
 +
 --
 Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -7834,7 +7835,7 @@ example: tcp
 +
 --
 In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
 
@@ -39386,8 +39386,9 @@ The network.* fields should be populated with details about the network activity
 *`network.application`*::
 +
 --
-A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -39523,8 +39524,8 @@ example: 24
 *`network.protocol`*::
 +
 --
-L7 Network protocol name. ex. http, lumberjack, transport protocol.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -39536,7 +39537,7 @@ example: http
 +
 --
 Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -39548,7 +39549,7 @@ example: tcp
 +
 --
 In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
 
@@ -5204,8 +5204,9 @@ The network.* fields should be populated with details about the network activity
 *`network.application`*::
 +
 --
-A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5341,8 +5342,8 @@ example: 24
 *`network.protocol`*::
 +
 --
-L7 Network protocol name. ex. http, lumberjack, transport protocol.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5354,7 +5355,7 @@ example: http
 +
 --
 Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5366,7 +5367,7 @@ example: tcp
 +
 --
 In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
 
@@ -5756,8 +5756,9 @@ The network.* fields should be populated with details about the network activity
 *`network.application`*::
 +
 --
-A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5893,8 +5894,8 @@ example: 24
 *`network.protocol`*::
 +
 --
-L7 Network protocol name. ex. http, lumberjack, transport protocol.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5906,7 +5907,7 @@ example: http
 +
 --
 Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -5918,7 +5919,7 @@ example: tcp
 +
 --
 In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
 
@@ -3538,14 +3538,15 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'A name given to an application level protocol. This can be arbitrarily
-        assigned for things like microservices, but also apply to things like skype,
-        icq, facebook, twitter. This would be used in situations where the vendor
-        or service can be decoded such as from the source/dest IP owners, ports, or
-        wire format.
-
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+      description: 'When a specific application or service is identified from network
+        connection details (source/dest IPs, ports, certificates, or wire format),
+        this field captures the application''s or service''s name.
+
+        For example, the original event identifies the network connection being from
+        a specific web service in a `https` network connection, like `facebook` or
+        `twitter`.
+
+        The field value must be normalized to lowercase for querying.'
       example: aim
     - name: bytes
       level: core
@@ -3637,10 +3638,10 @@
       level: core
       type: keyword
       ignore_above: 1024
-      description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+      description: 'In the OSI Model this would be the Application Layer protocol.
+        For example, `http`, `dns`, or `ssh`.
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: http
     - name: transport
       level: core
@@ -3649,8 +3650,7 @@
       description: 'Same as network.iana_number, but instead using the Keyword name
         of the transport layer (udp, tcp, ipv6-icmp, etc.)
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: tcp
     - name: type
       level: core
@@ -3659,8 +3659,7 @@
       description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
         ipsec, pim, etc
 
-        The field value must be normalized to lowercase for querying. See the documentation
-        section "Implementing ECS".'
+        The field value must be normalized to lowercase for querying.'
       example: ipv4
     - name: vlan.id
       level: extended
 
@@ -17700,8 +17700,9 @@ The network.* fields should be populated with details about the network activity
 *`network.application`*::
 +
 --
-A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -17837,8 +17838,8 @@ example: 24
 *`network.protocol`*::
 +
 --
-L7 Network protocol name. ex. http, lumberjack, transport protocol.
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -17850,7 +17851,7 @@ example: http
 +
 --
 Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword
 
@@ -17862,7 +17863,7 @@ example: tcp
 +
 --
 In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
+The field value must be normalized to lowercase for querying.
 
 type: keyword