# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# 	http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: geo
  title: Geo
  group: 2
  short: Fields describing a location.
  description: >
    Geo fields can carry data about a specific location related to an event.

    This geolocation information can be derived from techniques such as Geo IP,
    or be user-supplied.
  reusable:
    top_level: false
    expected:
      - client
      - destination
      - observer
      - host
      - server
      - source
      - at: threat.indicator
        as: geo
      - at: threat.enrichments.indicator
        as: geo
  type: group
  fields:

    - name: location
      level: core
      type: geo_point
      description: >
        Longitude and latitude.
      example: '{ "lon": -73.614830, "lat": 45.505918 }'

    - name: continent_code
      level: core
      type: keyword
      short: Continent code.
      description: >
        Two-letter code representing continent's name.
      example: NA

    - name: continent_name
      level: core
      type: keyword
      description: >
        Name of the continent.
      example: North America

    - name: country_name
      level: core
      type: keyword
      description: >
        Country name.
      example: Canada

    - name: region_name
      level: core
      type: keyword
      description: >
        Region name.
      example: Quebec

    - name: city_name
      level: core
      type: keyword
      description: >
        City name.
      example: Montreal

    - name: country_iso_code
      level: core
      type: keyword
      description: >
        Country ISO code.
      example: CA

    - name: postal_code
      level: core
      type: keyword
      short: Postal code.
      description: >
         Postal code associated with the location.

         Values appropriate for this field may also be known
         as a postcode or ZIP code and will vary widely from
         country to country.
      example: 94040

    - name: region_iso_code
      level: core
      type: keyword
      description: >
        Region ISO code.
      example: CA-QC

    - name: timezone
      level: core
      type: keyword
      short: Time zone.
      description: >
        The time zone of the location, such as IANA time zone name.
      example: "America/Argentina/Buenos_Aires"

    - name: name
      level: extended
      type: keyword
      short: User-defined description of a location.
      description: >
        User-defined description of a location, at the level of granularity they care about.

        Could be the name of their data centers, the floor number, if this describes
        a local physical entity, city names.

        Not typically used in automated geolocation.
      example: boston-dc