elastic/ecs v1.12.0

ECS 1.12.0

on GitHub

The following RFCs have advanced as a part of this release:

Stage 3 (GA)

• RFC 0018 - extend threat.* field set
• RFC 0001 - wildcard field migration
• RFC 0023 - migrate text to match_only_text type

Stage 2 (beta)

• RFC 0002 - service.environment field

Stage 1 (experimental)

• RFC 0010 - email.* field set
• RFC 0025 - container metric fields

There's also been a couple of new field additions in 1.12: file.fork_name, service.address, process.end, code_signature.digest_algorithm and code_signature.timestamp.

Lastly, a couple tooling and documentation improvements. There now exists support for multi-field type fallback to better support ES 6 types as well as the new match_only_text type. And finally, we updated examples within user to better clarify things.

Changelog

Schema Changes

Bugfixes

• Updating hash order to correct nesting. #1603
• Removing incorrect hash reuses. #1604
• Updating pe order to correct nesting. #1605
• Removing incorrect pe reuses. #1606
• Correcting enrichments to an array type. #1608

Added

• Added file.fork_name field. #1288
• Added service.address field. #1537
• Added service.environment as a beta field. #1541
• Added process.end field. #1544
• Added container metric fields into experimental schema. #1546
• Add code_signature.digest_algorithm and code_signature.timestamp fields. #1557
• Add email.* field set in the experimental fields. #1569

Improvements

• Beta migration on some keyword fields to wildcard. #1517
• Promote threat.software.* and threat.group.* fields to GA. #1540
• Update user.name and user.id examples for clarity. #1566
• Beta migration of text and .text multi-fields to match_only_text. #1532, #1571

Tooling and Artifact Changes

Added

• Support ES 6.x type fallback for match_only_text field types. #1528

Bugfixes

• Prevent failure if no files need to be deleted find | xargs rm. #1588

Improvements

• Document field type family interoperability in FAQ. #1591