From 8da306533d7e8803d59ff314d1b4d847a0bfbaed Mon Sep 17 00:00:00 2001
From: djptek
Date: Thu, 8 Jul 2021 09:58:57 +0200
Subject: [PATCH 1/3] add one word to threat.yml
---
 code/go/ecs/threat.go | 6 +++---
 docs/field-details.asciidoc | 2 +-
 experimental/generated/beats/fields.ecs.yml | 8 ++++----
 experimental/generated/ecs/ecs_nested.yml | 8 ++++----
 generated/beats/fields.ecs.yml | 8 ++++----
 generated/ecs/ecs_nested.yml | 8 ++++----
 schemas/threat.yml | 2 +-
 7 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
index becd75adad..049cd52b55 100644
--- a/code/go/ecs/threat.go
+++ b/code/go/ecs/threat.go
@@ -26,9 +26,9 @@ import (
 // Fields to classify events and alerts according to a threat taxonomy such as
 // the MITRE ATT&CK® framework.
 // These fields are for users to classify alerts from all of their sources
-// (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are
-// meant to capture the high level category of the threat (e.g. "impact"). The
-// threat.technique.* fields are meant to capture which kind of approach is
+// (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields
+// are meant to capture the high level category of the threat (e.g. "impact").
+// The threat.technique.* fields are meant to capture which kind of approach is
 // used by this detected threat, to accomplish the goal (e.g. "endpoint denial
 // of service").
 type Threat struct {
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 0b4eaf9bbc..2fc6976759 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -7652,7 +7652,7 @@ example: `co.uk`
 Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
-These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
+These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
 [discrete]
 ==== Threat Field Details
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 9a9c890735..c715f1ae13 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -8171,10 +8171,10 @@ description: "Fields to classify events and alerts according to a threat taxonomy\ \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ - \ The threat.tactic.* are meant to capture the high level category of the threat\ - \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ - \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ - \ \"endpoint denial of service\")." + \ The threat.tactic.* fields are meant to capture the high level category of\ + \ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\ + \ which kind of approach is used by this detected threat, to accomplish the\ + \ goal (e.g. \"endpoint denial of service\")." type: group fields: - name: enrichments
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index cfc7bb5b9a..edaa348624 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -14326,10 +14326,10 @@ threat: description: "Fields to classify events and alerts according to a threat taxonomy\ \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ - \ The threat.tactic.* are meant to capture the high level category of the threat\ - \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ - \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ - \ \"endpoint denial of service\")." + \ The threat.tactic.* fields are meant to capture the high level category of the\ + \ threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\ + \ which kind of approach is used by this detected threat, to accomplish the goal\ + \ (e.g. \"endpoint denial of service\")." fields: threat.enrichments: beta: This field is beta and subject to change.
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 2854637315..df16e7ddb1 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5839,10 +5839,10 @@ description: "Fields to classify events and alerts according to a threat taxonomy\ \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ - \ The threat.tactic.* are meant to capture the high level category of the threat\ - \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ - \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ - \ \"endpoint denial of service\")." + \ The threat.tactic.* fields are meant to capture the high level category of\ + \ the threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\ + \ which kind of approach is used by this detected threat, to accomplish the\ + \ goal (e.g. \"endpoint denial of service\")." type: group fields: - name: enrichments
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index c44dd00cdf..7dbe87555f 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -10204,10 +10204,10 @@ threat: description: "Fields to classify events and alerts according to a threat taxonomy\ \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ - \ The threat.tactic.* are meant to capture the high level category of the threat\ - \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ - \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ - \ \"endpoint denial of service\")." + \ The threat.tactic.* fields are meant to capture the high level category of the\ + \ threat (e.g. \"impact\"). The threat.technique.* fields are meant to capture\ + \ which kind of approach is used by this detected threat, to accomplish the goal\ + \ (e.g. \"endpoint denial of service\")." fields: threat.enrichments: beta: This field is beta and subject to change.
diff --git a/schemas/threat.yml b/schemas/threat.yml
index 0e20fe332a..05e371cef4 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -7,7 +7,7 @@
 Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
 These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a
- common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat
+ common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat
 (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
From 8b7b15257ff9921a26a8ab37f8e85275185230e7 Mon Sep 17 00:00:00 2001
From: djptek
Date: Thu, 8 Jul 2021 10:02:32 +0200
Subject: [PATCH 2/3] changelog
---
 CHANGELOG.next.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index a051b25ad4..901f79a962 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -68,6 +68,7 @@ Thanks, you're awesome :-) -->
 * Swap `Location` and `Field Set` columns in `Field Reuse` table for better readability. #1472, #1476
 * Use a bullet points to list field reuses. #1473
+* Improve wording in `Threat` schema
 * Swap `Location` and `Field Set` columns in `Field Reuse` table for better readability. #1472, #1476
 * Use a bullet points to list field reuses. #1473
-* Improve wording in `Threat` schema
+* Improve wording in `Threat` schema #1505