This release introduces two much-awaited changes.
The text analyzer has been added to many existing fields. This enables full text search queries on fields that contain a lot of text, or semi-structured data (such as file paths and urls). Look at #575 and #680 to learn more. As an example, the field user_agent.original can now service full text search queries at user_agent.original.text.
We're also introducing the first set of allowed values for the 4 previously reserved fields (event.kind, event.category, event.type and event.outcome). We're calling them the "categorization fields". More allowed values will be released over time. You can preview future values, and provide feedback in this public document: https://ela.st/ecs-categories-draft. Learn more in the new "ECS Categorization Fields" section of the documentation.
Schema Changes
Added
- Added default
textanalyzer as a multi-field touser_agent.original. #575 - Added
file.attributes. #611 - Added
file.drive_letter. #620 - Added
rulefields. #665 - Added default
textanalyzer as a multi-field to around 25 more fields. #680 - Added
registry.*fieldset for the Windows registry. #673 - Publish initial list of allowed values for the categorization fields (previously reserved)
event.kind,event.category,event.typeandevent.outcome. #684, #691, #692 - Added
related.user#694
Tooling and Artifact Changes
Bugfixes
- Fix support for multi-fields. #575