The following RFCs have advanced as part of this release:
Stage 3 (GA)
Stage 2 (beta)
- RFC 0008 - Threat indicator fields
- RFC 0015 -
elffile fields - RFC 0018 - Extend the
threat.*field set withthreat.software.*andthreat.group.*fields - RFC 0021 - Threat enrichment
Stage 1 (experimental)
The event.agent_id_status field is also new in 1.11 to reflect the status of the agent.id verification performed by a receiving system or data pipeline.
Lastly, many tooling and documentation improvements, including the --exclude flag. The --exclude flag adds the ability to remove individual fields from the schema. More detail is available in the usage doc.
Changelog
Schema Changes
Added
elf.*field set added as beta. #1410- Remove
betafromorchestratorfield set. #1417 - Extend
threat.*field set beta. #1438 - Added
event.agent_id_statusfield. #1454 process.targetandprocess.target.parentadded to experimental schema. #1467- Threat indicator fields progress to beta stage. #1471, #1504
threat.enrichmentsbeta fields. #1478, #1504
Improvements
- Fix ecs GitHub repo link source branch #1393
- Add --exclude flag to Generator to support field removal testing #1411
- Explicitly include user identifiers in
relater.userdescription. #1420 - Improve descriptions for
cloud.regionandcloud.availabilityfields. #1452 - Clarify
event.kinddescriptions foralertandsignal. #1548
Deprecated
- Note deprecation of the
host.user.*field reuse. #1422 - Note deprecation of
log.originalsuperseded byevent.original#1469
Tooling and Artifact Changes
Bugfixes
- Remove
ignore_abovewhenindex: falseanddoc_values: false. #1483 - Ensure
doc_valuesis carried into Beats artifacts. #1488
Added
- Support
match_only_textdata type in Go code generator. #1418 - Support for multi-level, self-nestings. #1459
betaattribute now supported on categorization allowed values. #1511