Releases: elastic/ecs

ECS 8.6.0

10 Jan 16:26
7a4148f

8.6.0 RELEASE

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ECS 8.6.0-rc1

21 Nov 11:25
a9e19ed

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ECS 8.5.2

08 Nov 19:32
8ebaa13

What's new in ECS 8.5.2

Schema Changes

Bugfixes

  • Fixes invalid number type on 4 process.io subfields. #2105

ECS 8.5.1

02 Nov 16:37
17858e7

What's new in ECS 8.5.1

Tooling and Artifact Changes

Bugfixes

  • Fix type of normalize in process.io.bytes_skipped. #2094

ECS 8.5.0

01 Nov 14:26
c64d2c1

What's new in ECS 8.5.0

Schema Changes

Added

  • Adding risk.* fields as experimental. #1994, #2010
  • Adding process.io.* as beta fields. #1956, #2031
  • Adding process.tty.rows and process.tty.columns as beta fields. #2031
  • Changed process.env_vars field type to be an array of keywords. #2038
  • process.attested_user and process.attested_groups as beta fields. #2050
  • Added risk.* fieldset to beta. #2051, #2058
  • Moved Linux event model fields to GA. #2082

Improvements

  • Advances threat.enrichments.indicator to GA. #1928
  • Added ios and android as valid values for os.type #1999

Tooling and Artifact Changes

Bugfixes

  • Added Deprecation Warning for misspell task #1993
  • Fix typo in client schema #2014

ECS 8.5.0-rc1

21 Sep 14:59
8bfa1a4

ECS Release Candidate

Schema Changes

Added

  • Adding risk.* fields as experimental. #1994, #2010
  • Adding process.io.* as beta fields. #1956, #2031
  • Adding process.tty.rows and process.tty.columns as beta fields. #2031
  • Changed process.env_vars field type to be an array of keywords. #2038
  • process.attested_user and process.attested_groups as beta fields. #2050
  • Added risk.* fieldset to beta. #2051

Improvements

  • Advances threat.enrichments.indicator to GA. #1928
  • Added ios and android as valid values for os.type #1999

Tooling and Artifact Changes

Bugfixes

  • Added Deprecation Warning for misspell task #1993
  • Fix typo in client schema #2014

ECS 8.4.0

24 Aug 19:03
f09fa45

What's new in ECS 8.4

New field attribute expected_values

ECS schema field definitions will now support an attribute to provide a consistent location to capture a list of expected values.

Schema Changes

Added

  • Initial set of expected_values. #1962
  • Adding service.node.roles. #1981

Tooling and Artifact Changes

Added

  • Introduce expected_values attribute. #1952

Improvements

  • Additional type annotations. #1950

ECS 8.4.0-rc1

26 Jul 21:04
4683401

ECS Release Candidate

ECS will publish a release candidate version, starting with 8.4.0, to better aid in development efforts.

Changelog

Schema Changes

Added

  • Initial set of expected_values. #1962
  • Adding service.node.roles. #1981

Tooling and Artifact Changes

Added

  • Introduce expected_values attribute. #1952

Improvements

  • Additional type annotations. #1950

ECS 8.3.1

06 Jul 17:48
f1d8127

Schema Changes

Deprecated

  • Deprecate service.node.role in favor of upcoming service.node.roles. #1976

ECS 8.3.0

28 Jun 13:55
e59adac

What's new in ECS 8.3

GA additions to the schema

The container.* metrics fieldset

Proposed in RFC 0025, this release introduces the container.* field set as GA. These additional container metric fields capture container CPU, memory, disk and network performance information.

Pattern attribute for .mac fields

ECS sets the pattern attribute for the .mac address fields. The regex value is based on the format suggested in IETF RFC 7042.
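An ingest-side check for the .mac pattern described above, as an added example that is not part of the ECS release notes or the project's tooling. The regex is an assumption written from the RFC 7042 notation (uppercase hex octets joined by hyphens), the function names are hypothetical, and the sample event is constructed.

```python
import re

# Assumed pattern, written from the RFC 7042 notation (uppercase hex octets
# joined by hyphens, six or more octets); not copied from the ECS schema files.
MAC_PATTERN = re.compile(r"^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$")

def is_ecs_mac(value):
    """True if value is already in the hyphenated uppercase form."""
    return isinstance(value, str) and MAC_PATTERN.fullmatch(value) is not None

def normalize_mac(raw):
    """Convert colon, dot or bare-hex notation to RFC 7042 form, else None."""
    if not isinstance(raw, str):
        return None
    digits = re.sub(r"[-:.\s]", "", raw)
    # Accept only EUI-48 (12 hex digits) and EUI-64 (16 hex digits).
    if len(digits) not in (12, 16) or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def normalize_event_macs(event):
    """Normalize every '*.mac' key of a flat event dict.

    Returns (clean_event, rejected); rejected maps field -> unparseable values,
    which are dropped from clean_event rather than indexed as-is.
    """
    clean, rejected = dict(event), {}
    for field, value in event.items():
        if not field.endswith(".mac"):
            continue
        good = []
        for item in value if isinstance(value, list) else [value]:
            mac = normalize_mac(item)
            if mac is None:
                rejected.setdefault(field, []).append(item)
            elif mac not in good:  # collapse duplicates that differ only in notation
                good.append(mac)
        if not good:
            del clean[field]
        else:
            clean[field] = good if isinstance(value, list) else good[0]
    return clean, rejected

# Constructed sample event (values are illustrative, not from the page).
SAMPLE_EVENT = {
    "host.mac": ["00:1a:2b:3c:4d:5e", "001a.2b3c.4d5e", "aa:bb:cc:dd:ee:ff"],
    "source.mac": "00-1A-2B-3C-4D-5E",
    "destination.mac": "not-a-mac",
    "host.name": "web-01",
}
```

Normalizing before indexing keeps the same interface from appearing under several spellings, which otherwise breaks exact-match correlation across sources.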

Schema Changes

Added

  • Added pattern attribute to .mac fields. #1871
  • Add orchestrator.cluster.id #1875
  • Add orchestrator.resource.id #1878
  • Add orchestrator.resource.parent.type #1889
  • Add orchestrator.resource.ip #1889
  • Add container.image.hash.all #1889
  • Add service.node.role #1916
  • Advanced container.* metric fields to GA. #1927

Important

After adding service.node.role, it was realized that we intend for this field to have multiple values, and therefore we will be removing role and replacing with roles at the earliest opportunity. Please do not use service.node.role.