Skip to content

ECS 1.4.0
Compare
Choose a tag to compare
@webmat webmat released this 19 Dec 14:08
· 8 commits to 1.4 since this release
v1.4.0
cc4b36e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

This release introduces two much-awaited changes.

The text analyzer has been added to many existing fields. This enables full text search queries on fields that contain a lot of text, or semi-structured data (such as file paths and urls). Look at #575 and #680 to learn more. As an example, the field user_agent.original can now service full text search queries at user_agent.original.text.

We're also introducing the first set of allowed values for the 4 previously reserved fields (event.kind, event.category, event.type and event.outcome). We're calling them the "categorization fields". More allowed values will be released over time. You can preview future values, and provide feedback in this public document: https://ela.st/ecs-categories-draft. Learn more in the new "ECS Categorization Fields" section of the documentation.

Schema Changes

Added

  • Added default text analyzer as a multi-field to user_agent.original. #575
  • Added file.attributes. #611
  • Added file.drive_letter. #620
  • Added rule fields. #665
  • Added default text analyzer as a multi-field to around 25 more fields. #680
  • Added registry.* fieldset for the Windows registry. #673
  • Publish initial list of allowed values for the categorization fields (previously reserved)
    event.kind, event.category, event.type and event.outcome. #684, #691, #692
  • Added related.user #694

Tooling and Artifact Changes

Bugfixes

  • Fix support for multi-fields. #575
Assets 2
Loading