Commit 9b1cc75

Checkout files from main
1 parent 9b177e4 commit 9b1cc75

3 files changed

+6
-12
lines changed

docs/reference/ecs-otel-alignment-details.md

Lines changed: 5 additions & 5 deletions
@@ -158,16 +158,16 @@ The following table gives an overview of mappings between individual ECS fields
158158
| $$$otel-mapping-for-process-args-count$$$ [process.args_count](/reference/ecs-process.md#field-process-args-count) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
159159
| $$$otel-mapping-for-process-command-line$$$ [process.command_line](/reference/ecs-process.md#field-process-command-line) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
160160
| $$$otel-mapping-for-process-executable$$$ [process.executable](/reference/ecs-process.md#field-process-executable) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
161-
| $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
162-
| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
163161
| $$$otel-mapping-for-process-real-user-id$$$ process.real_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
162+
| $$$otel-mapping-for-process-saved-user-id$$$ process.saved_user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
163+
| $$$otel-mapping-for-process-user-id$$$ process.user.id | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
164164
| $$$otel-mapping-for-process-interactive$$$ [process.interactive](/reference/ecs-process.md#field-process-interactive) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.interactive](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-interactive) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
165-
| $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
166-
| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
167165
| $$$otel-mapping-for-process-real-user-name$$$ process.real_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.real_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-real-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
166+
| $$$otel-mapping-for-process-saved-user-name$$$ process.saved_user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.saved_user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-saved-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
167+
| $$$otel-mapping-for-process-user-name$$$ process.user.name | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.user.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-user-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
168+
| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
168169
| $$$otel-mapping-for-process-pid$$$ [process.pid](/reference/ecs-process.md#field-process-pid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
169170
| $$$otel-mapping-for-process-session-leader-pid$$$ process.session_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.session_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-session-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
170-
| $$$otel-mapping-for-process-group-leader-pid$$$ process.group_leader.pid | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.group_leader.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-group-leader-pid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
171171
| $$$otel-mapping-for-process-title$$$ [process.title](/reference/ecs-process.md#field-process-title) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.title](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-title) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
172172
| $$$otel-mapping-for-process-uptime$$$ [process.uptime](/reference/ecs-process.md#field-process-uptime) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.process.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
173173
| $$$otel-mapping-for-process-vpid$$$ [process.vpid](/reference/ecs-process.md#field-process-vpid) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [process.vpid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-vpid) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) |
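
Review bot: The five moved rows (process.user.id, process.saved_user.id, process.user.name, process.saved_user.name, process.group_leader.pid) are textually identical before and after, so this is an ordering-only change, yet the commit message "Checkout files from main" does not say so. State that in the message so a reviewer does not have to compare the rows by hand. Separately, the moved rows still show the ECS field as plain text (`process.user.id`) while neighbours such as `process.args_count` link into /reference/ecs-process.md; if these nested fields have an anchor in that file, add the link while the rows are being touched.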

docs/reference/ecs-otel-alignment-overview.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ The following table summarizes the alignment status by namespaces between ECS in
8585
| Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · |
8686
| PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · |
8787
| Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | |
88-
| Process | [40](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · |
88+
| Process | [34](/reference/ecs-process.md) | [34](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process) | 15 | 2 | · | · | 1 | · | · |
8989
| Profile Frame | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/profile) | · | · | · | · | · | · | |
9090
| Registry | [7](/reference/ecs-registry.md) | · | · | · | · | · | · | · | · |
9191
| Related | [4](/reference/ecs-related.md) | · | · | · | · | · | · | · | 4 |
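
Review bot: On the Process row the ECS count drops from 40 to 34, which matches the six rows deleted from docs/reference/ecs-process.md in this commit, but the commit message does not record that fields are leaving the reference. Name the six fields in the message or a changelog entry. The other columns on the row (34, 15, 2, 1) are unchanged, which is consistent with none of the removed rows carrying an OTel badge.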

docs/reference/ecs-process.md

Lines changed: 0 additions & 6 deletions
@@ -21,9 +21,7 @@ These fields can help you correlate metrics information with a process id/name f
2121
| $$$field-process-args-count$$$ [process.args_count](#field-process-args-count) | Length of the process.args array.<br><br>This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.<br><br>type: long<br><br>example: `4`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.args_count](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-args-count) | extended |
2222
| $$$field-process-command-line$$$ [process.command_line](#field-process-command-line) | Full command line that started the process, including the absolute path to the executable, and all arguments.<br><br>Some arguments may be filtered to protect sensitive information.<br><br>type: wildcard<br><br>Multi-fields:<br><br>* process.command_line.text (type: match_only_text)<br><br>example: `/usr/bin/ssh -l user 10.0.0.16`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.command_line](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-command-line) | extended |
2323
| $$$field-process-end$$$ [process.end](#field-process-end) | The time the process ended.<br><br>type: date<br><br>example: `2016-05-23T08:05:34.853Z` | extended |
24-
| $$$field-process-endpoint-security-client$$$ [process.endpoint_security_client](#field-process-endpoint-security-client) | _This field is beta and subject to change._ Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.<br><br>type: boolean | extended |
2524
| $$$field-process-entity-id$$$ [process.entity_id](#field-process-entity-id) | Unique identifier for the process.<br><br>The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.<br><br>Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.<br><br>type: keyword<br><br>example: `c2c455d9f99375d` | extended |
26-
| $$$field-process-entry-meta-type$$$ [process.entry_meta.type](#field-process-entry-meta-type) | The entry type for the entry session leader. Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console<br><br>Note: This field is only set on process.session_leader.<br><br>type: keyword | extended |
2725
| $$$field-process-env-vars$$$ [process.env_vars](#field-process-env-vars) | Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.<br><br>May be filtered to protect sensitive information.<br><br>type: keyword<br><br>Note: This field should contain an array of values.<br><br>example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended |
2826
| $$$field-process-executable$$$ [process.executable](#field-process-executable) | Absolute path to the process executable.<br><br>type: keyword<br><br>Multi-fields:<br><br>* process.executable.text (type: match_only_text)<br><br>example: `/usr/bin/ssh`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.executable.path](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-executable-path) | extended |
2927
| $$$field-process-exit-code$$$ [process.exit_code](#field-process-exit-code) | The exit code of the process, if this is a termination event.<br><br>The field should be absent if there is no exit code for the event (e.g. process start).<br><br>type: long<br><br>example: `137` | extended |
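
Review bot: The removed `process.entry_meta.type` row carries no "This field is beta and subject to change" marker, unlike the `process.endpoint_security_client` row removed next to it, so this deletes documentation for a field that was not flagged as unstable. Confirm the field is really absent from the schema on main; if data sources still set it on process.session_leader, keep the row.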
@@ -38,11 +36,7 @@ These fields can help you correlate metrics information with a process id/name f
3836
| $$$field-process-io-total-bytes-skipped$$$ [process.io.total_bytes_skipped](#field-process-io-total-bytes-skipped) | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero<br><br>type: long | extended |
3937
| $$$field-process-io-type$$$ [process.io.type](#field-process-io-type) | The type of object on which the IO action (read or write) was taken.<br><br>Currently only 'tty' is supported. Other types may be added in the future for 'file' and 'socket' support.<br><br>type: keyword | extended |
4038
| $$$field-process-name$$$ [process.name](#field-process-name) | Process name.<br><br>Sometimes called program name or similar.<br><br>type: keyword<br><br>Multi-fields:<br><br>* process.name.text (type: match_only_text)<br><br>example: `ssh` | extended |
41-
| $$$field-process-origin-referrer-url$$$ [process.origin_referrer_url](#field-process-origin-referrer-url) | _This field is beta and subject to change._ The URL of the webpage that linked to the process's executable file.<br><br>type: keyword<br><br>example: `http://example.com/article1.html` | extended |
42-
| $$$field-process-origin-url$$$ [process.origin_url](#field-process-origin-url) | _This field is beta and subject to change._ The URL where the process's executable file is hosted.<br><br>type: keyword<br><br>example: `http://example.com/files/example.exe` | extended |
4339
| $$$field-process-pid$$$ [process.pid](#field-process-pid) | Process id.<br><br>type: long<br><br>example: `4242`<br><br>![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [process.pid](https://opentelemetry.io/docs/specs/semconv/attributes-registry/process/#process-pid) | core |
44-
| $$$field-process-platform-binary$$$ [process.platform_binary](#field-process-platform-binary) | _This field is beta and subject to change._ Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true.<br><br>type: boolean | extended |
45-
| $$$field-process-same-as-process$$$ [process.same_as_process](#field-process-same-as-process) | This boolean is used to identify if a leader process is the same as the top level process.<br><br>For example, if `process.group_leader.same_as_process = true`, it means the process event in question is the leader of its process group. Details under `process.*` like `pid` would be the same under `process.group_leader.*` The same applies for both `process.session_leader` and `process.entry_leader`.<br><br>This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document. e.g `process.entity_id` = `process.group_leader.entity_id` (top level process is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` (top level process is the entry session leader)<br><br>Instead these rules could be written like: `process.group_leader.same_as_process: true` OR `process.entry_leader.same_as_process: true`<br><br>Note: This field is only set on `process.entry_leader`, `process.session_leader` and `process.group_leader`.<br><br>type: boolean<br><br>example: `True` | extended |
4640
| $$$field-process-start$$$ [process.start](#field-process-start) | The time the process started.<br><br>type: date<br><br>example: `2016-05-23T08:05:34.853Z` | extended |
4741
| $$$field-process-thread-capabilities-effective$$$ [process.thread.capabilities.effective](#field-process-thread-capabilities-effective) | This is the set of capabilities used by the kernel to perform permission checks for the thread.<br><br>type: keyword<br><br>Note: This field should contain an array of values.<br><br>example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended |
4842
| $$$field-process-thread-capabilities-permitted$$$ [process.thread.capabilities.permitted](#field-process-thread-capabilities-permitted) | This is a limiting superset for the effective capabilities that the thread may assume.<br><br>type: keyword<br><br>Note: This field should contain an array of values.<br><br>example: `["CAP_BPF", "CAP_SYS_ADMIN"]` | extended |
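
Review bot: Of the four rows removed in this hunk, `process.same_as_process` is the only one without the beta marker, and its description is where the page explains writing rules as `process.group_leader.same_as_process: true` instead of comparing two entity_id fields in one document. If the field is still populated on process.entry_leader, process.session_leader and process.group_leader, keep the row or move that guidance elsewhere; otherwise say in the commit message that the three beta fields (process.origin_referrer_url, process.origin_url, process.platform_binary) and this one are being dropped.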
