From 5aabacba7ff7f5719531846547526271fce6a937 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 12 Jul 2023 15:16:55 -0700
Subject: [PATCH 01/32] Create asset.yml

---
 rfcs/text/0041/asset.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rfcs/text/0041/asset.yml

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
new file mode 100644
index 000000000..498ed4c38
--- /dev/null
+++ b/rfcs/text/0041/asset.yml
@@ -0,0 +1,26 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: asset
+  fields:
+    - name: asset.name
+      level: extended
+      type: keyword
+      short: 
+      example: 88a1f0ed-5ae5-41ee-af6b-41921c311872
+      description: >
+        Asset name of ....

From 5274c02bd01449ecef34c5ab7448bd0bcff5c68a Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 12 Jul 2023 15:18:10 -0700
Subject: [PATCH 02/32] Create host.yml

---
 rfcs/text/0041/host.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rfcs/text/0041/host.yml

diff --git a/rfcs/text/0041/host.yml b/rfcs/text/0041/host.yml
new file mode 100644
index 000000000..050aaeafb
--- /dev/null
+++ b/rfcs/text/0041/host.yml
@@ -0,0 +1,26 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+- name: host
+  fields:
+    - name: host 
+      level: extended
+      type: keyword
+      short: 
+      example: ..
+      description: >
+        Asset name of ....

From fca40be534a98246483b7589bb271ba3c4063cf0 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 12 Jul 2023 16:39:07 -0700
Subject: [PATCH 03/32] Update 0041-asset-integration.md

Initial touch
---
 rfcs/text/0041-asset-integration.md | 31 +++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 7fe8ee9b3..7227540fb 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -1,7 +1,7 @@
 # 0041: Asset Integration
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **0 (strawperson)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Stage: **1 (Draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
 - Date: **2023-07-07** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
@@ -13,6 +13,10 @@ Feel free to remove these comments as you go along.
 Stage 0: Provide a high level summary of the premise of these changes. Briefly describe the nature, purpose, and impact of the changes. ~2-5 sentences.
 -->
 
+<!--
+Stage 1: If the changes include field additions or modifications, please create a folder titled as the RFC number under rfcs/text/. This will be where proposed schema changes as standalone YAML files or extended example mappings and larger source documents will go as the RFC is iterated upon.
+-->
+
 This proposal extends the existing ECS field set to store inventory metadata for hosts and users from external application repositories. Using ECS to store such fields will improve metadata querying and retrieval across various use cases.
 
 Terminologies:
@@ -25,11 +29,6 @@ This proposal includes the following:
 
 This proposal will also facilitate storing host and user inventory within the security solution (the entity store).
 
-
-<!--
-Stage 1: If the changes include field additions or modifications, please create a folder titled as the RFC number under rfcs/text/. This will be where proposed schema changes as standalone YAML files or extended example mappings and larger source documents will go as the RFC is iterated upon.
--->
-
 <!--
 Stage X: Provide a brief explanation of why the proposal is being marked as abandoned. This is useful context for anyone revisiting this proposal or considering similar changes later on.
 -->
@@ -135,13 +134,17 @@ Stage 2: Add or update all remaining field definitions. The list should now be e
 Stage 1: Describe at a high-level how these field changes will be used in practice. Real world examples are encouraged. The goal here is to understand how people would leverage these fields to gain insights or solve problems. ~1-3 paragraphs.
 -->
 
-* As part of Entity Analytics, we are ingesting metadata about Users and from various external vendor applications. We are storing all ingested metadata in Elasticsearch. After we map these fields to ECS, we will enrich these ingested events for risk-scoring scenarios (e.g., context enrichments) and detecting advanced analytics (UBA) use cases.
+* As part of Entity Analytics, we are ingesting metadata about Users and from various external vendor applications. We are storing all ingested metadata in Elasticsearch. After we map these fields to ECS, we will enrich these ingested events for risk-scoring scenarios (e.g., context enrichments) and detecting advanced analytics (UEBA) use cases.
+
+### Example of Hosts and Users stored in ES
 
 * This schema will persist `Observed` (queried) entities from the ingested security log dataset in an Entity store. This entity store can be further extended to meet broader Asset Management needs.
 
 * Additional enrichment use cases for existing prebuilt detection rules will leverage these ECS fields.
 
 
+
+
 ## Source data
 
 <!--
@@ -165,14 +168,23 @@ There are many sources of asset inventory repositories. In the mid-term, we are
 * MS Intune
 * ServiceNow Asset CMDB
 
+
+
 <!--
 Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting, or if on the larger side, add them to the corresponding RFC folder.
 -->
 
+
 <!--
 Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
 -->
 
+### Real-world mapping of an Identity provider 
+
+#### Okta Users
+#### AzureAD Hosts
+
+
 ## Scope of impact
 
 <!--
@@ -195,7 +207,6 @@ The goal here is to research and understand the impact of these changes on users
 Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
 -->
 
-* We have a couple of fleet integrations under development. We want them to use these proposed ECS before being released.
 * Schema/ field sets defined here focus on asset inventory data sources. Additional fields may need to be appended (ideally within this RFC lifecycle) to support the entity store needs.
 * Due diligence is needed to avoid the proliferation of field sets and validate business requirements.
 * In stage1, @jasonrhodes identified fields from o11y use cases and a potential conflict: https://github.com/elastic/ecs/pull/2215#pullrequestreview-1498781860
@@ -216,9 +227,8 @@ The following are the people that consulted on the contents of this RFC.
 * @andrewkroh | subject matter expert
 * @jamiehynds | subject matter expert
 * @lauravoicu | subject matter expert
-* @MikePaquette | subject matter expert
+* @MikePaquette | sponsor
 * @sourinpaul | sponsor
-* ?
 
 <!--
 Who will be or has been consulted on the contents of this RFC? Identify authorship and sponsorship, and optionally identify the nature of involvement of others. Link to GitHub aliases where possible. This list will likely change or grow stage after stage.
@@ -242,6 +252,7 @@ e.g.:
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
 * Stage 0: https://github.com/elastic/ecs/pull/2215
+* Stage 1: https://github.com/elastic/ecs/pull/NNN
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN

From 6d65d5956b7732415c52b5002841c309b6af3383 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Thu, 13 Jul 2023 14:01:35 -0700
Subject: [PATCH 04/32] Update 0041-asset-integration.md

Including examples of source documents and mappings
---
 rfcs/text/0041-asset-integration.md | 130 ++++++++++++++++++++++++++--
 1 file changed, 122 insertions(+), 8 deletions(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 7227540fb..ab713eab9 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -27,7 +27,7 @@ This proposal includes the following:
 * Introduces a new field set called `assets`.
 <!-- * Additional fields in the `host` object --->
 
-This proposal will also facilitate storing host and user inventory within the security solution (the entity store).
+This proposal will also facilitate storing host and user inventory within the security solution (the entity store). Schema/ field sets defined here focus on asset inventory data sources. Additional fields may need to be appended (ideally within this RFC lifecycle) to support the entity store needs.
 
 <!--
 Stage X: Provide a brief explanation of why the proposal is being marked as abandoned. This is useful context for anyone revisiting this proposal or considering similar changes later on.
@@ -168,7 +168,55 @@ There are many sources of asset inventory repositories. In the mid-term, we are
 * MS Intune
 * ServiceNow Asset CMDB
 
-
+### Examples of source data:
+
+#### Subset of User fields from Okta:
+
+```json
+{
+  "@timestamp": "2023-07-04T09:57:19.786056-05:00",
+  "event": {
+    "action": "user-discovered"
+  },
+  "okta": {
+    "id": "userid",
+    "status": "RECOVERY",
+    "created": "2023-06-02T09:33:00.189752+09:30",
+    "activated": "0001-01-01T00:00:00Z",
+    "statusChanged": "2023-06-02T09:33:00.189752+09:30",
+    "lastLogin": "2023-06-02T09:33:00.189752+09:30",
+    "lastUpdated": "2023-06-02T09:33:00.189753+09:30",
+    "passwordChanged": "2023-06-02T09:33:00.189753+09:30",
+    "type": {
+      "id": "typeid"
+    },
+    "profile": {
+      "login": "name.surname@example.com",
+      "email": "name.surname@example.com",
+      "firstName": "name",
+      "lastName": "surname"
+    },
+    "credentials": {
+      "password": {},
+      "provider": {
+        "type": "OKTA",
+        "name": "OKTA"
+      }
+    },
+    "_links": {
+      "self": {
+        "href": "https://localhost/api/v1/users/userid"
+      }
+    }
+  },
+  "user": {
+    "id": "userid"
+  },
+  "labels": {
+    "identity_source": "okta-1"
+  }
+}
+```
 
 <!--
 Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting, or if on the larger side, add them to the corresponding RFC folder.
@@ -179,9 +227,77 @@ Stage 2: Included a real world example source document. Ideally this example com
 Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
 -->
 
-### Real-world mapping of an Identity provider 
-
-#### Okta Users
+### Examples of Real-world mapping: 
+
+#### Mapping User object from Okta (partial):
+```yml
+- set:
+      field: asset.status
+      copy_from: entityanalytics_okta.user.status
+      tag: set_asset_status
+      ignore_empty_value: true
+  - set:
+      field: user.profile.status
+      copy_from: entityanalytics_okta.user.status
+      tag: set_user_profile_status
+      ignore_empty_value: true
+  - date:
+      field: okta.created
+      target_field: entityanalytics_okta.user.created
+      tag: date_user_created
+      formats:
+        - ISO8601
+      if: ctx.okta?.created != null && ctx.okta.created != ''
+      on_failure:
+        - remove:
+            field: okta.created
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - set:
+      field: user.account.create_date
+      copy_from: entityanalytics_okta.user.created
+      tag: set_user_account_create_date
+      ignore_empty_value: true
+  - set:
+      field: asset.create_date
+      copy_from: entityanalytics_okta.user.created
+      tag: set_asset_create_date
+      ignore_empty_value: true
+  - date:
+      field: okta.activated
+      target_field: entityanalytics_okta.user.activated
+      tag: date_user_activated
+      formats:
+        - ISO8601
+      if: ctx.okta?.activated != null && ctx.okta.activated != ''
+      on_failure:
+        - remove:
+            field: okta.activated
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - set:
+      field: user.account.activated_date
+      copy_from: entityanalytics_okta.user.activated
+      tag: set_user_account_activated_date
+      ignore_empty_value: true
+  - date:
+      field: okta.statusChanged
+      target_field: entityanalytics_okta.user.status_changed
+      tag: date_user_status_changed
+      formats:
+        - ISO8601
+      if: ctx.okta?.statusChanged != null && ctx.okta.statusChanged != ''
+      on_failure:
+        - remove:
+            field: okta.statusChanged
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+```
+
+ 
 #### AzureAD Hosts
 
 
@@ -207,8 +323,6 @@ The goal here is to research and understand the impact of these changes on users
 Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
 -->
 
-* Schema/ field sets defined here focus on asset inventory data sources. Additional fields may need to be appended (ideally within this RFC lifecycle) to support the entity store needs.
-* Due diligence is needed to avoid the proliferation of field sets and validate business requirements.
 * In stage1, @jasonrhodes identified fields from o11y use cases and a potential conflict: https://github.com/elastic/ecs/pull/2215#pullrequestreview-1498781860
 
 <!--
@@ -227,7 +341,7 @@ The following are the people that consulted on the contents of this RFC.
 * @andrewkroh | subject matter expert
 * @jamiehynds | subject matter expert
 * @lauravoicu | subject matter expert
-* @MikePaquette | sponsor
+* @MikePaquette | subject matter expert
 * @sourinpaul | sponsor
 
 <!--

From b0a7d067f87daec4bbfa1335b00b4931ccd40814 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Thu, 13 Jul 2023 14:55:54 -0700
Subject: [PATCH 05/32] Update and rename host.yml to user.yml

User fieldset
---
 rfcs/text/0041/host.yml |  26 -------
 rfcs/text/0041/user.yml | 164 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 164 insertions(+), 26 deletions(-)
 delete mode 100644 rfcs/text/0041/host.yml
 create mode 100644 rfcs/text/0041/user.yml

diff --git a/rfcs/text/0041/host.yml b/rfcs/text/0041/host.yml
deleted file mode 100644
index 050aaeafb..000000000
--- a/rfcs/text/0041/host.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to Elasticsearch B.V. under one or more contributor
-# license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright
-# ownership. Elasticsearch B.V. licenses this file to you under
-# the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# 	http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
----
-- name: host
-  fields:
-    - name: host 
-      level: extended
-      type: keyword
-      short: 
-      example: ..
-      description: >
-        Asset name of ....
diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
new file mode 100644
index 000000000..0cd0a98da
--- /dev/null
+++ b/rfcs/text/0041/user.yml
@@ -0,0 +1,164 @@
+- name: user.profile.id
+    type:  keyword
+    example:  1234
+    description:  User ID from the identity datasource.
+
+- name: user.profile.type
+    type:  keyword
+    example:  Employee
+    description:  Type of user account.
+
+- name: user.profile.status
+    type:  keyword 
+    example: On board
+    description:  Status of the user account.
+
+- name: user.profile.first_name
+    type:  keyword 
+    example: First
+    description:  First Name of the User.
+
+- name: user.profile.last_name
+    type:  keyword 
+    example: Last
+    description:  Last Name of the user.
+
+- name: user.profile.other_identities
+    type:  keyword, text 
+    example: first.last@elk.elastic.co
+    description:  Array of additional user identities (usually email addresses).
+
+- name: user.profile.manager
+    type:  keyword 
+    example: John Doe
+    description:  Assigned Manager for the user account.
+
+- name: user.profile.employee_type
+    type:  keyword 
+    example: Regular 
+    description:  Further classification type for the user account.
+
+- name: user.profile.job_family
+    type:  keyword 
+    example: 65-Sales
+    description:  Job family associated with the user account.
+
+- name: user.profile.job_family_group
+    type:  keyword 
+    example: GTM
+    description:  Job family group associated with the user account.
+
+- name: user.profile.management_level
+    type:  keyword 
+    example: Individual Contributor
+    description:  If the user account is identified as a Manager or Individual contributor.
+
+- name: user.profile.job_title
+    type:  keyword 
+    example: Field Sales
+    description:  Job title assigned to the user account.
+
+- name: user.profile.department
+    type:  keyword 
+    example: x256
+    description:  Department name associated with the user account.
+
+- name: user.profile.organization
+    type:  keyword 
+    example: Elasticsearch Inc.
+    description:  Organization name associated with the account.
+
+- name: user.profile.location
+    type:  keyword 
+    example: US - Washington - Distributed
+    description:  Assigned location for the user account.
+
+- name: user.profile.mobile_phone
+    type:  keyword 
+    example: 222-222-2222
+    description: 
+
+- name: user.profile.primaryPhone
+    type:  keyword 
+    example: 222-222-2222
+    description: 
+
+- name: user.profile.secondEmail
+    type:  keyword 
+    example: first.l@elastic.co
+    description:  Additional email addresses associated with the user account.
+
+- name: user.profile.sup_org_id
+    type:  keyword 
+    example: SUP-ORG-75
+    description:  Primary organization ID for the user account.
+
+- name: user.profile.supervisory_Org
+    type:  keyword 
+    example: Field Sales
+    description:  Primary organization name for the user account.
+
+- name: user.profile.assigned_mdm_id
+    type:  keyword 
+    example: 2950
+    description:  The primary host identifier (usually `asset.id` value) assigned to the user. This field acts as a correlation identifier for the host event document.
+
+- name: user.account.create_date
+    type:  date 
+    example: June 5, 2023 @ 18:25:57.000
+    description:  Date account was created.
+
+- name: user.account.activated_date
+    type:  date 
+    example: June 5, 2023 @ 18:25:57.000
+    description:  Date account was activated.
+
+- name: user.account.change_date
+    type:  date 
+    example: June 5, 2023 @ 18:25:57.000
+    description:  Date user account record was last updated at source
+
+- name: user.account.status.recovery
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account is in recovery
+
+- name: user.account.status.locked_out
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account is currently locked out
+
+- name: user.account.status.suspended
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account has been suspended
+
+- name: user.account.isAdmin
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account is an Admin account
+
+- name: user.account.isDelegatedAdmin
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account has Delegated Admin rights
+
+- name: user.account.isPriviledged
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account is a Privileged account
+
+- name: user.account.status.password_expired
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account password has expired.
+
+- name: user.account.status.deprovisioned
+    type:  boolean 
+    example: true/ false
+    description:  A flag indicating if account has been deprovisioned
+
+- name: user.account.password_change_date
+    type:  date 
+    example: June 5, 2023 @ 18:25:57.000
+    description:  Last date/time when account password was updated

From a7581ff08c7abef4fe8402a7340c93e1d735cd75 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Thu, 13 Jul 2023 15:02:32 -0700
Subject: [PATCH 06/32] Update user.yml

Adding level keys
---
 rfcs/text/0041/user.yml | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 0cd0a98da..fae047c19 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -1,164 +1,199 @@
 - name: user.profile.id
+    level: extended
     type:  keyword
     example:  1234
     description:  User ID from the identity datasource.
 
 - name: user.profile.type
+    level: extended
     type:  keyword
     example:  Employee
     description:  Type of user account.
 
 - name: user.profile.status
+    level: extended
     type:  keyword 
     example: On board
     description:  Status of the user account.
 
 - name: user.profile.first_name
+    level: extended
     type:  keyword 
     example: First
     description:  First Name of the User.
 
 - name: user.profile.last_name
+    level: extended
     type:  keyword 
     example: Last
     description:  Last Name of the user.
 
 - name: user.profile.other_identities
-    type:  keyword, text 
+    level: extended
+    type:  keyword 
+    multi_fields:
+        - type: text 
     example: first.last@elk.elastic.co
     description:  Array of additional user identities (usually email addresses).
 
 - name: user.profile.manager
+    level: extended
     type:  keyword 
     example: John Doe
     description:  Assigned Manager for the user account.
 
 - name: user.profile.employee_type
+    level: extended
     type:  keyword 
     example: Regular 
     description:  Further classification type for the user account.
 
 - name: user.profile.job_family
+    level: extended
     type:  keyword 
     example: 65-Sales
     description:  Job family associated with the user account.
 
 - name: user.profile.job_family_group
+    level: extended
     type:  keyword 
     example: GTM
     description:  Job family group associated with the user account.
 
 - name: user.profile.management_level
+    level: extended
     type:  keyword 
     example: Individual Contributor
     description:  If the user account is identified as a Manager or Individual contributor.
 
 - name: user.profile.job_title
+    level: extended
     type:  keyword 
     example: Field Sales
     description:  Job title assigned to the user account.
 
 - name: user.profile.department
+    level: extended
     type:  keyword 
     example: x256
     description:  Department name associated with the user account.
 
 - name: user.profile.organization
+    level: extended
     type:  keyword 
     example: Elasticsearch Inc.
     description:  Organization name associated with the account.
 
 - name: user.profile.location
+    level: extended
     type:  keyword 
     example: US - Washington - Distributed
     description:  Assigned location for the user account.
 
 - name: user.profile.mobile_phone
+    level: extended
     type:  keyword 
     example: 222-222-2222
     description: 
 
 - name: user.profile.primaryPhone
+    level: extended
     type:  keyword 
     example: 222-222-2222
     description: 
 
 - name: user.profile.secondEmail
+    level: extended
     type:  keyword 
     example: first.l@elastic.co
     description:  Additional email addresses associated with the user account.
 
 - name: user.profile.sup_org_id
+    level: extended
     type:  keyword 
     example: SUP-ORG-75
     description:  Primary organization ID for the user account.
 
 - name: user.profile.supervisory_Org
+    level: extended
     type:  keyword 
     example: Field Sales
     description:  Primary organization name for the user account.
 
 - name: user.profile.assigned_mdm_id
+    level: extended
     type:  keyword 
     example: 2950
     description:  The primary host identifier (usually `asset.id` value) assigned to the user. This field acts as a correlation identifier for the host event document.
 
 - name: user.account.create_date
+    level: extended
     type:  date 
     example: June 5, 2023 @ 18:25:57.000
     description:  Date account was created.
 
 - name: user.account.activated_date
+    level: extended
     type:  date 
     example: June 5, 2023 @ 18:25:57.000
     description:  Date account was activated.
 
 - name: user.account.change_date
+    level: extended
     type:  date 
     example: June 5, 2023 @ 18:25:57.000
     description:  Date user account record was last updated at source
 
 - name: user.account.status.recovery
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account is in recovery
 
 - name: user.account.status.locked_out
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account is currently locked out
 
 - name: user.account.status.suspended
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account has been suspended
 
 - name: user.account.isAdmin
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account is an Admin account
 
 - name: user.account.isDelegatedAdmin
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account has Delegated Admin rights
 
 - name: user.account.isPriviledged
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account is a Privileged account
 
 - name: user.account.status.password_expired
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account password has expired.
 
 - name: user.account.status.deprovisioned
+    level: extended
     type:  boolean 
     example: true/ false
     description:  A flag indicating if account has been deprovisioned
 
 - name: user.account.password_change_date
+    level: extended
     type:  date 
     example: June 5, 2023 @ 18:25:57.000
     description:  Last date/time when account password was updated

From fe2fd7578a26ea8a9c48763a08236ffa966571f0 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Thu, 13 Jul 2023 15:06:02 -0700
Subject: [PATCH 07/32] Update 0041-asset-integration.md

I am removing the 'phone' fields from the proposal to reduce the risk of PII exposure.
---
 rfcs/text/0041-asset-integration.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index ab713eab9..7e0177e0d 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -58,8 +58,6 @@ user.profile.job_title	| keyword |	Field Sales	| Job title assigned to the user
 user.profile.department	| keyword |	x256	| Department name associated with the user account.
 user.profile.organization	| keyword |	Elasticsearch Inc.	| Organization name associated with the account.
 user.profile.location	| keyword |	US - Washington - Distributed	| Assigned location for the user account.
-user.profile.mobile_phone	| keyword |	222-222-2222
-user.profile.primaryPhone	| keyword |	222-222-2222
 user.profile.secondEmail	| keyword |	first.l@elastic.co	| Additional email addresses associated with the user account.
 user.profile.sup_org_id	| keyword |	SUP-ORG-75	| Primary organization ID for the user account.
 user.profile.supervisory_Org	| keyword |	Field Sales	| Primary organization name for the user account.

From 6a068c1cdacbf90590cee4fe9de17b0de07e7076 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Thu, 13 Jul 2023 15:33:07 -0700
Subject: [PATCH 08/32] Update asset.yml

---
 rfcs/text/0041/asset.yml | 173 +++++++++++++++++++++++++++++++++------
 1 file changed, 147 insertions(+), 26 deletions(-)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index 498ed4c38..6aa312c7f 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -1,26 +1,147 @@
-# Licensed to Elasticsearch B.V. under one or more contributor
-# license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright
-# ownership. Elasticsearch B.V. licenses this file to you under
-# the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# 	http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
----
-- name: asset
-  fields:
-    - name: asset.name
-      level: extended
-      type: keyword
-      short: 
-      example: 88a1f0ed-5ae5-41ee-af6b-41921c311872
-      description: >
-        Asset name of ....
+- name: asset.category
+    level: extend
+    level: extend
+    type: keyword
+    example: hardware
+    description: A further classification of the asset type beyond event.category. Example for host assets {hardware, virtual, container, node}. 
+- name: asset.type
+    level: extend
+    level: extend
+    type: keyword
+    example: workstation
+    description: A sub-classification of assets. For host assets {workstation, S3, Compute}. For user assets {NULL?}
+- name: asset.id
+    level: extend
+    type: keyword
+    example: 2950
+    description: A unique ID for the asset. For inventory integrations, it's the id generated from the inventory data source
+- name: asset.name
+    level: extend
+    type: keyword
+    example: Sourin Paul Macbook Pro
+    description: A common name for the asset
+- name: asset.vendor
+    level: extend
+    type: keyword
+    example: Apple
+    description: Used primarily for 'Host' entities, the vendor name or brand associated with the asset.
+- name: asset.product
+    level: extend
+    type: keyword
+    example: MacBook Pro
+    description: Used primarily for 'Host' entities, the product name associated with the asset.
+- name: asset.model
+    level: extend
+    type: keyword
+    example: TBD
+    description: Used primarily for 'Host' entities, the model name or number associated with this asset.
+- name: asset.version
+    level: extend
+    type: keyword
+    example: TBD
+    description: Used primarily for 'Host' entities, the version or year associated with the asset.
+- name: asset.owner
+    level: extend
+    type: keyword
+    example: sourin.paul@elastic.co
+    description: The primary user entity who owns the 'Host' asset
+- name: asset.priority
+    level: extend
+    type: keyword
+    example: Priority 1
+    description: A priority classification for the asset obtained from outside this system, such as from some external CMDB or Directory service.
+- name: asset.criticality
+    level: extend
+    type: keyword
+    example: Critical
+    description: A criticality classification obtained from outside this system, such as from some external CMDB or Directory service.
+- name: asset.business_unit
+    level: extend
+    type: keyword
+    example: Analyst Experience
+    description: Business Unit associated with the asset (user or host).
+- name: asset.costCenter
+    level: extend
+    type: keyword
+    example: Security - Protections
+    description: Cost Center associated with the asset (user or host).
+- name: asset.cost_center_hierarchy
+    level: extend
+    type: keyword
+    example: Engineering
+    description: Additional cost center information associated with the asset (user or host).
+- name: 
+    level: extend
+    type: 
+    example: 
+    description: 
+- name: asset.status
+    level: extend
+    type: keyword
+    example: ACTIVE
+    description: Current status of the asset in the inventory data source.
+- name: asset.last_status_change_date
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.000
+    description: The most recent date/time when the asset.status was updated.
+- name: asset.create_date
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.001
+    description: For users, it's the hire date. For other assets, it's the in-service date.
+- name: asset.end_date
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.002
+    description: For users, it's the termination date. For other assets, it's the out-of-service date.
+- name: asset.first_seen
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.003
+    description: The earliest date/time at which this asset was observed.  
+- name: asset.last_seen
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.004
+    description: The most recent date/time this asset was observed.  It would remain empty until the asset was observed.
+- name: asset.last_updated
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.005
+    description: The most recent date/time this asset was updated in the inventory data source
+- name: asset.serial_number
+    level: extend
+    type: keyword
+    example: C02FG1G1MD6T
+    description: Serial number of the asset
+- name: asset.tags
+    level: extend
+    type: keyword
+    example: watch, mdmaccess
+    description: Tags assigned at the MDM
+- name: asset.assigned_users
+    level: extend
+    type: keyword
+    example: user1@email.com, user2@email.com
+    description: List of users assigned to the asset
+- name: asset.assigned_users_are_admin
+    level: extend
+    type: boolean
+    example: TRUE
+    description: Flag to identify if the assigned users have admin privileges
+- name: asset.is_managed
+    level: extend
+    type: boolean
+    example: TRUE
+    description: Flag to identify if the organization manages the asset
+- name: asset.last_enrolled_date
+    level: extend
+    type: date
+    example: June 5, 2023 @ 18:25:57.005
+    description: The most recent date/time the asset checked in with MDM
+- name: asset.data_classification
+    level: extend
+    type: keyword
+    example: restricted
+    description: Data classification tier for the asset

From 034c97cebab4642042ec5b1f75ff92f1b84e010f Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Thu, 13 Jul 2023 15:38:09 -0700
Subject: [PATCH 09/32] Create os.yml

---
 rfcs/text/0041/os.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 rfcs/text/0041/os.yml

diff --git a/rfcs/text/0041/os.yml b/rfcs/text/0041/os.yml
new file mode 100644
index 000000000..c302161a5
--- /dev/null
+++ b/rfcs/text/0041/os.yml
@@ -0,0 +1,5 @@
+- name: build
+    level: extend
+    type: keyword
+    example:  FIELD4: 22F66
+    description: Host OS Build information

From 2c902078381ba190dd0d2e98f119bb85463b3581 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:25:12 -0700
Subject: [PATCH 10/32] Update rfcs/text/0041-asset-integration.md

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041-asset-integration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 7e0177e0d..3de31d335 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -364,7 +364,7 @@ e.g.:
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
 * Stage 0: https://github.com/elastic/ecs/pull/2215
-* Stage 1: https://github.com/elastic/ecs/pull/NNN
+* Stage 1: https://github.com/elastic/ecs/pull/2233
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN

From 51a966eabe225e6415cd99cec9bbe476ec878ce5 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:25:43 -0700
Subject: [PATCH 11/32] Update rfcs/text/0041/asset.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/asset.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index 6aa312c7f..a518542d8 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -60,7 +60,7 @@
     type: keyword
     example: Analyst Experience
     description: Business Unit associated with the asset (user or host).
-- name: asset.costCenter
+- name: asset.cost_center
     level: extend
     type: keyword
     example: Security - Protections

From 6c9609e48c804f1667516f3f2dcc8176a68f8d25 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:25:58 -0700
Subject: [PATCH 12/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index fae047c19..5acb49530 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -162,7 +162,7 @@
     example: true/ false
     description:  A flag indicating if account has been suspended
 
-- name: user.account.isAdmin
+- name: user.account.is_admin
     level: extended
     type:  boolean 
     example: true/ false

From 086b7f4726b8611713a6a8eef7ef150677c2c4f2 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:26:05 -0700
Subject: [PATCH 13/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 5acb49530..94bd7e303 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -168,7 +168,7 @@
     example: true/ false
     description:  A flag indicating if account is an Admin account
 
-- name: user.account.isDelegatedAdmin
+- name: user.account.is_delegated_admin
     level: extended
     type:  boolean 
     example: true/ false

From 117d0ede15630ff3212301a0e8674885f49082a6 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:26:11 -0700
Subject: [PATCH 14/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 94bd7e303..35bdcbcef 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -174,7 +174,7 @@
     example: true/ false
     description:  A flag indicating if account has Delegated Admin rights
 
-- name: user.account.isPriviledged
+- name: user.account.is_privileged
     level: extended
     type:  boolean 
     example: true/ false

From 3a8abf44f74027bc5c90f92b59250adf4bf27fd5 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:26:19 -0700
Subject: [PATCH 15/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 35bdcbcef..9de8f11a1 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -114,7 +114,7 @@
     example: SUP-ORG-75
     description:  Primary organization ID for the user account.
 
-- name: user.profile.supervisory_Org
+- name: user.profile.supervisory_org
     level: extended
     type:  keyword 
     example: Field Sales

From a765da33d4b5d8c2b504cd49427c6d7069a171bb Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:26:25 -0700
Subject: [PATCH 16/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 9de8f11a1..708199c7a 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -108,7 +108,7 @@
     example: first.l@elastic.co
     description:  Additional email addresses associated with the user account.
 
-- name: user.profile.sup_org_id
+- name: user.profile.supervisory_org_id
     level: extended
     type:  keyword 
     example: SUP-ORG-75

From e593af2c939e4f58429f44bc2ebd5b9318201080 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:26:55 -0700
Subject: [PATCH 17/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 708199c7a..76807c1c3 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -96,7 +96,7 @@
     example: 222-222-2222
     description: 
 
-- name: user.profile.primaryPhone
+- name: user.profile.primary_phone
     level: extended
     type:  keyword 
     example: 222-222-2222

From ccf7b23f6adaa82de075ddd0aa1a334d971c19a0 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 10:27:08 -0700
Subject: [PATCH 18/32] Update rfcs/text/0041/user.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/user.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 76807c1c3..2f8139265 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -102,7 +102,7 @@
     example: 222-222-2222
     description: 
 
-- name: user.profile.secondEmail
+- name: user.profile.second_email
     level: extended
     type:  keyword 
     example: first.l@elastic.co

From 525c1089df2777afe8678c01428c2bd6fb451cb6 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 14:40:59 -0700
Subject: [PATCH 19/32] Update rfcs/text/0041/asset.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/asset.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index a518542d8..af2517a5a 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -120,6 +120,8 @@
     type: keyword
     example: watch, mdmaccess
     description: Tags assigned at the MDM
+    normalize:
+      - array
 - name: asset.assigned_users
     level: extend
     type: keyword

From 4331778139b106469e490cf98f3c923bb22b976a Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 14:41:14 -0700
Subject: [PATCH 20/32] Update rfcs/text/0041/asset.yml

Co-authored-by: Eric Beahan <eric.beahan@elastic.co>
---
 rfcs/text/0041/asset.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index af2517a5a..e86d5771d 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -1,5 +1,4 @@
 - name: asset.category
-    level: extend
     level: extend
     type: keyword
     example: hardware

From 5c8f251b1686a72fffb9ea50d9567437a023148e Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 19 Jul 2023 14:57:07 -0700
Subject: [PATCH 21/32] Update asset.yml

---
 rfcs/text/0041/asset.yml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index e86d5771d..26b78ce0f 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -69,11 +69,6 @@
     type: keyword
     example: Engineering
     description: Additional cost center information associated with the asset (user or host).
-- name: 
-    level: extend
-    type: 
-    example: 
-    description: 
 - name: asset.status
     level: extend
     type: keyword

From 64827ec39141f2ca52fbe6bf00dfecea7a27c36f Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Mon, 24 Jul 2023 18:26:02 -0700
Subject: [PATCH 22/32] Update 0041-asset-integration.md

- Context for baselining schema for entity/ asset store
- Added reference to the RFC, which extends existing risk.* fields
---
 rfcs/text/0041-asset-integration.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 3de31d335..51b73df8a 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -26,8 +26,9 @@ This proposal includes the following:
 * Additional fields in the `users` and `os` objects.
 * Introduces a new field set called `assets`.
 <!-- * Additional fields in the `host` object --->
+* Fields required for storing host and user metadata as the Elastic Security entity store/ index. 
 
-This proposal will also facilitate storing host and user inventory within the security solution (the entity store). Schema/ field sets defined here focus on asset inventory data sources. Additional fields may need to be appended (ideally within this RFC lifecycle) to support the entity store needs.
+We will create new enhancement RFCs to extend these schemas as needed.
 
 <!--
 Stage X: Provide a brief explanation of why the proposal is being marked as abandoned. This is useful context for anyone revisiting this proposal or considering similar changes later on.
@@ -111,9 +112,13 @@ asset.installed_extensions 	| keyword	  | Nested objects	  | List of installed e
 asset.installed_applications	| keyword	    | Nested objects	  | List of installed applications along with their metadata
 
 #### Nesting of existing risk.* fields under asset object
-* We have a set of risk.* fields in ECS that can be further nested under the asset.* object. Reference to [Risk RFC](https://github.com/elastic/ecs/blob/main/rfcs/text/0031-risk-fields.md).
 
+We have a set of risk.* fields in ECS. A quick reference to past risk.* RFCs:
 
+* [Initial Risk RFC](https://github.com/elastic/ecs/blob/main/rfcs/text/0031-risk-fields.md)
+* [Risk Score Extenstions](https://github.com/elastic/ecs/pull/2236)
+
+These risk.* fields can be further nested under the asset.*
 
 ### Proposed New Fields for os.* object
 Field | Type | Example | Description

From 1a2e6dc5ce9a42bc1ae941985ba40ca5d3e3d9db Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 9 Aug 2023 12:14:46 -0700
Subject: [PATCH 23/32] Update 0041-asset-integration.md

- Redacting the user.profile.organization field from the proposal. We will reuse organization.* fields.

- Update 'Examples of Real-world mapping:' to include ECS mapping.
---
 rfcs/text/0041-asset-integration.md | 411 +++++++++++++++++++++++++++-
 1 file changed, 408 insertions(+), 3 deletions(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 51b73df8a..703375b34 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -57,7 +57,6 @@ user.profile.job_family_group	| keyword |	GTM	| Job family group associated with
 user.profile.management_level	| keyword |	Individual Contributor	| If the user account is identified as a Manager or Individual contributor.
 user.profile.job_title	| keyword |	Field Sales	| Job title assigned to the user account.
 user.profile.department	| keyword |	x256	| Department name associated with the user account.
-user.profile.organization	| keyword |	Elasticsearch Inc.	| Organization name associated with the account.
 user.profile.location	| keyword |	US - Washington - Distributed	| Assigned location for the user account.
 user.profile.secondEmail	| keyword |	first.l@elastic.co	| Additional email addresses associated with the user account.
 user.profile.sup_org_id	| keyword |	SUP-ORG-75	| Primary organization ID for the user account.
@@ -76,6 +75,11 @@ user.account.status.password_expired	| boolean |	true/ false	| A flag indicating
 user.account.status.deprovisioned	| boolean |	true/ false	| A flag indicating if account has been deprovisioned
 user.account.password_change_date	| date |	June 5, 2023 @ 18:25:57.000	| Last date/time when account password was updated
 
+**Update:**
+Updated proposal to redact the below field. ECS guidance is to reuse existing organization.* fields instead 
+
+> user.profile.organization	| keyword |	Elasticsearch Inc.	| Organization name associated with the account.
+
 ### Proposed New Fields for Asset object
 
 Field | Type | Generic Example |	User Entity Example | Host Entity Example | Description
@@ -232,9 +236,71 @@ Stage 3: Add more real world example source documents so we have at least 2 tota
 
 ### Examples of Real-world mapping: 
 
-#### Mapping User object from Okta (partial):
+#### Mapping User object from Okta into ECS (partial):
 ```yml
-- set:
+description: Pipeline for processing User logs.
+processors:
+  - set:
+      field: ecs.version
+      tag: set_ecs_version
+      value: 8.8.0
+  - set:
+      field: event.kind
+      tag: set_event_kind
+      value: asset
+  - set:
+      field: event.category
+      tag: set_event_category
+      value: ['iam']
+  - set:
+      field: event.type
+      tag: set_event_type
+      value: ['user','info']
+  - rename:
+      field: okta.id
+      target_field: entityanalytics_okta.user.id
+      tag: rename_user_id
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.id}}}'
+      tag: append_user_id_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.id != null
+  - script:
+      lang: painless
+      description: Set User Account Status properties.
+      tag: painless_set_user_account_status
+      if: ctx.okta?.status != null
+      source: |-
+        if (ctx.user == null) {
+          ctx.user = new HashMap();
+        }
+        if (ctx.user.account == null) {
+          ctx.user.account = new HashMap();
+        }
+        if (ctx.user.account.status == null) {
+          ctx.user.account.status = new HashMap();
+        }
+        ctx.user.account.status.put('recovery', false);
+        ctx.user.account.status.put('locked_out', false);
+        ctx.user.account.status.put('suspended', false);
+        ctx.user.account.status.put('password_expired', false);
+        ctx.user.account.status.put('deprovisioned', false);
+        def status = ctx.okta.status.toLowerCase();
+        if (['recovery', 'locked_out', 'suspended', 'password_expired', 'deprovisioned'].contains(status)) {
+          ctx.user.account.status[status] = true;
+        }
+      on_failure:
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - rename:
+      field: okta.status
+      target_field: entityanalytics_okta.user.status
+      tag: rename_user_status
+      ignore_missing: true
+  - set:
       field: asset.status
       copy_from: entityanalytics_okta.user.status
       tag: set_asset_status
@@ -298,6 +364,345 @@ Stage 3: Add more real world example source documents so we have at least 2 tota
         - append:
             field: error.message
             value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - set:
+      field: user.account.change_date
+      copy_from: entityanalytics_okta.user.status_changed
+      tag: set_user_account_change_date
+      ignore_empty_value: true
+  - set:
+      field: asset.last_status_change_date
+      copy_from: entityanalytics_okta.user.status_changed
+      tag: set_asset_last_status_change_date
+      ignore_empty_value: true
+  - date:
+      field: okta.lastLogin
+      target_field: entityanalytics_okta.user.last_login
+      tag: date_user_last_login
+      formats:
+        - ISO8601
+      if: ctx.okta?.lastLogin != null && ctx.okta.lastLogin != ''
+      on_failure:
+        - remove:
+            field: okta.lastLogin
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - set:
+      field: asset.last_seen
+      copy_from: entityanalytics_okta.user.last_login
+      tag: set_asset_last_seen
+      ignore_empty_value: true
+  - date:
+      field: okta.lastUpdated
+      target_field: entityanalytics_okta.user.last_updated
+      tag: date_user_last_updated
+      formats:
+        - ISO8601
+      if: ctx.okta?.lastUpdated != null && ctx.okta.lastUpdated != ''
+      on_failure:
+        - remove:
+            field: okta.lastUpdated
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - set:
+      field: asset.last_updated
+      copy_from: entityanalytics_okta.user.last_updated
+      tag: set_asset_last_seen
+      ignore_empty_value: true
+  - date:
+      field: okta.passwordChanged
+      target_field: entityanalytics_okta.user.password_changed
+      tag: date_user_password_changed
+      formats:
+        - ISO8601
+      if: ctx.okta?.passwordChanged != null && ctx.okta.passwordChanged != ''
+      on_failure:
+        - remove:
+            field: okta.passwordChanged
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - set:
+      field: user.account.password_change_date
+      copy_from: entityanalytics_okta.user.password_changed
+      tag: set_user_account_password_change_date
+      ignore_empty_value: true
+  - rename:
+      field: okta.type
+      target_field: entityanalytics_okta.user.type
+      tag: rename_user_type
+      ignore_missing: true
+  - rename:
+      field: okta.transitioningToStatus
+      target_field: entityanalytics_okta.user.transitioning_to_status
+      tag: user_transitioning_to_status
+      ignore_missing: true
+  - rename:
+      field: okta.profile.login
+      target_field: entityanalytics_okta.user.profile.login
+      tag: rename_user_profile_login
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.login}}}'
+      tag: append_user_profile_login_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.login != null
+  - set:
+      field: user.name
+      copy_from: entityanalytics_okta.user.profile.login
+      tag: set_user_name
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.email
+      target_field: entityanalytics_okta.user.profile.email
+      tag: rename_user_profile_email
+      ignore_missing: true
+  - set:
+      field: user.email
+      copy_from: entityanalytics_okta.user.profile.email
+      tag: set_user_email
+      ignore_empty_value: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.email}}}'
+      tag: append_user_profile_email_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.email != null
+  - rename:
+      field: okta.profile.secondEmail
+      target_field: entityanalytics_okta.user.profile.second_email
+      tag: rename_user_profile_second_email
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.second_email}}}'
+      tag: append_user_profile_second_email_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.second_email != null
+  - set:
+      field: user.profile.other_identities
+      copy_from: entityanalytics_okta.user.profile.second_email
+      tag: set_user_profile_other_identities
+      ignore_empty_value: true
+  - set:
+      field: user.profile.secondEmail
+      copy_from: entityanalytics_okta.user.profile.second_email
+      tag: set_user_profile_secondEmail
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.firstName
+      target_field: entityanalytics_okta.user.profile.first_name
+      tag: rename_user_profile_first_name
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.first_name}}}'
+      tag: append_user_profile_first_name_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.first_name != null
+  - set:
+      field: user.profile.first_name
+      copy_from: entityanalytics_okta.user.profile.first_name
+      tag: set_user_profile_first_name
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.lastName
+      target_field: entityanalytics_okta.user.profile.last_name
+      tag: rename_user_profile_last_name
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.last_name}}}'
+      tag: append_user_profile_last_name_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.last_name != null
+  - set:
+      field: user.profile.last_name
+      copy_from: entityanalytics_okta.user.profile.last_name
+      tag: set_user_profile_last_name
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.middleName
+      target_field: entityanalytics_okta.user.profile.middle_name
+      tag: rename_user_profile_middle_name
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.middle_name}}}'
+      tag: append_user_profile_middle_name_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.middle_name != null
+  - rename:
+      field: okta.profile.honorificPrefix
+      target_field: entityanalytics_okta.user.profile.honorific.prefix
+      tag: rename_user_profile_honorific_prefix
+      ignore_missing: true
+  - rename:
+      field: okta.profile.honorificSuffix
+      target_field: entityanalytics_okta.user.profile.honorific.suffix
+      tag: rename_user_profile_honorific_suffix
+      ignore_missing: true
+  - rename:
+      field: okta.profile.title
+      target_field: entityanalytics_okta.user.profile.title
+      tag: rename_user_profile_title
+      ignore_missing: true
+  - set:
+      field: user.profile.job_title
+      copy_from: entityanalytics_okta.user.profile.title
+      tag: set_user_profile_job_title
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.displayName
+      target_field: entityanalytics_okta.user.profile.display_name
+      tag: rename_user_profile_display_name
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.display_name}}}'
+      tag: append_user_profile_display_name_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.display_name != null
+  - set:
+      field: user.full_name
+      copy_from: entityanalytics_okta.user.profile.display_name
+      tag: set_user_full_name
+      ignore_empty_value: true
+  - set:
+      field: asset.name
+      copy_from: entityanalytics_okta.user.profile.display_name
+      tag: set_asset_name
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.nickName
+      target_field: entityanalytics_okta.user.profile.nick_name
+      tag: rename_user_profile_nick_name
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.nick_name}}}'
+      tag: append_user_profile_nick_name_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.nick_name != null
+  - rename:
+      field: okta.profile.profileUrl
+      target_field: entityanalytics_okta.user.profile.url
+      tag: rename_user_profile_url
+      ignore_missing: true
+  - rename:
+      field: okta.profile.primaryPhone
+      target_field: entityanalytics_okta.user.profile.primary_phone
+      tag: rename_user_profile_primary_phone
+      ignore_missing: true
+  - set:
+      field: user.profile.primaryPhone
+      copy_from: entityanalytics_okta.user.profile.primary_phone
+      tag: set_user_profile_primaryPhone
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.mobilePhone
+      target_field: entityanalytics_okta.user.profile.mobile_phone
+      tag: rename_user_profile_mobile_phone
+      ignore_missing: true
+  - set:
+      field: user.profile.mobile_phone
+      copy_from: entityanalytics_okta.user.profile.mobile_phone
+      tag: set_user_profile_mobile_phone
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.streetAddress
+      target_field: entityanalytics_okta.user.profile.street_address
+      tag: rename_user_profile_street_address
+      ignore_missing: true
+  - rename:
+      field: okta.profile.city
+      target_field: entityanalytics_okta.user.profile.city
+      tag: rename_user_profile_city
+      ignore_missing: true
+  - rename:
+      field: okta.profile.state
+      target_field: entityanalytics_okta.user.profile.state
+      tag: rename_user_profile_state
+      ignore_missing: true
+  - rename:
+      field: okta.profile.zipCode
+      target_field: entityanalytics_okta.user.profile.zip_code
+      tag: rename_user_profile_zip_code
+      ignore_missing: true
+  - rename:
+      field: okta.profile.countryCode
+      target_field: entityanalytics_okta.user.profile.country_code
+      tag: rename_user_profile_country_code
+      ignore_missing: true
+  - rename:
+      field: okta.profile.postalAddress
+      target_field: entityanalytics_okta.user.profile.postal_address
+      tag: rename_user_profile_postal_address
+      ignore_missing: true
+  - rename:
+      field: okta.profile.preferredLanguage
+      target_field: entityanalytics_okta.user.profile.preferred_language
+      tag: rename_user_profile_preferred_language
+      ignore_missing: true
+  - rename:
+      field: okta.profile.locale
+      target_field: entityanalytics_okta.user.profile.locale
+      tag: rename_user_profile_locale
+      ignore_missing: true
+  - rename:
+      field: okta.profile.timezone
+      target_field: entityanalytics_okta.user.profile.timezone
+      tag: rename_user_profile_timezone
+      ignore_missing: true
+  - rename:
+      field: okta.profile.userType
+      target_field: entityanalytics_okta.user.profile.user_type
+      tag: rename_user_profile_user_type
+      ignore_missing: true
+  - set:
+      field: user.profile.type
+      copy_from: entityanalytics_okta.user.profile.user_type
+      tag: set_user_profile_type
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.employeeNumber
+      target_field: entityanalytics_okta.user.profile.employee_number
+      tag: rename_user_profile_employee_number
+      ignore_missing: true
+  - append:
+      field: related.user
+      value: '{{{entityanalytics_okta.user.profile.employee_number}}}'
+      tag: append_user_profile_employee_number_into_related_user
+      allow_duplicates: false
+      if: ctx.entityanalytics_okta?.user?.profile?.employee_number != null
+  - set:
+      field: user.profile.id
+      copy_from: entityanalytics_okta.user.profile.employee_number
+      tag: set_user_profile_id
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.costCenter
+      target_field: entityanalytics_okta.user.profile.cost_center
+      tag: rename_user_profile_cost_center
+      ignore_missing: true
+  - set:
+      field: asset.costCenter
+      copy_from: entityanalytics_okta.user.profile.cost_center
+      tag: set_asset_costCenter
+      ignore_empty_value: true
+  - rename:
+      field: okta.profile.organization
+      target_field: entityanalytics_okta.user.profile.organization
+      tag: rename_user_profile_organization
+      ignore_missing: true
+  - set:
+      field: organization.name
+      copy_from: entityanalytics_okta.user.profile.organization
+      tag: set_user_profile_organization
+      ignore_empty_value: true
+
 ```
 
  

From 6603b1ef22da9c93bf662517561730206b2e7703 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Wed, 9 Aug 2023 13:50:53 -0700
Subject: [PATCH 24/32] Update 0041-asset-integration.md

Correct syntax error for mapping.
---
 rfcs/text/0041-asset-integration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 703375b34..b0c9ae9e4 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -698,7 +698,7 @@ processors:
       tag: rename_user_profile_organization
       ignore_missing: true
   - set:
-      field: organization.name
+      field: user.organization.name
       copy_from: entityanalytics_okta.user.profile.organization
       tag: set_user_profile_organization
       ignore_empty_value: true

From 6fd05a060752d46aafafbc81c28503c8dab871a5 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Fri, 5 Jan 2024 13:48:40 -0800
Subject: [PATCH 25/32] Update os.yml

Fix linting errors
---
 rfcs/text/0041/os.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/rfcs/text/0041/os.yml b/rfcs/text/0041/os.yml
index c302161a5..dadbab3de 100644
--- a/rfcs/text/0041/os.yml
+++ b/rfcs/text/0041/os.yml
@@ -1,5 +1,6 @@
+---
 - name: build
-    level: extend
-    type: keyword
-    example:  FIELD4: 22F66
-    description: Host OS Build information
+  level: extend
+  type: keyword
+  example: "FIELD4: 22F66"
+  description: Host OS Build information

From 73b53e0082f9aefffa74279b505a911a8f646cea Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Fri, 5 Jan 2024 14:02:41 -0800
Subject: [PATCH 26/32] Update asset.yml

Udapting asset.tags definition && correcting linting errors
---
 rfcs/text/0041/asset.yml | 241 ++++++++++++++++++++-------------------
 1 file changed, 126 insertions(+), 115 deletions(-)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index 26b78ce0f..2eec5befe 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -1,143 +1,154 @@
+---
 - name: asset.category
-    level: extend
-    type: keyword
-    example: hardware
-    description: A further classification of the asset type beyond event.category. Example for host assets {hardware, virtual, container, node}. 
+  level: extend
+  type: keyword
+  example: hardware
+  description: A further classification of the asset type beyond event.category.
+    Example for host assets {hardware, virtual, container, node}."
 - name: asset.type
-    level: extend
-    level: extend
-    type: keyword
-    example: workstation
-    description: A sub-classification of assets. For host assets {workstation, S3, Compute}. For user assets {NULL?}
+  level: extend
+  type: keyword
+  example: workstation
+  description: A sub-classification of assets. For host assets {workstation, S3,
+    Compute}. For user assets {NULL?}
 - name: asset.id
-    level: extend
-    type: keyword
-    example: 2950
-    description: A unique ID for the asset. For inventory integrations, it's the id generated from the inventory data source
+  level: extend
+  type: keyword
+  example: 2950
+  description: A unique ID for the asset. For inventory integrations, it's the id
+    generated from the inventory data source
 - name: asset.name
-    level: extend
-    type: keyword
-    example: Sourin Paul Macbook Pro
-    description: A common name for the asset
+  level: extend
+  type: keyword
+  example: Sourin Paul Macbook Pro
+  description: A common name for the asset
 - name: asset.vendor
-    level: extend
-    type: keyword
-    example: Apple
-    description: Used primarily for 'Host' entities, the vendor name or brand associated with the asset.
+  level: extend
+  type: keyword
+  example: Apple
+  description: Used primarily for 'Host' entities, the vendor name or brand
+    associated with the asset.
 - name: asset.product
-    level: extend
-    type: keyword
-    example: MacBook Pro
-    description: Used primarily for 'Host' entities, the product name associated with the asset.
+  level: extend
+  type: keyword
+  example: MacBook Pro
+  description: Used primarily for 'Host' entities, the product name associated
+    with the asset.
 - name: asset.model
-    level: extend
-    type: keyword
-    example: TBD
-    description: Used primarily for 'Host' entities, the model name or number associated with this asset.
+  level: extend
+  type: keyword
+  example: TBD
+  description: Used primarily for 'Host' entities, the model name or number
+    associated with this asset.
 - name: asset.version
-    level: extend
-    type: keyword
-    example: TBD
-    description: Used primarily for 'Host' entities, the version or year associated with the asset.
+  level: extend
+  type: keyword
+  example: TBD
+  description: Used primarily for 'Host' entities, the version or year associated
+    with the asset.
 - name: asset.owner
-    level: extend
-    type: keyword
-    example: sourin.paul@elastic.co
-    description: The primary user entity who owns the 'Host' asset
+  level: extend
+  type: keyword
+  example: sourin.paul@elastic.co
+  description: The primary user entity who owns the 'Host' asset
 - name: asset.priority
-    level: extend
-    type: keyword
-    example: Priority 1
-    description: A priority classification for the asset obtained from outside this system, such as from some external CMDB or Directory service.
+  level: extend
+  type: keyword
+  example: Priority 1
+  description: A priority classification for the asset obtained from outside this
+    system, such as from some external CMDB or Directory service.
 - name: asset.criticality
-    level: extend
-    type: keyword
-    example: Critical
-    description: A criticality classification obtained from outside this system, such as from some external CMDB or Directory service.
+  level: extend
+  type: keyword
+  example: Critical
+  description: A criticality classification obtained from outside this system,
+    such as from some external CMDB or Directory service.
 - name: asset.business_unit
-    level: extend
-    type: keyword
-    example: Analyst Experience
-    description: Business Unit associated with the asset (user or host).
+  level: extend
+  type: keyword
+  example: Analyst Experience
+  description: Business Unit associated with the asset (user or host).
 - name: asset.cost_center
-    level: extend
-    type: keyword
-    example: Security - Protections
-    description: Cost Center associated with the asset (user or host).
+  level: extend
+  type: keyword
+  example: Security - Protections
+  description: Cost Center associated with the asset (user or host).
 - name: asset.cost_center_hierarchy
-    level: extend
-    type: keyword
-    example: Engineering
-    description: Additional cost center information associated with the asset (user or host).
+  level: extend
+  type: keyword
+  example: Engineering
+  description: Additional cost center information associated with the asset (user or host).
 - name: asset.status
-    level: extend
-    type: keyword
-    example: ACTIVE
-    description: Current status of the asset in the inventory data source.
+  level: extend
+  type: keyword
+  example: ACTIVE
+  description: Current status of the asset in the inventory data source.
 - name: asset.last_status_change_date
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.000
-    description: The most recent date/time when the asset.status was updated.
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.000
+  description: The most recent date/time when the asset.status was updated.
 - name: asset.create_date
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.001
-    description: For users, it's the hire date. For other assets, it's the in-service date.
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.001
+  description: For users, it's the hire date. For other assets, it's the in-service date.
 - name: asset.end_date
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.002
-    description: For users, it's the termination date. For other assets, it's the out-of-service date.
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.002
+  description: For users, it's the termination date. For other assets, it's the
+    out-of-service date.
 - name: asset.first_seen
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.003
-    description: The earliest date/time at which this asset was observed.  
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.003
+  description: The earliest date/time at which this asset was observed.
 - name: asset.last_seen
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.004
-    description: The most recent date/time this asset was observed.  It would remain empty until the asset was observed.
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.004
+  description: The most recent date/time this asset was observed.  It would remain
+    empty until the asset was observed.
 - name: asset.last_updated
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.005
-    description: The most recent date/time this asset was updated in the inventory data source
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.005
+  description: The most recent date/time this asset was updated in the inventory data source
 - name: asset.serial_number
-    level: extend
-    type: keyword
-    example: C02FG1G1MD6T
-    description: Serial number of the asset
+  level: extend
+  type: keyword
+  example: C02FG1G1MD6T
+  description: Serial number of the asset
 - name: asset.tags
-    level: extend
-    type: keyword
-    example: watch, mdmaccess
-    description: Tags assigned at the MDM
-    normalize:
-      - array
+  level: extend
+  type: keyword
+  example: watch, mdmaccess, SMBIOS, AWStags
+  description: Tags assigned to the asset
+  normalize:
+    - array
 - name: asset.assigned_users
-    level: extend
-    type: keyword
-    example: user1@email.com, user2@email.com
-    description: List of users assigned to the asset
+  level: extend
+  type: keyword
+  example: user1@email.com, user2@email.com
+  description: List of users assigned to the asset
 - name: asset.assigned_users_are_admin
-    level: extend
-    type: boolean
-    example: TRUE
-    description: Flag to identify if the assigned users have admin privileges
+  level: extend
+  type: boolean
+  example: true
+  description: Flag to identify if the assigned users have admin privileges
 - name: asset.is_managed
-    level: extend
-    type: boolean
-    example: TRUE
-    description: Flag to identify if the organization manages the asset
+  level: extend
+  type: boolean
+  example: true
+  description: Flag to identify if the organization manages the asset
 - name: asset.last_enrolled_date
-    level: extend
-    type: date
-    example: June 5, 2023 @ 18:25:57.005
-    description: The most recent date/time the asset checked in with MDM
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.005
+  description: The most recent date/time the asset checked in with MDM
 - name: asset.data_classification
-    level: extend
-    type: keyword
-    example: restricted
-    description: Data classification tier for the asset
+  level: extend
+  type: keyword
+  example: restricted
+  description: Data classification tier for the asset

From 150292b0e2638831c551024c21df0240f236f93e Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Fri, 5 Jan 2024 15:56:59 -0800
Subject: [PATCH 27/32] Update user.yml

Fixed linting errors
---
 rfcs/text/0041/user.yml | 303 ++++++++++++++++++----------------------
 1 file changed, 137 insertions(+), 166 deletions(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 2f8139265..1472a8bf4 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -1,199 +1,170 @@
+---
 - name: user.profile.id
-    level: extended
-    type:  keyword
-    example:  1234
-    description:  User ID from the identity datasource.
-
+  level: extend
+  type: keyword
+  example: 1234
+  description: User ID from the identity datasource.
 - name: user.profile.type
-    level: extended
-    type:  keyword
-    example:  Employee
-    description:  Type of user account.
-
+  level: extend
+  type: keyword
+  example: Employee
+  description: Type of user account.
 - name: user.profile.status
-    level: extended
-    type:  keyword 
-    example: On board
-    description:  Status of the user account.
-
+  level: extend
+  type: keyword
+  example: On board
+  description: Status of the user account.
 - name: user.profile.first_name
-    level: extended
-    type:  keyword 
-    example: First
-    description:  First Name of the User.
-
+  level: extend
+  type: keyword
+  example: First
+  description: First Name of the User.
 - name: user.profile.last_name
-    level: extended
-    type:  keyword 
-    example: Last
-    description:  Last Name of the user.
-
+  level: extend
+  type: keyword
+  example: Last
+  description: Last Name of the user.
 - name: user.profile.other_identities
-    level: extended
-    type:  keyword 
-    multi_fields:
-        - type: text 
-    example: first.last@elk.elastic.co
-    description:  Array of additional user identities (usually email addresses).
-
+  level: extend
+  type: keyword
+  multi_fields:
+    - type: text
+  example: first.last@elk.elastic.co
+  description: Array of additional user identities (usually email addresses).
 - name: user.profile.manager
-    level: extended
-    type:  keyword 
-    example: John Doe
-    description:  Assigned Manager for the user account.
-
+  level: extend
+  type: keyword
+  example: John Doe
+  description: Assigned Manager for the user account.
 - name: user.profile.employee_type
-    level: extended
-    type:  keyword 
-    example: Regular 
-    description:  Further classification type for the user account.
-
+  level: extend
+  type: keyword
+  example: Regular
+  description: Further classification type for the user account.
 - name: user.profile.job_family
-    level: extended
-    type:  keyword 
-    example: 65-Sales
-    description:  Job family associated with the user account.
-
+  level: extend
+  type: keyword
+  example: 65-Sales
+  description: Job family associated with the user account.
 - name: user.profile.job_family_group
-    level: extended
-    type:  keyword 
-    example: GTM
-    description:  Job family group associated with the user account.
-
+  level: extend
+  type: keyword
+  example: GTM
+  description: Job family group associated with the user account.
 - name: user.profile.management_level
-    level: extended
-    type:  keyword 
-    example: Individual Contributor
-    description:  If the user account is identified as a Manager or Individual contributor.
-
+  level: extend
+  type: keyword
+  example: Individual Contributor
+  description: If the user account is identified as a Manager or Individual contributor.
 - name: user.profile.job_title
-    level: extended
-    type:  keyword 
-    example: Field Sales
-    description:  Job title assigned to the user account.
-
+  level: extend
+  type: keyword
+  example: Field Sales
+  description: Job title assigned to the user account.
 - name: user.profile.department
-    level: extended
-    type:  keyword 
-    example: x256
-    description:  Department name associated with the user account.
-
+  level: extend
+  type: keyword
+  example: x256
+  description: Department name associated with the user account.
 - name: user.profile.organization
-    level: extended
-    type:  keyword 
-    example: Elasticsearch Inc.
-    description:  Organization name associated with the account.
-
+  level: extend
+  type: keyword
+  example: Elasticsearch Inc.
+  description: Organization name associated with the account.
 - name: user.profile.location
-    level: extended
-    type:  keyword 
-    example: US - Washington - Distributed
-    description:  Assigned location for the user account.
-
+  level: extend
+  type: keyword
+  example: US - Washington - Distributed
+  description: Assigned location for the user account.
 - name: user.profile.mobile_phone
-    level: extended
-    type:  keyword 
-    example: 222-222-2222
-    description: 
-
+  level: extend
+  type: keyword
+  example: 222-222-2222
+  description: Mobile phone for the user account
 - name: user.profile.primary_phone
-    level: extended
-    type:  keyword 
-    example: 222-222-2222
-    description: 
-
+  level: extend
+  type: keyword
+  example: 222-222-2222
+  description: Primary phone for the user account
 - name: user.profile.second_email
-    level: extended
-    type:  keyword 
-    example: first.l@elastic.co
-    description:  Additional email addresses associated with the user account.
-
+  level: extend
+  type: keyword
+  example: first.l@elastic.co
+  description: Additional email addresses associated with the user account.
 - name: user.profile.supervisory_org_id
-    level: extended
-    type:  keyword 
-    example: SUP-ORG-75
-    description:  Primary organization ID for the user account.
-
+  level: extend
+  type: keyword
+  example: SUP-ORG-75
+  description: Primary organization ID for the user account.
 - name: user.profile.supervisory_org
-    level: extended
-    type:  keyword 
-    example: Field Sales
-    description:  Primary organization name for the user account.
-
+  level: extend
+  type: keyword
+  example: Field Sales
+  description: Primary organization name for the user account.
 - name: user.profile.assigned_mdm_id
-    level: extended
-    type:  keyword 
-    example: 2950
-    description:  The primary host identifier (usually `asset.id` value) assigned to the user. This field acts as a correlation identifier for the host event document.
-
+  level: extend
+  type: keyword
+  example: 2950
+  description: The primary host identifier (usually `asset.id` value) assigned to
+    the user. This field acts as a correlation identifier for the host event
+    document.
 - name: user.account.create_date
-    level: extended
-    type:  date 
-    example: June 5, 2023 @ 18:25:57.000
-    description:  Date account was created.
-
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.000
+  description: Date account was created.
 - name: user.account.activated_date
-    level: extended
-    type:  date 
-    example: June 5, 2023 @ 18:25:57.000
-    description:  Date account was activated.
-
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.000
+  description: Date account was activated.
 - name: user.account.change_date
-    level: extended
-    type:  date 
-    example: June 5, 2023 @ 18:25:57.000
-    description:  Date user account record was last updated at source
-
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.000
+  description: Date user account record was last updated at source
 - name: user.account.status.recovery
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account is in recovery
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account is in recovery
 - name: user.account.status.locked_out
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account is currently locked out
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account is currently locked out
 - name: user.account.status.suspended
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account has been suspended
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account has been suspended
 - name: user.account.is_admin
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account is an Admin account
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account is an Admin account
 - name: user.account.is_delegated_admin
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account has Delegated Admin rights
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account has Delegated Admin rights
 - name: user.account.is_privileged
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account is a Privileged account
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account is a Privileged account
 - name: user.account.status.password_expired
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account password has expired.
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if the account password has expired.
 - name: user.account.status.deprovisioned
-    level: extended
-    type:  boolean 
-    example: true/ false
-    description:  A flag indicating if account has been deprovisioned
-
+  level: extend
+  type: boolean
+  example: true/ false
+  description: A flag indicating if an account has been deprovisioned
 - name: user.account.password_change_date
-    level: extended
-    type:  date 
-    example: June 5, 2023 @ 18:25:57.000
-    description:  Last date/time when account password was updated
+  level: extend
+  type: date
+  example: June 5, 2023 @ 18:25:57.000
+  description: Last date/time when account password was updated

From ef6f6d8809b8d9b7300c60b7a460b5ec6e0290d2 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Fri, 5 Jan 2024 16:37:47 -0800
Subject: [PATCH 28/32] Update asset.yml

I am updating the asset schema to be reusable under host, users, and other entities.
---
 rfcs/text/0041/asset.yml | 326 +++++++++++++++++++++------------------
 1 file changed, 173 insertions(+), 153 deletions(-)

diff --git a/rfcs/text/0041/asset.yml b/rfcs/text/0041/asset.yml
index 2eec5befe..3c7bcf0dd 100644
--- a/rfcs/text/0041/asset.yml
+++ b/rfcs/text/0041/asset.yml
@@ -1,154 +1,174 @@
 ---
-- name: asset.category
-  level: extend
-  type: keyword
-  example: hardware
-  description: A further classification of the asset type beyond event.category.
-    Example for host assets {hardware, virtual, container, node}."
-- name: asset.type
-  level: extend
-  type: keyword
-  example: workstation
-  description: A sub-classification of assets. For host assets {workstation, S3,
-    Compute}. For user assets {NULL?}
-- name: asset.id
-  level: extend
-  type: keyword
-  example: 2950
-  description: A unique ID for the asset. For inventory integrations, it's the id
-    generated from the inventory data source
-- name: asset.name
-  level: extend
-  type: keyword
-  example: Sourin Paul Macbook Pro
-  description: A common name for the asset
-- name: asset.vendor
-  level: extend
-  type: keyword
-  example: Apple
-  description: Used primarily for 'Host' entities, the vendor name or brand
-    associated with the asset.
-- name: asset.product
-  level: extend
-  type: keyword
-  example: MacBook Pro
-  description: Used primarily for 'Host' entities, the product name associated
-    with the asset.
-- name: asset.model
-  level: extend
-  type: keyword
-  example: TBD
-  description: Used primarily for 'Host' entities, the model name or number
-    associated with this asset.
-- name: asset.version
-  level: extend
-  type: keyword
-  example: TBD
-  description: Used primarily for 'Host' entities, the version or year associated
-    with the asset.
-- name: asset.owner
-  level: extend
-  type: keyword
-  example: sourin.paul@elastic.co
-  description: The primary user entity who owns the 'Host' asset
-- name: asset.priority
-  level: extend
-  type: keyword
-  example: Priority 1
-  description: A priority classification for the asset obtained from outside this
-    system, such as from some external CMDB or Directory service.
-- name: asset.criticality
-  level: extend
-  type: keyword
-  example: Critical
-  description: A criticality classification obtained from outside this system,
-    such as from some external CMDB or Directory service.
-- name: asset.business_unit
-  level: extend
-  type: keyword
-  example: Analyst Experience
-  description: Business Unit associated with the asset (user or host).
-- name: asset.cost_center
-  level: extend
-  type: keyword
-  example: Security - Protections
-  description: Cost Center associated with the asset (user or host).
-- name: asset.cost_center_hierarchy
-  level: extend
-  type: keyword
-  example: Engineering
-  description: Additional cost center information associated with the asset (user or host).
-- name: asset.status
-  level: extend
-  type: keyword
-  example: ACTIVE
-  description: Current status of the asset in the inventory data source.
-- name: asset.last_status_change_date
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.000
-  description: The most recent date/time when the asset.status was updated.
-- name: asset.create_date
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.001
-  description: For users, it's the hire date. For other assets, it's the in-service date.
-- name: asset.end_date
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.002
-  description: For users, it's the termination date. For other assets, it's the
-    out-of-service date.
-- name: asset.first_seen
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.003
-  description: The earliest date/time at which this asset was observed.
-- name: asset.last_seen
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.004
-  description: The most recent date/time this asset was observed.  It would remain
-    empty until the asset was observed.
-- name: asset.last_updated
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.005
-  description: The most recent date/time this asset was updated in the inventory data source
-- name: asset.serial_number
-  level: extend
-  type: keyword
-  example: C02FG1G1MD6T
-  description: Serial number of the asset
-- name: asset.tags
-  level: extend
-  type: keyword
-  example: watch, mdmaccess, SMBIOS, AWStags
-  description: Tags assigned to the asset
-  normalize:
-    - array
-- name: asset.assigned_users
-  level: extend
-  type: keyword
-  example: user1@email.com, user2@email.com
-  description: List of users assigned to the asset
-- name: asset.assigned_users_are_admin
-  level: extend
-  type: boolean
-  example: true
-  description: Flag to identify if the assigned users have admin privileges
-- name: asset.is_managed
-  level: extend
-  type: boolean
-  example: true
-  description: Flag to identify if the organization manages the asset
-- name: asset.last_enrolled_date
-  level: extend
-  type: date
-  example: June 5, 2023 @ 18:25:57.005
-  description: The most recent date/time the asset checked in with MDM
-- name: asset.data_classification
-  level: extend
-  type: keyword
-  example: restricted
-  description: Data classification tier for the asset
+- name: asset
+  title: Asset information
+  group: 2
+  short: Fields for describing an asset
+  beta: |
+    These fields are in beta and are subject to change.
+  description: >
+    Fields to describe an organization asset such as a host, user, or
+    an infrastructure. These fields can be nested under other objects that
+    identifies an asset such as host, user, network, and cloud schemas.
+  reusable:
+    top_level: false
+    expected:
+      - host
+      - user
+      - network
+      - cloud
+  type: group
+  fields:
+    - name: category
+      level: extended
+      type: keyword
+      example: hardware
+      description: A further classification of the asset type beyond event.category.
+        Example for host assets {hardware, virtual, container, node}."
+    - name: type
+      level: extended
+      type: keyword
+      example: workstation
+      description: "A sub-classification of assets. Possible values for host assets:
+        workstation, S3,Compute. Possible values for host assets: (NULL/ TBD)"
+    - name: id
+      level: extended
+      type: keyword
+      example: 2950
+      description: A unique ID generated from the inventory data source
+    - name: name
+      level: extended
+      type: keyword
+      example: Sourin Paul Macbook Pro
+      description: A common name for the asset
+    - name: vendor
+      level: extended
+      type: keyword
+      example: Apple
+      description: Used primarily for 'Host' entities, the vendor name or brand
+        associated with a host
+    - name: product
+      level: extended
+      type: keyword
+      example: MacBook Pro
+      description: Used primarily for 'Host' entities, the product name associated
+        with a host
+    - name: model
+      level: extended
+      type: keyword
+      example: TBD
+      description: Used primarily for 'Host' entities, the model name or number
+        associated with a host
+    - name: version
+      level: extended
+      type: keyword
+      example: TBD
+      description: Used primarily for 'Host' entities, the version or year associated
+        with a host
+    - name: owner
+      level: extended
+      type: keyword
+      example: sourin.paul@elastic.co
+      description: The primary user entity who owns the 'Host' asset
+    - name: priority
+      level: extended
+      type: keyword
+      example: Priority 1
+      description: A priority classification for the asset obtained from outside this
+        system, such as from external CMDB or Directory service.
+    - name: criticality
+      level: extended
+      type: keyword
+      example: Critical
+      description: A business criticality classification assigned to the asset.
+    - name: business_unit
+      level: extended
+      type: keyword
+      example: Analyst Experience
+      description: Business Unit associated with the asset (user or host).
+    - name: cost_center
+      level: extended
+      type: keyword
+      example: Security - Protections
+      description: Cost Center associated with the asset (user or host).
+    - name: cost_center_hierarchy
+      level: extended
+      type: keyword
+      example: Engineering
+      description: Additional cost center information associated with the asset (user
+        or host).
+    - name: status
+      level: extended
+      type: keyword
+      example: ACTIVE
+      description: Current status of the asset in the inventory data source.
+    - name: last_status_change_date
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.000
+      description: The most recent date/time when the status was updated.
+    - name: create_date
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.001
+      description: For users, it's the hire date. For other assets, it's the
+        in-service date.
+    - name: end_date
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.002
+      description: For users, it's the termination date. For other assets, it's the
+        out-of-service date.
+    - name: first_seen
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.003
+      description: The earliest date/time at which this asset was observed.
+    - name: last_seen
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.004
+      description: The most recent date/time this asset was observed.  It would remain
+        empty until the asset was observed.
+    - name: last_updated
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.005
+      description: The most recent date/time this asset was updated in the inventory
+        data source
+    - name: serial_number
+      level: extended
+      type: keyword
+      example: C02FG1G1MD6T
+      description: Serial number of the asset
+    - name: tags
+      level: extended
+      type: keyword
+      example: watch, mdmaccess, SMBIOS, AWStags
+      description: Tags assigned to the asset
+      normalize:
+        - array
+    - name: assigned_users
+      level: extended
+      type: keyword
+      example: user1@email.com, user2@email.com
+      description: List of users assigned to the asset
+    - name: assigned_users_are_admin
+      level: extended
+      type: boolean
+      example: true
+      description: Flag to identify if the assigned users have admin privileges
+    - name: is_managed
+      level: extended
+      type: boolean
+      example: true
+      description: Flag to identify if the organization manages the asset
+    - name: last_enrolled_date
+      level: extended
+      type: date
+      example: June 5, 2023 @ 18:25:57.005
+      description: The most recent date/time the asset checked in with MDM
+    - name: data_classification
+      level: extended
+      type: keyword
+      example: restricted
+      description: Data classification tier for the asset

From 5e61c8eee30359426cff681f578473e068b1e668 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Fri, 5 Jan 2024 16:38:10 -0800
Subject: [PATCH 29/32] Update os.yml

nit
---
 rfcs/text/0041/os.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rfcs/text/0041/os.yml b/rfcs/text/0041/os.yml
index dadbab3de..ea757af7f 100644
--- a/rfcs/text/0041/os.yml
+++ b/rfcs/text/0041/os.yml
@@ -1,6 +1,6 @@
 ---
 - name: build
-  level: extend
+  level: extended
   type: keyword
   example: "FIELD4: 22F66"
   description: Host OS Build information

From a570e8b1cfdee4dab5cb2568b442207bf94a033a Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Fri, 5 Jan 2024 16:41:18 -0800
Subject: [PATCH 30/32] Update user.yml

nit
---
 rfcs/text/0041/user.yml | 66 ++++++++++++++++++++---------------------
 1 file changed, 33 insertions(+), 33 deletions(-)

diff --git a/rfcs/text/0041/user.yml b/rfcs/text/0041/user.yml
index 1472a8bf4..8ac1fe81d 100644
--- a/rfcs/text/0041/user.yml
+++ b/rfcs/text/0041/user.yml
@@ -1,170 +1,170 @@
 ---
 - name: user.profile.id
-  level: extend
+  level: extended
   type: keyword
   example: 1234
   description: User ID from the identity datasource.
 - name: user.profile.type
-  level: extend
+  level: extended
   type: keyword
   example: Employee
   description: Type of user account.
 - name: user.profile.status
-  level: extend
+  level: extended
   type: keyword
   example: On board
   description: Status of the user account.
 - name: user.profile.first_name
-  level: extend
+  level: extended
   type: keyword
   example: First
   description: First Name of the User.
 - name: user.profile.last_name
-  level: extend
+  level: extended
   type: keyword
   example: Last
   description: Last Name of the user.
 - name: user.profile.other_identities
-  level: extend
+  level: extended
   type: keyword
   multi_fields:
     - type: text
   example: first.last@elk.elastic.co
   description: Array of additional user identities (usually email addresses).
 - name: user.profile.manager
-  level: extend
+  level: extended
   type: keyword
   example: John Doe
   description: Assigned Manager for the user account.
 - name: user.profile.employee_type
-  level: extend
+  level: extended
   type: keyword
   example: Regular
   description: Further classification type for the user account.
 - name: user.profile.job_family
-  level: extend
+  level: extended
   type: keyword
   example: 65-Sales
   description: Job family associated with the user account.
 - name: user.profile.job_family_group
-  level: extend
+  level: extended
   type: keyword
   example: GTM
   description: Job family group associated with the user account.
 - name: user.profile.management_level
-  level: extend
+  level: extended
   type: keyword
   example: Individual Contributor
   description: If the user account is identified as a Manager or Individual contributor.
 - name: user.profile.job_title
-  level: extend
+  level: extended
   type: keyword
   example: Field Sales
   description: Job title assigned to the user account.
 - name: user.profile.department
-  level: extend
+  level: extended
   type: keyword
   example: x256
   description: Department name associated with the user account.
 - name: user.profile.organization
-  level: extend
+  level: extended
   type: keyword
   example: Elasticsearch Inc.
   description: Organization name associated with the account.
 - name: user.profile.location
-  level: extend
+  level: extended
   type: keyword
   example: US - Washington - Distributed
   description: Assigned location for the user account.
 - name: user.profile.mobile_phone
-  level: extend
+  level: extended
   type: keyword
   example: 222-222-2222
   description: Mobile phone for the user account
 - name: user.profile.primary_phone
-  level: extend
+  level: extended
   type: keyword
   example: 222-222-2222
   description: Primary phone for the user account
 - name: user.profile.second_email
-  level: extend
+  level: extended
   type: keyword
   example: first.l@elastic.co
   description: Additional email addresses associated with the user account.
 - name: user.profile.supervisory_org_id
-  level: extend
+  level: extended
   type: keyword
   example: SUP-ORG-75
   description: Primary organization ID for the user account.
 - name: user.profile.supervisory_org
-  level: extend
+  level: extended
   type: keyword
   example: Field Sales
   description: Primary organization name for the user account.
 - name: user.profile.assigned_mdm_id
-  level: extend
+  level: extended
   type: keyword
   example: 2950
   description: The primary host identifier (usually `asset.id` value) assigned to
     the user. This field acts as a correlation identifier for the host event
     document.
 - name: user.account.create_date
-  level: extend
+  level: extended
   type: date
   example: June 5, 2023 @ 18:25:57.000
   description: Date account was created.
 - name: user.account.activated_date
-  level: extend
+  level: extended
   type: date
   example: June 5, 2023 @ 18:25:57.000
   description: Date account was activated.
 - name: user.account.change_date
-  level: extend
+  level: extended
   type: date
   example: June 5, 2023 @ 18:25:57.000
   description: Date user account record was last updated at source
 - name: user.account.status.recovery
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account is in recovery
 - name: user.account.status.locked_out
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account is currently locked out
 - name: user.account.status.suspended
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account has been suspended
 - name: user.account.is_admin
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account is an Admin account
 - name: user.account.is_delegated_admin
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account has Delegated Admin rights
 - name: user.account.is_privileged
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account is a Privileged account
 - name: user.account.status.password_expired
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if the account password has expired.
 - name: user.account.status.deprovisioned
-  level: extend
+  level: extended
   type: boolean
   example: true/ false
   description: A flag indicating if an account has been deprovisioned
 - name: user.account.password_change_date
-  level: extend
+  level: extended
   type: date
   example: June 5, 2023 @ 18:25:57.000
   description: Last date/time when account password was updated

From f74c82f4736442287bbb8b90417b0916171eb6e7 Mon Sep 17 00:00:00 2001
From: Sourin Paul <82123779+SourinPaul@users.noreply.github.com>
Date: Tue, 30 Jan 2024 10:32:46 -0800
Subject: [PATCH 31/32] Update 0041-asset-integration.md

Captured agreements to stage 1 concern.
---
 rfcs/text/0041-asset-integration.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index b0c9ae9e4..7b98c3d0b 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -731,7 +731,8 @@ The goal here is to research and understand the impact of these changes on users
 Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
 -->
 
-* In stage1, @jasonrhodes identified fields from o11y use cases and a potential conflict: https://github.com/elastic/ecs/pull/2215#pullrequestreview-1498781860
+~~* In stage1, @jasonrhodes identified fields from o11y use cases and a potential conflict: https://github.com/elastic/ecs/pull/2215#pullrequestreview-1498781860~~
+--> Resolution: Exclude `asset.ean`, `asset.parents`, and `asset.children` from this RFC proposal and reintroduce these fields at a later time. Refer to: [[PR comment]](https://github.com/elastic/ecs/pull/2233#issuecomment-1917633738).
 
 <!--
 Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.

From dc621012b7a2e8a262a03a9639352556d69a2db4 Mon Sep 17 00:00:00 2001
From: Eric Beahan <eric.beahan@elastic.co>
Date: Thu, 22 Feb 2024 07:51:03 -0600
Subject: [PATCH 32/32] revisted to stage 2

---
 rfcs/text/0041-asset-integration.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/rfcs/text/0041-asset-integration.md b/rfcs/text/0041-asset-integration.md
index 7b98c3d0b..9526392c0 100644
--- a/rfcs/text/0041-asset-integration.md
+++ b/rfcs/text/0041-asset-integration.md
@@ -1,8 +1,8 @@
 # 0041: Asset Integration
 <!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->
 
-- Stage: **1 (Draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
-- Date: **2023-07-07** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
+- Stage: **2 (Candidate)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Date: **2024-02-22** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 <!--
 As you work on your RFC, use the "Stage N" comments to guide you in what you should focus on, for the stage you're targeting.
@@ -26,7 +26,7 @@ This proposal includes the following:
 * Additional fields in the `users` and `os` objects.
 * Introduces a new field set called `assets`.
 <!-- * Additional fields in the `host` object --->
-* Fields required for storing host and user metadata as the Elastic Security entity store/ index. 
+* Fields required for storing host and user metadata as the Elastic Security entity store/ index.
 
 We will create new enhancement RFCs to extend these schemas as needed.
 
@@ -76,7 +76,7 @@ user.account.status.deprovisioned	| boolean |	true/ false	| A flag indicating if
 user.account.password_change_date	| date |	June 5, 2023 @ 18:25:57.000	| Last date/time when account password was updated
 
 **Update:**
-Updated proposal to redact the below field. ECS guidance is to reuse existing organization.* fields instead 
+Updated proposal to redact the below field. ECS guidance is to reuse existing organization.* fields instead
 
 > user.profile.organization	| keyword |	Elasticsearch Inc.	| Organization name associated with the account.
 
@@ -234,7 +234,7 @@ Stage 2: Included a real world example source document. Ideally this example com
 Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
 -->
 
-### Examples of Real-world mapping: 
+### Examples of Real-world mapping:
 
 #### Mapping User object from Okta into ECS (partial):
 ```yml
@@ -705,7 +705,7 @@ processors:
 
 ```
 
- 
+
 #### AzureAD Hosts
 
 
@@ -775,7 +775,7 @@ e.g.:
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
 * Stage 0: https://github.com/elastic/ecs/pull/2215
-* Stage 1: https://github.com/elastic/ecs/pull/2233
+* Stage 2: https://github.com/elastic/ecs/pull/2233
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN