From d76d6d8b084a0797294f1374be15c4ad369ef69b Mon Sep 17 00:00:00 2001 From: johnmschoonover Date: Thu, 5 Jun 2025 13:34:07 -0500 Subject: [PATCH 1/4] Clarify url.query usage to specify full query string format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This update removes ambiguity around the url.query field by explicitly stating that it should contain the full query string, including compound parameters. An example with multiple query parameters is added to reinforce this guidance. This helps prevent misinterpretation—such as splitting the query into an array of keywords—and promotes consistent, ECS-compliant implementations across ingestion pipelines and tools. --- schemas/url.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/schemas/url.yml b/schemas/url.yml index 29941fed8a..93a4f2351c 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -166,6 +166,8 @@ type: keyword short: Query string of the request. description: > + The field contains the entire query string excluding the leading `?`. + The query field describes the query string of the request, such as "q=elasticsearch". @@ -174,6 +176,7 @@ the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. ignore_above: 2083 + example: q=elasticsearch&sort=desc otel: - relation: match From 9a682bcb2ca6a508a44b173cd7d533272b1e86c1 Mon Sep 17 00:00:00 2001 From: johnmschoonover Date: Thu, 5 Jun 2025 14:27:50 -0500 Subject: [PATCH 2/4] Update CHANGELOG.next.md --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index c922e49648..16f7020ea2 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
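Review bot: The added description line in the first schemas/url.yml hunk ("The field contains the entire query string excluding the leading ?") still leaves open the two points the commit message says it wants to settle: that the value is a single string rather than a list of parameters, and whether it is stored as received (percent-encoding intact) or decoded. Producers that disagree on decoding emit different keyword values for the same request, so a detection or correlation written against one form silently misses the other, which is exactly the kind of ambiguity this change is meant to remove. I would make the convention explicit, for example `The field contains the entire query string as a single value, excluding the leading "?". It is not split into individual parameters, and percent-encoding is kept as received.`, with the encoding half confirmed against existing ECS producers before it is adopted, since the schema does not state it today. The following sentence ("The query field describes the query string of the request, such as ...") now largely repeats the new one and could be folded into it; note the url.query field definition itself begins above this hunk, so the `name:` and `level:` lines are not visible here.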
@@ -39,6 +39,7 @@ Thanks, you're awesome :-) --> * Allow Unicode characters in generated ECS yml files. #2478 * Update semconv version used in file generation to v1.34.0 #2483 +* Added details for implementation of url.query to avoid ambiguity #2488 #### Deprecated From bc7dde55edca6cca903e06439cb4e9a79f3f2b35 Mon Sep 17 00:00:00 2001 From: johnmschoonover Date: Thu, 5 Jun 2025 14:29:08 -0500 Subject: [PATCH 3/4] generated files from changes --- docs/reference/ecs-url.md | 2 +- experimental/generated/beats/fields.ecs.yml | 21 +++++++++++++++------ experimental/generated/csv/fields.csv | 6 +++--- experimental/generated/ecs/ecs_flat.yml | 18 ++++++++++++------ experimental/generated/ecs/ecs_nested.yml | 21 +++++++++++++++------ generated/beats/fields.ecs.yml | 21 +++++++++++++++------ generated/csv/fields.csv | 6 +++--- generated/ecs/ecs_flat.yml | 18 ++++++++++++------ generated/ecs/ecs_nested.yml | 21 +++++++++++++++------ 9 files changed, 91 insertions(+), 43 deletions(-) diff --git a/docs/reference/ecs-url.md b/docs/reference/ecs-url.md index 0ec666f4f6..853e054c3b 100644 --- a/docs/reference/ecs-url.md +++ b/docs/reference/ecs-url.md @@ -23,7 +23,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki | $$$field-url-password$$$ [url.password](#field-url-password) | Password of the request.

type: keyword | extended | | $$$field-url-path$$$ [url.path](#field-url-path) | Path of the request, such as "/search".

type: wildcard

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-path) | extended | | $$$field-url-port$$$ [url.port](#field-url-port) | Port of the request, such as 443.

type: long

example: `443`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.port](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-port) | extended | -| $$$field-url-query$$$ [url.query](#field-url-query) | The query field describes the query string of the request, such as "q=elasticsearch".

The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.query](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-query) | extended | +| $$$field-url-query$$$ [url.query](#field-url-query) | The field contains the entire query string excluding the leading `?`.

The query field describes the query string of the request, such as "q=elasticsearch".

The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.

type: keyword

example: `q=elasticsearch&sort=desc`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.query](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-query) | extended | | $$$field-url-registered-domain$$$ [url.registered_domain](#field-url-registered-domain) | The highest registered url domain, stripped of the subdomain.

For example, the registered domain for "foo.example.com" is "example.com".

This value can be determined precisely with a list like the public suffix list (https://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

example: `example.com`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.registered_domain](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-registered-domain) | extended | | $$$field-url-scheme$$$ [url.scheme](#field-url-scheme) | Scheme of the request, such as "https".

Note: The `:` is not part of the scheme.

type: keyword

example: `https`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.scheme](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-scheme) | extended | | $$$field-url-subdomain$$$ [url.subdomain](#field-url-subdomain) | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.

For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

example: `east`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [url.subdomain](https://opentelemetry.io/docs/specs/semconv/attributes-registry/url/#url-subdomain) | extended | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 9c12e2132c..388b513c1d 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -10621,13 +10621,16 @@ level: extended type: keyword ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc default_field: false - name: enrichments.indicator.url.registered_domain level: extended 
@@ -12281,13 +12284,16 @@ level: extended type: keyword ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc default_field: false - name: indicator.url.registered_domain level: extended @@ -13350,13 +13356,16 @@ level: extended type: keyword ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc - name: registered_domain level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index d9693a0827..0372d48393 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1361,7 +1361,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request. 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. 
@@ -1584,7 +1584,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.1.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. 9.1.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 9.1.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.1.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request. 9.1.0-dev+exp,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 9.1.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. 9.1.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. @@ -1720,7 +1720,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.1.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. 9.1.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 9.1.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -9.1.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +9.1.0-dev+exp,true,url,url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request. 9.1.0-dev+exp,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 9.1.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. 9.1.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index edf0609918..2c22e58a8a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -17747,13 +17747,15 @@ threat.enrichments.indicator.url.port: type: long threat.enrichments.indicator.url.query: dashed_name: threat-enrichments-indicator-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.enrichments.indicator.url.query ignore_above: 2083 level: extended @@ -20546,13 +20548,15 @@ threat.indicator.url.port: type: long threat.indicator.url.query: dashed_name: threat-indicator-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.indicator.url.query ignore_above: 2083 level: extended 
@@ -22389,13 +22393,15 @@ url.port: type: long url.query: dashed_name: url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: url.query ignore_above: 2083 level: extended diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 6f8a6d1307..4c4e1387bf 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -20515,13 +20515,16 @@ threat: type: long threat.enrichments.indicator.url.query: dashed_name: threat-enrichments-indicator-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.enrichments.indicator.url.query ignore_above: 2083 level: extended 
@@ -23322,13 +23325,16 @@ threat: type: long threat.indicator.url.query: dashed_name: threat-indicator-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.indicator.url.query ignore_above: 2083 level: extended @@ -25293,13 +25299,16 @@ url: type: long url.query: dashed_name: url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: url.query ignore_above: 2083 level: extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 95a9ab77ea..3338bd4fcb 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -10571,13 +10571,16 @@ level: extended type: keyword ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc default_field: false - name: enrichments.indicator.url.registered_domain level: extended @@ -12231,13 +12234,16 @@ level: extended type: keyword ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc default_field: false - name: indicator.url.registered_domain level: extended 
@@ -13300,13 +13306,16 @@ level: extended type: keyword ignore_above: 2083 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc - name: registered_domain level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 89b6e21ed0..3d0b05d4e0 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1354,7 +1354,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.1.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 9.1.0-dev,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 9.1.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.1.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request. 9.1.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 9.1.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. 9.1.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. 
@@ -1577,7 +1577,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.1.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. 9.1.0-dev,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 9.1.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." -9.1.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +9.1.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request. 9.1.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 9.1.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. 9.1.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. @@ -1713,7 +1713,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.1.0-dev,true,url,url.password,keyword,extended,,,Password of the request. 9.1.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 9.1.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -9.1.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. +9.1.0-dev,true,url,url.query,keyword,extended,,q=elasticsearch&sort=desc,Query string of the request. 9.1.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 9.1.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. 9.1.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d697dd36fa..318b3785d3 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -17678,13 +17678,15 @@ threat.enrichments.indicator.url.port: type: long threat.enrichments.indicator.url.query: dashed_name: threat-enrichments-indicator-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.enrichments.indicator.url.query ignore_above: 2083 level: extended @@ -20477,13 +20479,15 @@ threat.indicator.url.port: type: long threat.indicator.url.query: dashed_name: threat-indicator-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.indicator.url.query ignore_above: 2083 level: extended 
@@ -22320,13 +22324,15 @@ url.port: type: long url.query: dashed_name: url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: url.query ignore_above: 2083 level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 50c61c1803..4d2a33ec5e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -20435,13 +20435,16 @@ threat: type: long threat.enrichments.indicator.url.query: dashed_name: threat-enrichments-indicator-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.enrichments.indicator.url.query ignore_above: 2083 level: extended 
@@ -23242,13 +23245,16 @@ threat: type: long threat.indicator.url.query: dashed_name: threat-indicator-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: threat.indicator.url.query ignore_above: 2083 level: extended @@ -25213,13 +25219,16 @@ url: type: long url.query: dashed_name: url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + description: 'The field contains the entire query string excluding the leading + `?`. + + The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' + example: q=elasticsearch&sort=desc flat_name: url.query ignore_above: 2083 level: extended From 08c7c64bc7b89dcfd45d8fa8c06af17a15412067 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Mon, 23 Jun 2025 09:54:46 -0700 Subject: [PATCH 4/4] Trim trailing whitespace --- schemas/url.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/url.yml b/schemas/url.yml index 93a4f2351c..458940fd5c 100644 --- a/schemas/url.yml +++ b/schemas/url.yml 
@@ -167,7 +167,7 @@ short: Query string of the request. description: > The field contains the entire query string excluding the leading `?`. - + The query field describes the query string of the request, such as "q=elasticsearch".