Add process.thread.capabilities to ECS fields

These fields are only present in ECS 8.10, it seems beats is still tracking ECS 8.0, is this the right way to do until we track 8.10+? It's enough for `mage integTest` to pass, otherwise it will complain about undocumented new fields
elastic · Dec 18, 2023 · c058cf1 · c058cf1
1 parent 335bc8a
commit c058cf1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/x-pack/auditbeat/module/system/_meta/fields.yml b/x-pack/auditbeat/module/system/_meta/fields.yml
@@ -1,3 +1,16 @@
+- key: ecs
+  fields:
+  - name: process.thread.capabilities.effective
+    type: keyword
+    description: >
+      This is the set of capabilities used by the kernel to perform permission checks for the thread.
+    example: ["CAP_BPF", "CAP_SYS_ADMIN"]
+  - name: process.thread.capabilities.permitted
+    type: keyword
+    description: >
+      This is a limiting superset for the effective capabilities that the thread may assume.
+    example: ["CAP_BPF", "CAP_SYS_ADMIN"]
+
 - key: system
   title: "System"
   description: >

diff --git a/x-pack/auditbeat/module/system/fields.go b/x-pack/auditbeat/module/system/fields.go