Description

The Box Events integration define some custom fields at root level that could collide with the ECS managed namespace.

In particular, the non-ECS fields that are added by the integration are:

• related.location.lat
• related.location.lon
• related.description
• related.indicator_typ

We should plan to remove these fields from the integration.

On the other hand, there are two more classes of non-ECS fields being added into ECS managed namespaces:

Fields produced by beat processors that are always enabled

• cloud.image.id
• host.containerized
• host.os.build
• host.os.codename

These are added in many integrations by beats processors such as add_host_metadata. I am not sure why they are not part of ECS, but seems that this discussion has been taken from a long time ago (elastic/ecs#294).

These fields should be kept as part of the integration fieldset.

Fields never produced by beat processors or cel/httpjson inputs

• host.cpu.pct
• host.network.in.bytes
• host.network.in.packets
• host.network.out.bytes
• host.network.out.packets

These fields are defined but never populated, they can be removed.