ECS 1.12.0

The following RFCs have advanced as a part of this release:

Stage 3 (GA)

• RFC 0018 - extend threat.* field set
• RFC 0001 - wildcard field migration
• RFC 0023 - migrate text to match_only_text type

Stage 2 (beta)

• RFC 0002 - service.environment field

Stage 1 (experimental)

• RFC 0010 - email.* field set
• RFC 0025 - container metric fields

There's also been a couple of new field additions in 1.12: file.fork_name, service.address, process.end, code_signature.digest_algorithm and code_signature.timestamp.

Lastly, a couple tooling and documentation improvements. There now exists support for multi-field type fallback to better support ES 6 types as well as the new match_only_text type. And finally, we updated examples within user to better clarify things.

Changelog

Schema Changes

Bugfixes

• Updating hash order to correct nesting. #1603
• Removing incorrect hash reuses. #1604
• Updating pe order to correct nesting. #1605
• Removing incorrect pe reuses. #1606
• Correcting enrichments to an array type. #1608

Added

• Added file.fork_name field. #1288
• Added service.address field. #1537
• Added service.environment as a beta field. #1541
• Added process.end field. #1544
• Added container metric fields into experimental schema. #1546
• Add code_signature.digest_algorithm and code_signature.timestamp fields. #1557
• Add email.* field set in the experimental fields. #1569

Improvements

• Beta migration on some keyword fields to wildcard. #1517
• Promote threat.software.* and threat.group.* fields to GA. #1540
• Update user.name and user.id examples for clarity. #1566
• Beta migration of text and .text multi-fields to match_only_text. #1532, #1571

Tooling and Artifact Changes

Added

• Support ES 6.x type fallback for match_only_text field types. #1528

Bugfixes

• Prevent failure if no files need to be deleted find | xargs rm. #1588

Improvements

• Document field type family interoperability in FAQ. #1591

ECS 1.11.0

The following RFCs have advanced as part of this release:

Stage 3 (GA)

• RFC 0012 - orchestrator field set

Stage 2 (beta)

• RFC 0008 - Threat indicator fields
• RFC 0015 - elf file fields
• RFC 0018 - Extend the threat.* field set with threat.software.* and threat.group.* fields
• RFC 0021 - Threat enrichment

Stage 1 (experimental)

• RFC 0016 - Target process fields

The event.agent_id_status field is also new in 1.11 to reflect the status of the agent.id verification performed by a receiving system or data pipeline.

Lastly, many tooling and documentation improvements, including the --exclude flag. The --exclude flag adds the ability to remove individual fields from the schema. More detail is available in the usage doc.

Changelog

Schema Changes

Added

• elf.* field set added as beta. #1410
• Remove beta from orchestrator field set. #1417
• Extend threat.* field set beta. #1438
• Added event.agent_id_status field. #1454
• process.target and process.target.parent added to experimental schema. #1467
• Threat indicator fields progress to beta stage. #1471, #1504
• threat.enrichments beta fields. #1478, #1504

Improvements

• Fix ecs GitHub repo link source branch #1393
• Add --exclude flag to Generator to support field removal testing #1411
• Explicitly include user identifiers in relater.user description. #1420
• Improve descriptions for cloud.region and cloud.availability fields. #1452
• Clarify event.kind descriptions for alert and signal. #1548

Deprecated

• Note deprecation of the host.user.* field reuse. #1422
• Note deprecation of log.original superseded by event.original #1469

Tooling and Artifact Changes

Bugfixes

• Remove ignore_above when index: false and doc_values: false. #1483
• Ensure doc_values is carried into Beats artifacts. #1488

Added

• Support match_only_text data type in Go code generator. #1418
• Support for multi-level, self-nestings. #1459
• beta attribute now supported on categorization allowed values. #1511

Improvements

• Swap Location and Field Set columns in Field Reuse table for better readability. #1472, #1476
• Use a bullet points to list field reuses. #1473
• Improve wording in Threat schema #1505

ECS 1.10.0

A handful of new additions from the ECS RFC process are included in this release:

• The host metrics RFC has advanced to Finished status with host metrics fields becoming GA.
• The orchestrator fieldset RFC has advanced to Stage 3, and the fieldset has been released for beta.
• The data_stream fields moved to Stage 2, and are released for beta.
• We are extending the existing `threat.* fields, which are released as experimental.

In addition to RFC proposed changes, ECS 1.10.0 also adds some documentation updates, including the ability to add a short_override to field reuses for a custom description.

Finally, there is now support for flattened and nested types in the Go code generator script.

Changelog

Schema Changes

Added

• Add data_stream fieldset. #1307
• Add orchestrator fieldset as beta fields. #1326
• Extend threat.* experimental fields with proposed changes from RFC 0018. #1344, #1351
• Allow custom descriptions for self-nesting reuses via short_override #1366

Improvements

• Updated descriptions to use Elastic Security #1305
• Host metrics fields from RFC 0005 are now GA. #1319
• Adjustments to the field set "usage" docs #1345
• Adjustments to the sidebar naming convention for usage and examples docs #1354
• Update user.* field reuse descriptions. #1382

Tooling and Artifact Changes

Bugfixes

• Correcting fieldset name capitalization for generated ES template #1323

Improvements

• Support nested types in go code generator. #1254, #1350
• Go code generator now supports the flattened data type. #1302
• Adjustments to use terminology that doesn't have negative connotation. #1315

ECS 1.9.0

Several additions introduced from the ECS RFC process are included in this release:

• The multiple users proposal has advanced to Finished status with user.changes.*, user.effective.*, and user.target.* field reuses becoming GA.
• Host metrics fields are now beta.
• The threat.indicator fields, elf.* fields, pe.* extensions, and data_stream.* fieldset are now in the experimental ECS schema.

A new section has been added to the ECS event categorization documentation. Real-world example events are categorized to demonstrate using the event categorization fields to group and identify similar events from multiple data sources.

In addition to RFC proposed changes, ECS 1.9.0 also adds:

• http.request.id
• cloud.service.name
• hash.ssdeep
• code_signature.team_id and code_signature.signing_id
• Additional fields to the geo.* fieldset: geo.timezone, geo.postal_code, geo.continent_code

Finally, *.mac field descriptions now suggest normalizing MAC address values to the RFC7042 format.

Changelog

Schema Changes

Added

• Added hash.ssdeep. #1169
• Added cloud.service.name. #1204
• Added http.request.id. #1208
• data_stream.* fieldset introduced in experimental schema and artifacts. #1215
• Added geo.timezone, geo.postal_code, and geo.continent_code. #1229
• Added beta host metrics fields. #1248
• Added code_signature.team_id, code_signature.signing_id. #1249
• Extended pe fields added to experimental schema. #1256
• Add elf fieldset to experimental schema. #1261
• Add threat.indicator fields to experimental schema. #1268

Improvements

• Include formatting guidance and examples for MAC address fields. #456
• New section in ECS detailing event categorization fields usage. #1242
• user.changes.*, user.effective.*, and user.target.* field reuses are GA. #1271

Tooling and Artifact Changes

Improvements

• Update Python dependencies #1310, #1318
• Adjustments to use terminology that doesn't have negative connotation. #1315

ECS 1.8.0

In this release, two ECS RFCs are advancing. The multiple users in an event RFC proposed field reuses now appear in the ECS documentation as beta. The host metrics fields are also advancing and are available in the experimental schema and artifacts.

Accompanying the multiple user changes, the user.* fieldset adds ECS' first usage doc. The user usage page contains guidance on categorization, user ids, field reuse, and mapping examples.

The event categorization fields, with the initial set of allowed values, were introduced as beta in ECS 1.4.0. Over the past several ECS released, we've iterated and further fleshed out these fields and values. We're excited to announce that the event categorization fields are now generally available!

In addition to the event categorizations fields becoming GA, two additional event.category allowed values have also been introduced: registry and session.

A new field, os.type, is intended to ease filtering for Windows, Unix, Linux, and macOS events.

Finally, a component template and composable templates (per fieldset) have been added as generated artifacts. The legacy index templates for Elasticsearch 6.x and 7.x are still being maintained. More details covered here.

Changelog

Schema Changes

Bugfixes

• Clean up event.reference description. #1181
• Go code generator fails if scaled_float type is used. #1250

Added

• Added event.category "registry". #1040
• Added event.category "session". #1049
• Added usage documentation for user fields. #1066
• Added user fields at user.effective.*, user.target.* and user.changes.*. #1066
• Added os.type. #1111

Improvements

• Event categorization fields GA. #1067
• Note [ and ] bracket characters may enclose a literal IPv6 address when populating url.domain. #1131
• Reinforce the exclusion of the leading dot from url.extension. #1151

Deprecated

• Deprecated host.user.* fields for removal at the next major. #1066

Tooling and Artifact Changes

Bugfixes

• tracing fields should be at root of Beats fields.ecs.yml artifacts. #1164

Added

• Added the path key when type is alias, to support the alias field type. #877
• Added support for scaled_float's mandatory parameter scaling_factor. #1042
• Added ability for --oss flag to fall back constant_keyword to keyword. #1046
• Added support in the generated Go source go for wildcard, version, and constant_keyword data types. #1050
• Added support for marking fields, field sets, or field reuse as beta in the documentation. #1051
• Added support for constant_keyword's optional parameter value. #1112
• Added component templates for ECS field sets. #1156, #1186, #1191
• Added functionality for merging custom and core multi-fields. #982

Improvements

• Make all fields linkable directly. #1148
• Added a notice highlighting that the tracing fields are not nested under the
  namespace tracing. #1162
• ES 6.x template data types will fallback to supported types. #1171, #1176, #1186
• Add a documentation page discussing the experimental artifacts. #1189

ECS 1.7.0

Experimental Changes

A few months ago, we introduced the RFC process. This process is meant to fully vet big additions or changes to ECS. A key aspect of this process is that proposals advance in stages. Each stage represents the vetting and maturity of the proposal.

We won’t go over the process in detail here, but one of its key aspects is that accepted “stage 2” proposals appear in “experimental” ECS artifacts. They don’t yet appear officially in ECS documentation. Proposals that reach “stage 3” are the ones that will officially appear in ECS documentation.

ECS 1.7 is the first release that includes RFCs that have reached stage 2 / experimental changes. A new directory has therefore been added, where all the usual generated artifacts are published including the experimental changes. This is at experimental/generated.

This release includes experimental changes from two RFCs reaching stage 2:

• Replace the keyword type on many existing ECS fields with the new wildcard type.
• Adding more places where user fields can be nested, in order to capture privilege escalations & demotions as well as IAM. These experimental nestings are user.effective.*, user.target.*, and user.changes.*.

“Normal” Changes

Contrary to the new experimental changes described above, the following changes are reflected in the documentation.

Two new fields are introduced: http.[request|response].mime_type/ and threat.technique.subtechnique.

Both the network.direction and event.category fields add support for additional allowed values.

The ECS generator script adds two new arguments, --oss and --strict. See usage for more details and examples.

Lastly, we have changed the index pattern of the sample Elasticsearch template from ecs-* to try-ecs-* to avoid conflicting with Logstash' template when run in ECS compatibility mode.

Changelog

Schema Changes

Bugfixes

• The protocol allowed value under event.type should not have the expected_event_types defined. #964
• Clarify the definition of file.extension (no dots). #1016

Added

• Added Mime Type fields to HTTP request and response. #944
• Added network directions ingress and egress. #945
• Added threat.technique.subtechnique to capture MITRE ATT&CK® subtechniques. #951
• Added configuration as an allowed event.category. #963
• Added a new directory with experimental artifacts, which includes all changes
  from RFCs that have reached stage 2. #993, #1053, #1115, #1117, #1118

Improvements

• Expanded field set definitions for source.* and destination.*. #967
• Provided better guidance for mapping network events. #969
• Added the field .subdomain under client, destination, server, source
  and url, to match its presence at dns.question.subdomain. #981
• Clarified ambiguity in guidance on how to use x509 fields for connections with
  only one certificate. #1114

Tooling and Artifact Changes

Breaking changes

• Changed the index pattern of the sample Elasticsearch template from ecs-* to
  try-ecs-* to avoid conflicting with Logstash' ecs-logstash-*. #1048

Bugfixes

• Addressed issue where foreign reuses weren't using the user-supplied as value for their destination. #960
• Experimental artifacts failed to install due to event.original index setting. #1053

Added

• Introduced --strict flag to perform stricter schema validation when running the generator script. #937
• Added check under --strict that ensures composite types in example fields are quoted. #966
• Added ignore_above and normalizer support for keyword multi-fields. #971
• Added --oss flag for users who want to generate ECS templates for use on OSS clusters. #991

Improvements

• Field details Jinja2 template components have been consolidated into one template #897
• Add [discrete] marker before each section header in field details. #989
• --ref now loads experimental/schemas based on git ref in addition to schemas. #1063

ECS 1.6.0

This release adds the x509.* field set to capture common core fields for x509 certificates. Other notable schema changes include the introduction of event.reason , adding span.id to the transaction.* field set, and new related.* fields. Please see the full schema change details below.

Before this release, there was no way to reuse field sets as different names inside themselves. Now nesting fields within themselves, such as process => process.parent, and defining nested sets using a different name are both available.

Did you know you can use the Python scripts in the ECS repository to generate Elasticsearch templates containing the only ECS fields you need + your custom fields? A lot of the changes in the "tooling and artifact" changelog below are about how we improved this experience. However you can jump directly to the new usage documentation to learn how to do this.

Finally in previous releases, reusable fields not expected at the root of documents were accidentally defined at the root in some generated artifacts. This incorrect behavior is fixed in this release.

Schema Changes

Bugfixes

• Field registry.data.strings should have been marked as an array field. #790

Added

• Added x509.* field set. #762
• Add architecture and imphash for PE field set. #763
• Added agent.build.* for extended agent version information. #764
• Added log.file.path to capture the log file an event came from. #802
• Added more account and project cloud metadata. #816
• Added missing field reuse of pe at process.parent.pe #868
• Added span.id to the tracing fieldset, for additional log correlation #882
• Added event.reason for the reason why an event's outcome or action was taken. #907
• Added related.hosts to capture all hostnames and host identifiers on an event. #913
• Added user.roles to capture a list of role names that apply to the user. #917

Improvements

• Removed misleading pluralization in the description of user.id, it should
  contain one ID, not many. #801
• Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
• Improved verbiage about the MITRE ATT&CK® framework. #866
• Removed the default object_type=keyword that was being applied to object fields.
  This attribute is Beats-specific. It's still supported, but needs to be set explicitly
  on a case by case basis now. This default being removed affects dns.answers,
  log.syslog, network.inner, observer.egress, and observer.ingress. #871
• Improved attribute dashed_name in generated/ecs/*.yml to also
  replace @ with -. #871
• Updated several URLs in the documentation with "example.com" domain. #910

Deprecated

• Deprecate guidance to lowercase http.request.method #840

Tooling and Artifact Changes

Breaking changes

• Removed field definitions at the root of documents for fieldsets that
  had reusable.top_level:false. This PR affects ecs_flat.yml, the csv file
  and the sample Elasticsearch templates. #495, #813
• Removed the order attribute from the ecs_nested.yml and ecs_flat.yml files. #811
• In ecs_nested.yml, the array of strings that used to be in reusable.expected
  has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864
• The subset format now requires name and fields keys at the top level. #873

Bugfixes

• Subsets are created after duplicating reusable fields now so subsets can
  be applied to each reused instance independently. #753
• Quoted the example for labels to avoid YAML interpreting it, and having
  slightly different results in different situations. #782
• Fix incorrect listing of where field sets are nested in asciidoc,
  when they are nested deep. #784
• Allow beats output to be generated when using --include or --subset flags. #814
• Field parameter index is now correctly populated in the Beats field definition file. #824

Improvements

• Add support for reusing official fieldsets in custom schemas. #751
• Add full path names to reused fieldsets in nestings array in ecs_nested.yml. #803
• Allow shorthand notation for including all subfields in subsets. #805
• Add support for Elasticsearch enabled field parameter. #824
• Add ref option to generator allowing schemas to be built for a specific ECS version. #851
• Add template-settings and mapping-settings options to allow override of defaults in generated ES templates. #856
• When overriding ECS field sets via the --include flag, it's no longer necessary
  to duplicate the field set's mandatory attributes. The customizations are merged
  before validation. #864
• Add ability to nest field sets as another name. #864
• Add ability to nest field sets within themselves (e.g. process => process.parent). #864
• New attribute reused_here is added in ecs_nested.yml. It obsoletes the
  previous attribute nestings, and is able to fully capture details of other
  field sets reused under this one. #864
• When chained reuses are needed (e.g. group => user, then user => many places),
  it's now necessary to force the order with new attribute reusable.order. This
  attribute is otherwise optional. It's currently only needed for group. #864
• There's a new representation of ECS at generated/ecs/ecs.yml, which is a deeply nested
  representation of the fields. This file is not in git, as it's only meant for
  developers working on the ECS tools. #864
• Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
• Intermediate ecs_flat.yml and ecs_nested.yml files are now generated for each individual subset,
  in addition to the intermediate files generated for the combined subset. #873

Deprecated

• In ecs_nested.yml, we're deprecating the attribute nestings. It will be
  removed in a future release. The deprecated nestings attribute was an array of
  flat field names describing where fields are nested within the field set.
  This is replaced with the attribute reused_here, which is an array of objects.
  The new format still lists where the fields are nested via the same flat field name,
  but also specifies additional information about each field reuse. #864

ECS 1.5.0

In this release, we continue fleshing out categorization by introducing the "network" and "iam" categories, with related event types.

We're adding new field sets: "dll", "pe", "code_signature", "interface" & "vlan". We're also adding a few fields here and there (check out the details below).

Implementers consuming ECS artifacts like generated/ecs/*.yml programmatically will be happy to know that we now clearly identify which fields are expected to contain an array of values. Shout-out to contributors on the ecs-logging libraries for raising this 👋🏼.

Finally, starting with ECS 1.5.0, the project is using Python 3.7.

Schema Changes

Added

• Added dll.* fields #679
• Added related.hash to keep track of all hashes seen on an event. #711
• Added fieldset for PE metadata. #731
• Added code_signature fieldset. #733
• Added missing hash fields at process.parent.hash.*. #739
• Added globally unique identifier entity_id to process and process.parent. #747
• Added interface, vlan, observer zone fields #752
• Added rule.author, rule.license fields #754
• Added iam value for event.category and three related values for event.type. #756
• Added fields event.reference and event.url to hold link to additional event info/actions. #757
• Added file.mime_type to include MIME type information on file structures #760
• Added event.category value of network and associated event.type values. #761

Improvements

• Temporary workaround for Beats templates' default_field growing too big. #687
• Identify which fields should contain arrays of values, rather than scalar values. #727, #661
• Clarified examples and definitions regarding vulnerabilities. #758
• Updated definition of event.outcome based on community feedback. #759

Tooling and Artifact Changes

Improvements

• ECS scripts now use Python 3.6+. #674
• schema_reader.py now reliably supports chaining reusable fieldsets together. #722
• Allow the artifact generator to consider and output only a subset of fields. #737
• Add support for reusing fields in places other than the top level of the destination fieldset. #739
• Add support for specifying the directory to write the generated files. #748

ECS 1.4.0

This release introduces two much-awaited changes.

The text analyzer has been added to many existing fields. This enables full text search queries on fields that contain a lot of text, or semi-structured data (such as file paths and urls). Look at #575 and #680 to learn more. As an example, the field user_agent.original can now service full text search queries at user_agent.original.text.

We're also introducing the first set of allowed values for the 4 previously reserved fields (event.kind, event.category, event.type and event.outcome). We're calling them the "categorization fields". More allowed values will be released over time. You can preview future values, and provide feedback in this public document: https://ela.st/ecs-categories-draft. Learn more in the new "ECS Categorization Fields" section of the documentation.

Schema Changes

Added

• Added default text analyzer as a multi-field to user_agent.original. #575
• Added file.attributes. #611
• Added file.drive_letter. #620
• Added rule fields. #665
• Added default text analyzer as a multi-field to around 25 more fields. #680
• Added registry.* fieldset for the Windows registry. #673
• Publish initial list of allowed values for the categorization fields (previously reserved)
  event.kind, event.category, event.type and event.outcome. #684, #691, #692
• Added related.user #694

Tooling and Artifact Changes

Bugfixes

• Fix support for multi-fields. #575

ECS 1.3.1

Schema Changes

Bugfixes

• Removed unnecessary field tls.server.supported_ciphers. #662