From 8f880e8218454f93c6e97030e156a73a6aeec228 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Fri, 5 Apr 2024 12:31:12 +0200 Subject: [PATCH 01/11] Update 0000-rfc-template.md Updating the template for RFC Stage 0 for adding 2 new rule fields: rule.tags and rule.remediation --- rfcs/0000-rfc-template.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/rfcs/0000-rfc-template.md b/rfcs/0000-rfc-template.md index 1ac7c95052..82f0b5c488 100644 --- a/rfcs/0000-rfc-template.md +++ b/rfcs/0000-rfc-template.md @@ -12,6 +12,7 @@ Feel free to remove these comments as you go along. +This RFC proposes addition of 2 new fields (rule.tags and rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of these fields is to provide more context to the users in the rule fieldset, rule.tags will be used to track the set of tags applied to the rule, customers can use it to indicate metadata about the rule, and rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. @@ -79,7 +87,10 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should The following are the people that consulted on the contents of this RFC. -* TBD | author +* @smriti0321 | author +* @tinnytintin10 | Product Manager Cloud Security +* @oren-zohar | Engineering Manager Cloud Security +* @orouz | Engineer +EPIC with detailed discussion on addition of these fields - https://github.com/elastic/security-team/issues/7658 ### RFC Pull Requests From 0bee3ac821ffb862b3cd18e324119f85fee6008f Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 25 Apr 2024 12:40:17 +0200 Subject: [PATCH 02/11] Update 0000-rfc-template.md Incorporating review comments. --- rfcs/0000-rfc-template.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rfcs/0000-rfc-template.md b/rfcs/0000-rfc-template.md index 82f0b5c488..d2770cdef4 100644 --- a/rfcs/0000-rfc-template.md +++ b/rfcs/0000-rfc-template.md @@ -27,8 +27,8 @@ Stage X: Provide a brief explanation of why the proposal is being marked as aban The `rule` fields being proposed are as follows: Field | Type | Description /Usage --- | -- | -- | -- | -- -rule.tags | array | Used to track the set of tags applied to a rule | Customers can use it to indicate: author, benchmark partial name, rule number, rule category etc. It will be useful when we extend the capability to add more rules +-- | -- | -- + rule.remediation | array | Used to capture remediation instructions that come from the benchmark / framework the rule is from -EPIC with detailed discussion on addition of these fields - https://github.com/elastic/security-team/issues/7658 + ### RFC Pull Requests From 0dce6ad47437c3129a66a638291e67ca45b87f36 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 27 Jun 2024 14:21:28 +0200 Subject: [PATCH 03/11] Renaming the template file with recommended name --- ...plate.md => 0000-additional-rule-field.md} | 50 ++++++++++--------- 1 file changed, 27 insertions(+), 23 deletions(-) rename rfcs/{0000-rfc-template.md => 0000-additional-rule-field.md} (77%) diff --git a/rfcs/0000-rfc-template.md b/rfcs/0000-additional-rule-field.md similarity index 77% rename from rfcs/0000-rfc-template.md rename to rfcs/0000-additional-rule-field.md index d2770cdef4..3d4bf4702d 100644 --- a/rfcs/0000-rfc-template.md +++ b/rfcs/0000-additional-rule-field.md 
@@ -1,29 +1,29 @@ -# 0000: Name of RFC +# 0000: Additional Rule Field - Stage: **0 (strawperson)** - Date: **TBD** - +<<<<<<< HEAD +======= This RFC proposes addition of 2 new fields (rule.tags and rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of these fields is to provide more context to the users in the rule fieldset, rule.tags will be used to track the set of tags applied to the rule, customers can use it to indicate metadata about the rule, and rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. +>>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56 - ## Fields +<<<<<<< HEAD +======= The `rule` fields being proposed are as follows: Field | Type | Description /Usage @@ -34,10 +34,16 @@ rule.remediation | array | Used to capture remediation instructions that come fr +>>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56 + +The `rule` fields being proposed are as follows: + +Field | Type | Example | Description/Usage +-- | -- | -- +rule.tags | array | Used to track the set of tags applied to a rule | Customers can use it to indicate: author, benchmark partial name, rule number, rule category etc. It will be useful when we extend the capability to add more rules +rule.remediation | array | Enable encryption on all S3 buckets | Used to capture remediation instructions that come from the benchmark / framework the rule is from + - ## Usage 
@@ -87,27 +93,25 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should The following are the people that consulted on the contents of this RFC. +<<<<<<< HEAD +* @smriti0321 | author +* @tinnytintin10 | Product Manager +* @oren-zohar | Engineering Manager +* @orouz | Engineer +* @trisch-me | Security ECS team +======= * @smriti0321 | author * @tinnytintin10 | Product Manager Cloud Security * @oren-zohar | Engineering Manager Cloud Security * @orouz | Engineer +>>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56 - ## References +* EPIC- https://github.com/elastic/security-team/issues/7658 ### RFC Pull Requests From 6a66ed158de30f2547ca696085b94dd6de805b26 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 27 Jun 2024 14:31:12 +0200 Subject: [PATCH 04/11] Resolving conflicts --- rfcs/0000-additional-rule-field.md | 31 ++---------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/rfcs/0000-additional-rule-field.md b/rfcs/0000-additional-rule-field.md index 3d4bf4702d..e1018a09eb 100644 --- a/rfcs/0000-additional-rule-field.md +++ b/rfcs/0000-additional-rule-field.md 
@@ -5,37 +5,16 @@ - Date: **TBD** -<<<<<<< HEAD -======= + This RFC proposes addition of 2 new fields (rule.tags and rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of these fields is to provide more context to the users in the rule fieldset, rule.tags will be used to track the set of tags applied to the rule, customers can use it to indicate metadata about the rule, and rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. ->>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56 - ## Fields -<<<<<<< HEAD -======= -The `rule` fields being proposed are as follows: - -Field | Type | Description /Usage --- | -- | -- - -rule.remediation | array | Used to capture remediation instructions that come from the benchmark / framework the rule is from - - ->>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56 - The `rule` fields being proposed are as follows: Field | Type | Example | Description/Usage @@ -93,18 +72,12 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should The following are the people that consulted on the contents of this RFC. -<<<<<<< HEAD * @smriti0321 | author * @tinnytintin10 | Product Manager * @oren-zohar | Engineering Manager * @orouz | Engineer * @trisch-me | Security ECS team -======= -* @smriti0321 | author -* @tinnytintin10 | Product Manager Cloud Security -* @oren-zohar | Engineering Manager Cloud Security -* @orouz | Engineer ->>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56 + From af356f60538a62acb681fe911a06f079b91a5a33 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 27 Jun 2024 14:35:08 +0200 Subject: [PATCH 05/11] Removing Tag Field --- rfcs/0000-additional-rule-field.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/rfcs/0000-additional-rule-field.md b/rfcs/0000-additional-rule-field.md index e1018a09eb..55f407e6ce 100644 --- a/rfcs/0000-additional-rule-field.md +++ b/rfcs/0000-additional-rule-field.md @@ -18,8 +18,7 @@ This RFC proposes addition of 2 new fields (rule.tags and rule.remediation) in r The `rule` fields being proposed are as follows: Field | Type | Example | Description/Usage --- | -- | -- -rule.tags | array | Used to track the set of tags applied to a rule | Customers can use it to indicate: author, benchmark partial name, rule number, rule category etc. It will be useful when we extend the capability to add more rules +-- | -- | -- | -- rule.remediation | array | Enable encryption on all S3 buckets | Used to capture remediation instructions that come from the benchmark / framework the rule is from From 8fcb9b72ec9cdc04d9ccc018964d3b3f4243f614 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 4 Jul 2024 14:39:05 +0200 Subject: [PATCH 06/11] Resolving comments from @trisch-me --- rfcs/0000-additional-rule-field.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rfcs/0000-additional-rule-field.md b/rfcs/0000-additional-rule-field.md index 55f407e6ce..f9354ce2f2 100644 --- a/rfcs/0000-additional-rule-field.md +++ b/rfcs/0000-additional-rule-field.md 
@@ -9,7 +9,7 @@ -This RFC proposes addition of 2 new fields (rule.tags and rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of these fields is to provide more context to the users in the rule fieldset, rule.tags will be used to track the set of tags applied to the rule, customers can use it to indicate metadata about the rule, and rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. +This RFC proposes addition of 1 new field (rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of this field is to provide more context to the users in the rule fieldset, rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. @@ -83,7 +83,7 @@ The following are the people that consulted on the contents of this RFC. ## References -* EPIC- https://github.com/elastic/security-team/issues/7658 + ### RFC Pull Requests From 63e9f397af39c452be49c5e0bc2fbc397651fffd Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 4 Jul 2024 15:20:11 +0200 Subject: [PATCH 07/11] Moving file to rfcs/text folder as per @trisch-me comment. using next number in series. --- .../0044-additional-rule-field.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rfcs/{0000-additional-rule-field.md => text/0044-additional-rule-field.md} (100%) diff --git a/rfcs/0000-additional-rule-field.md b/rfcs/text/0044-additional-rule-field.md similarity index 100% rename from rfcs/0000-additional-rule-field.md rename to rfcs/text/0044-additional-rule-field.md From 9f2c00548e9c57d2bc92a3c5da083b1634523567 Mon Sep 17 00:00:00 2001 
From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Thu, 4 Jul 2024 16:00:11 +0200 Subject: [PATCH 08/11] I saw number 44 was used in a recent RFC, using next number in series --- ...044-additional-rule-field.md => 0046-additional-rule-field.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rfcs/text/{0044-additional-rule-field.md => 0046-additional-rule-field.md} (100%) diff --git a/rfcs/text/0044-additional-rule-field.md b/rfcs/text/0046-additional-rule-field.md similarity index 100% rename from rfcs/text/0044-additional-rule-field.md rename to rfcs/text/0046-additional-rule-field.md From a6be9928819beeadf89c5a9f05c387b435ab18b2 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Fri, 20 Sep 2024 13:07:16 +0200 Subject: [PATCH 09/11] adding stage 1 yml for rule field --- rfcs/text/0046/rule.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 rfcs/text/0046/rule.yml diff --git a/rfcs/text/0046/rule.yml b/rfcs/text/0046/rule.yml new file mode 100644 index 0000000000..43abe3dd39 --- /dev/null +++ b/rfcs/text/0046/rule.yml @@ -0,0 +1,16 @@ +--- +- name: rule + fields: + - name: remediation + level: extended + type: array + short: Recommended remediation steps if the rule evaluation fails + description: > + Used to capture remediation instructions that come from the benchmark / framework the rule is from + example: > + Perform the following to enable MFA: + From Console: + Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' + In the left pane, select Users. + and so on. + From d677cecc1d5c441ed2be9478f80106d63e41a2a1 Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Fri, 20 Sep 2024 16:23:14 +0200 Subject: [PATCH 10/11] Adhering to array json syntax --- rfcs/text/0046/rule.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
diff --git a/rfcs/text/0046/rule.yml b/rfcs/text/0046/rule.yml index 43abe3dd39..c2dcef8ee0 100644 --- a/rfcs/text/0046/rule.yml +++ b/rfcs/text/0046/rule.yml @@ -3,14 +3,19 @@ fields: - name: remediation level: extended - type: array + type: wildcard short: Recommended remediation steps if the rule evaluation fails description: > Used to capture remediation instructions that come from the benchmark / framework the rule is from example: > - Perform the following to enable MFA: + '["Perform the following to enable MFA: From Console: Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' In the left pane, select Users. - and so on. + and so on", "From cli: "]' + normalize: + - array + + + From 21626895fa4374e0ec8af2b3433c5aa456a9ff3b Mon Sep 17 00:00:00 2001 From: Smriti <152067238+smriti0321@users.noreply.github.com> Date: Fri, 14 Feb 2025 14:10:05 +0100 Subject: [PATCH 11/11] changing type to text --- rfcs/text/0046/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfcs/text/0046/rule.yml b/rfcs/text/0046/rule.yml index c2dcef8ee0..e3838214aa 100644 --- a/rfcs/text/0046/rule.yml +++ b/rfcs/text/0046/rule.yml @@ -3,7 +3,7 @@ fields: - name: remediation level: extended - type: wildcard + type: text short: Recommended remediation steps if the rule evaluation fails description: > Used to capture remediation instructions that come from the benchmark / framework the rule is from
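Review bot: In PATCH 01, hunk `@@ -12,6 +12,7 @@`, the added overview is a single run-on sentence that joins the proposal, the purpose and both field definitions with commas, and it is inserted directly under the template's "Feel free to remove these comments as you go along." instruction text rather than in a body section. Split it into one sentence stating the proposal ("This RFC proposes adding two fields, `rule.tags` and `rule.remediation`, to the `rule` field set of the Elastic Common Schema (ECS).") and one sentence per field, and place it under the RFC's own heading.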
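Review bot: In PATCH 01, hunk `@@ -79,7 +87,10 @@`, the line `+EPIC with detailed discussion on addition of these fields - https://github.com/elastic/security-team/issues/7658` is a bare link appended to the people list instead of an entry under `## References` (PATCH 03 later moves it there). If that repository is not readable by the ECS reviewers, the key decisions from the EPIC should be summarized in the RFC body, since a link nobody outside the team can open does not document the design.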
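Review bot: In PATCH 02, hunk `@@ -27,8 +27,8 @@`, shrinking the separator row to `-- | -- | --` correctly matches the three-column header, but dropping the `rule.tags` row leaves the overview paragraph (which still says "2 new fields (rule.tags and rule.remediation)") out of sync with the table, and the header cell `Description /Usage` has a stray space before the slash. Keep the table and the overview consistent in the same commit and write the header as `Description/Usage`.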
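Review bot: In PATCH 03, hunk `@@ -1,29 +1,29 @@`, unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 8ee34ce1711cf2650998fffac178295a89396c56`) are committed into the RFC, which also duplicates the overview paragraph and the fields preamble; PATCH 04 removes them, so the two commits should be squashed so no revision in the series contains markers. In the same hunk the new four-column header `Field | Type | Example | Description/Usage` is followed by a three-cell separator `-- | -- | --`, which does not render as a table, and the `rule.tags` row puts a description ("Used to track the set of tags applied to a rule") in the Example column instead of an example value such as a short list of tags.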
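Review bot: In PATCH 03, hunk `@@ -87,27 +93,25 @@`, the same conflict markers are committed around two competing versions of the people list, and the new reference line `* EPIC- https://github.com/elastic/security-team/issues/7658` is missing the space after the hyphen. Resolve the conflict to the five-person list and write the entry as `* EPIC - https://github.com/elastic/security-team/issues/7658`.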
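Review bot: In PATCH 05, hunk `@@ -18,8 +18,7 @@`, the separator is fixed to four cells (`-- | -- | -- | --`) and the `rule.tags` row is removed, but the overview paragraph still announces "2 new fields (rule.tags and rule.remediation)" until PATCH 06 and the table's Type cell for `rule.remediation` still reads `array`, which is not an ECS field type. Update the overview in the commit that removes the field, and express the type as the scalar type plus array normalization, which is how ECS models multi-valued fields.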
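Review bot: In PATCH 06, hunk `@@ -83,7 +83,7 @@`, removing the EPIC entry leaves `## References` with no content. Either drop the empty heading or add a reference reviewers can actually read, for example the public benchmark or framework whose remediation text the field is meant to carry, which would also justify the "provided by the benchmark or framework" claim in the overview.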
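Review bot: In PATCH 08, the rename from `0044-additional-rule-field.md` to `0046-additional-rule-field.md` skips 0045 although the message says "using next number in series"; confirm 0045 is already taken, or use it, so the RFC numbering stays contiguous.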
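Review bot: In PATCH 09, hunk `@@ -0,0 +1,16 @@`, `type: array` is not a valid ECS field type; ECS models multi-valued fields with a scalar type (`keyword`, `text`, `wildcard`) plus `normalize: - array`, which PATCH 10 partly adopts. The `example: >` folded scalar also yields one string ending in "and so on.", which is filler rather than a complete example; give a short, complete remediation step so the generated documentation shows a realistic value.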
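Review bot: In PATCH 10, hunk `@@ -3,14 +3,19 @@`, the example is still under `example: >`, so the surrounding single quotes become part of the value and the result is `'["..."]'`, which is not the JSON array the commit message intends; the inner `'https://console.aws.amazon.com/iam/'` quotes and the empty placeholder element `"From cli: "` compound the problem. Either make `example` a plain YAML sequence of strings or a plain JSON-array string without the wrapping quotes, and drop the three trailing blank lines added at end of file. `wildcard` is also an odd choice for paragraphs of prose, since it exists for pattern matching over keyword-like values; `text`, as PATCH 11 chooses, fits free-form instructions better.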
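Review bot: In PATCH 11, hunk `@@ -3,7 +3,7 @@`, changing the type to `text` is appropriate for prose, but nothing in the series updates the markdown table, which still lists `rule.remediation` as `array`; align the RFC text with `rule.yml` (`text` with `normalize: - array`). Since `text` fields are analyzed and not aggregatable, the Usage section should state that the field is for display in findings and not for filtering or aggregation, so consumers do not expect to group by it.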