Invalid ECS field usages at root-level

[andrewkroh]

Across packages owned by elastic/security-external-integrations the following fields are being used at the document root, but according to ECS they are only allowed be nested under other ECS namespaces like host or source. These usages need to be changed to align with ECS. And fixing these issues will be required to move to package-spec 3.0.0.

Field Name	Usage count
as.number	2
geo.city_name	6
geo.continent_name	4
interface.id	2
interface.name	3
os.family	3
os.name	7
os.type	2
vlan.id	2
x509.issuer.common_name	2

This was detected by looking at fields.yml mappings only. It's possible that the fields are not actually used in some cases. If I accidentally included a deprecated or rsa2elk package then please ignore that field.

Source Locations

Package	Data Stream	Field	Github Source
1password	item_usages	os.name	View Source
1password	signin_attempts	os.name	View Source
azure_frontdoor	access	geo.city_name	View Source
azure_frontdoor	access	geo.continent_name	View Source
azure_frontdoor	waf	geo.city_name	View Source
azure_frontdoor	waf	geo.continent_name	View Source
bluecoat	director	geo.city_name	View Source
carbonblack_edr	log	os.type	View Source
cisco_aironet	log	interface.id	View Source
cisco_meraki	events	geo.city_name	View Source
cisco_meraki	log	geo.city_name	View Source
cloudflare_logpush	network_session	vlan.id	View Source
crowdstrike	fdr	os.type	View Source
f5	bigipafm	geo.city_name	View Source
f5	bigipapm	geo.city_name	View Source
fireeye	nx	interface.name	View Source
infoblox_nios	log	interface.name	View Source
juniper_junos	log	geo.city_name	View Source
juniper_netscreen	log	geo.city_name	View Source
juniper_srx	log	as.number	View Source
juniper_srx	log	geo.city_name	View Source
juniper_srx	log	geo.continent_name	View Source
juniper_srx	log	interface.id	View Source
juniper_srx	log	interface.name	View Source
juniper_srx	log	os.family	View Source
juniper_srx	log	os.name	View Source
juniper_srx	log	vlan.id	View Source
juniper_srx	log	x509.issuer.common_name	View Source
lyve_cloud	audit	os.name	View Source
netflow	log	as.number	View Source
netflow	log	geo.city_name	View Source
netflow	log	geo.continent_name	View Source
netflow	log	os.family	View Source
netflow	log	os.name	View Source
panw	panos	x509.issuer.common_name	View Source
sentinel_one	activity	os.family	View Source
sentinel_one	alert	os.name	View Source
trend_micro_vision_one	detection	os.name	View Source

(List generated with an agg on top of query @attributes.deprecated:false and @attributes.rsa2elk:false and @owner:elastic/security-external-integrations and @type:field and name:(vlan.id or geo.continent_name or os.type or interface.id or os.name or interface.name or as.number or os.name or os.name or as.number or os.family or os.type or interface.name or x509.issuer.common_name or geo.city_name) to https://github.com/andrewkroh/go-examples/tree/main/fleetpkg-indexer)