github elastic/ecs v1.5.0
ECS 1.5.0
on GitHub

latest releases: v8.11.0, v8.10.0, v8.9.0...
4 years ago

In this release, we continue fleshing out categorization by introducing the "network" and "iam" categories, with related event types.

We're adding new field sets: "dll", "pe", "code_signature", "interface" & "vlan". We're also adding a few fields here and there (check out the details below).

Implementers consuming ECS artifacts like generated/ecs/*.yml programmatically will be happy to know that we now clearly identify which fields are expected to contain an array of values. Shout-out to contributors on the ecs-logging libraries for raising this 👋🏼.

Finally, starting with ECS 1.5.0, the project is using Python 3.7.

Schema Changes

Added

  • Added dll.* fields #679
  • Added related.hash to keep track of all hashes seen on an event. #711
  • Added fieldset for PE metadata. #731
  • Added code_signature fieldset. #733
  • Added missing hash fields at process.parent.hash.*. #739
  • Added globally unique identifier entity_id to process and process.parent. #747
  • Added interface, vlan, observer zone fields #752
  • Added rule.author, rule.license fields #754
  • Added iam value for event.category and three related values for event.type. #756
  • Added fields event.reference and event.url to hold link to additional event info/actions. #757
  • Added file.mime_type to include MIME type information on file structures #760
  • Added event.category value of network and associated event.type values. #761

Improvements

  • Temporary workaround for Beats templates' default_field growing too big. #687
  • Identify which fields should contain arrays of values, rather than scalar values. #727, #661
  • Clarified examples and definitions regarding vulnerabilities. #758
  • Updated definition of event.outcome based on community feedback. #759

Tooling and Artifact Changes

Improvements

  • ECS scripts now use Python 3.6+. #674
  • schema_reader.py now reliably supports chaining reusable fieldsets together. #722
  • Allow the artifact generator to consider and output only a subset of fields. #737
  • Add support for reusing fields in places other than the top level of the destination fieldset. #739
  • Add support for specifying the directory to write the generated files. #748
Check out latest releases or
releases around elastic/ecs v1.5.0

Don't miss a new ecs release

NewReleases is sending notifications on new releases.

Get notifications