[RFC] Threat Enrichment - Stage 2

[rylnd]

As follow up to #1400, this is the stage 2 RFC for threat enrichment. I believe that most of the stage 2 work has already been done, but I'm happy to be told otherwise.

RFC Preview

TODO

• If submitting schema/fields updates, have you generated new artifacts by running make and committed those changes?
• Have you added an entry to the CHANGELOG.next.md?

[rylnd]

@ebeahan my first question for stage 2 is: should this PR promote the declared fields so that they are included as beta fields, or is that done once this is merged (a la #1438) ?

[ebeahan]

@rylnd We've found separating the RFC PR from the implementation PR is cleaner, and it lets us focus more on the content and details of the proposal vs. clogging up the RFC discussion with potential ECS build issues, testing, tooling challenges, etc.

[devonakerr]

Minor updates reflecting the stage advancement of this RFC look good to me.

[ebeahan]

LGTM 👍

Review Criteria for Stage 2

• Opened pull request for this draft revising the existing proposal
• Completed field definitions
• Included a real world example source document
• Identifies scope of impact of changes to ingestion mechanisms (e.g. beats/logstash), usage mechanisms (e.g. Kibana applications, detections), and the ECS project (e.g. docs, tooling)
• Subject matter experts weighed in on technical utility of field definitions in the pull request