The following RFCs have advanced as a part of this release:

Stage 3 (GA)
- RFC 0018 - extend `threat.*` field set
- RFC 0001 - wildcard field migration
- RFC 0023 - migrate `text` to `match_only_text` type

Stage 2 (beta)

Stage 1 (experimental)
There have also been a couple of new field additions in 1.12: `file.fork_name`, `service.address`, `process.end`, `code_signature.digest_algorithm` and `code_signature.timestamp`.
Lastly, a couple of tooling and documentation improvements. There is now support for multi-field type fallback, to better support ES 6 types as well as the new `match_only_text` type. And finally, we updated the examples within `user` to better clarify things.
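As an added illustration of the type fallback mentioned above (my own example, not the ECS tooling's code), the following Python replaces a newer field type with the base type of its type family when the target Elasticsearch version predates it, walking object fields and multi-fields alike; the sample mapping fragment is constructed, and the version thresholds are the ones I know for `wildcard` and `match_only_text`.

```python
"""Type-family fallback for an ECS-style Elasticsearch mapping (illustration)."""
import copy

# Newer type -> (base type of the same family, (major, minor) it first shipped in).
# Targets older than that version get the base type so the template still loads.
TYPE_FAMILY_FALLBACK = {
    "match_only_text": ("text", (7, 14)),  # text family
    "wildcard": ("keyword", (7, 9)),       # keyword family
}

# Constructed sample: a top-level field, an object field, and a .text multi-field.
SAMPLE_PROPERTIES = {
    "message": {"type": "match_only_text"},
    "file": {"properties": {
        "path": {"type": "wildcard",
                 "fields": {"text": {"type": "match_only_text"}}},
        "fork_name": {"type": "keyword"},
    }},
}


def resolve_type(es_type: str, target: tuple) -> str:
    """Return es_type if the target version supports it, else its family's base type."""
    fallback = TYPE_FAMILY_FALLBACK.get(es_type)
    if fallback is None:
        return es_type
    base_type, introduced_in = fallback
    return es_type if target >= introduced_in else base_type


def apply_fallback(properties: dict, target: tuple) -> dict:
    """Return a copy of a 'properties' mapping rewritten for target (input untouched)."""
    out = {}
    for name, spec in properties.items():
        spec = copy.deepcopy(spec)
        if "type" in spec:
            spec["type"] = resolve_type(spec["type"], target)
        if "properties" in spec:  # nested object field
            spec["properties"] = apply_fallback(spec["properties"], target)
        if "fields" in spec:      # multi-fields such as file.path.text
            spec["fields"] = apply_fallback(spec["fields"], target)
        out[name] = spec
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(apply_fallback(SAMPLE_PROPERTIES, (6, 8)), indent=2))
```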
Changelog

Schema Changes

Bugfixes
- Updating `hash` order to correct nesting. #1603
- Removing incorrect `hash` reuses. #1604
- Updating `pe` order to correct nesting. #1605
- Removing incorrect `pe` reuses. #1606
- Correcting `enrichments` to an `array` type. #1608
Added
- Added `file.fork_name` field. #1288
- Added `service.address` field. #1537
- Added `service.environment` as a beta field. #1541
- Added `process.end` field. #1544
- Added container metric fields into experimental schema. #1546
- Add `code_signature.digest_algorithm` and `code_signature.timestamp` fields. #1557
- Add `email.*` field set in the experimental fields. #1569
Improvements
- Beta migration on some `keyword` fields to `wildcard`. #1517
- Promote `threat.software.*` and `threat.group.*` fields to GA. #1540
- Update `user.name` and `user.id` examples for clarity. #1566
- Beta migration of `text` and `.text` multi-fields to `match_only_text`. #1532, #1571
Tooling and Artifact Changes

Added
- Support ES 6.x type fallback for `match_only_text` field types. #1528

Bugfixes
- Prevent failure if no files need to be deleted in `find | xargs rm`. #1588

Improvements
- Document field type family interoperability in FAQ. #1591