This release adds the x509.* field set to capture common core fields for x509 certificates. Other notable schema changes include the introduction of event.reason , adding span.id to the transaction.* field set, and new related.* fields. Please see the full schema change details below.
Before this release, there was no way to reuse field sets as different names inside themselves. Now nesting fields within themselves, such as process => process.parent, and defining nested sets using a different name are both available.
Did you know you can use the Python scripts in the ECS repository to generate Elasticsearch templates containing the only ECS fields you need + your custom fields? A lot of the changes in the "tooling and artifact" changelog below are about how we improved this experience. However you can jump directly to the new usage documentation to learn how to do this.
Finally in previous releases, reusable fields not expected at the root of documents were accidentally defined at the root in some generated artifacts. This incorrect behavior is fixed in this release.
Schema Changes
Bugfixes
- Field
registry.data.stringsshould have been marked as an array field. #790
Added
- Added
x509.*field set. #762 - Add architecture and imphash for PE field set. #763
- Added
agent.build.*for extended agent version information. #764 - Added
log.file.pathto capture the log file an event came from. #802 - Added more account and project cloud metadata. #816
- Added missing field reuse of
peatprocess.parent.pe#868 - Added
span.idto the tracing fieldset, for additional log correlation #882 - Added
event.reasonfor the reason why an event's outcome or action was taken. #907 - Added
related.hoststo capture all hostnames and host identifiers on an event. #913 - Added
user.rolesto capture a list of role names that apply to the user. #917
Improvements
- Removed misleading pluralization in the description of
user.id, it should
contain one ID, not many. #801 - Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
- Improved verbiage about the MITRE ATT&CK® framework. #866
- Removed the default
object_type=keywordthat was being applied toobjectfields.
This attribute is Beats-specific. It's still supported, but needs to be set explicitly
on a case by case basis now. This default being removed affectsdns.answers,
log.syslog,network.inner,observer.egress, andobserver.ingress. #871 - Improved attribute
dashed_nameingenerated/ecs/*.ymlto also
replace@with-. #871 - Updated several URLs in the documentation with "example.com" domain. #910
Deprecated
- Deprecate guidance to lowercase
http.request.method#840
Tooling and Artifact Changes
Breaking changes
- Removed field definitions at the root of documents for fieldsets that
hadreusable.top_level:false. This PR affectsecs_flat.yml, the csv file
and the sample Elasticsearch templates. #495, #813 - Removed the
orderattribute from theecs_nested.ymlandecs_flat.ymlfiles. #811 - In
ecs_nested.yml, the array of strings that used to be inreusable.expected
has been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864 - The subset format now requires
nameandfieldskeys at the top level. #873
Bugfixes
- Subsets are created after duplicating reusable fields now so subsets can
be applied to each reused instance independently. #753 - Quoted the example for
labelsto avoid YAML interpreting it, and having
slightly different results in different situations. #782 - Fix incorrect listing of where field sets are nested in asciidoc,
when they are nested deep. #784 - Allow beats output to be generated when using
--includeor--subsetflags. #814 - Field parameter
indexis now correctly populated in the Beats field definition file. #824
Improvements
- Add support for reusing official fieldsets in custom schemas. #751
- Add full path names to reused fieldsets in
nestingsarray inecs_nested.yml. #803 - Allow shorthand notation for including all subfields in subsets. #805
- Add support for Elasticsearch
enabledfield parameter. #824 - Add
refoption to generator allowing schemas to be built for a specific ECS version. #851 - Add
template-settingsandmapping-settingsoptions to allow override of defaults in generated ES templates. #856 - When overriding ECS field sets via the
--includeflag, it's no longer necessary
to duplicate the field set's mandatory attributes. The customizations are merged
before validation. #864 - Add ability to nest field sets as another name. #864
- Add ability to nest field sets within themselves (e.g.
process=>process.parent). #864 - New attribute
reused_hereis added inecs_nested.yml. It obsoletes the
previous attributenestings, and is able to fully capture details of other
field sets reused under this one. #864 - When chained reuses are needed (e.g.
group=>user, thenuser=> many places),
it's now necessary to force the order with new attributereusable.order. This
attribute is otherwise optional. It's currently only needed forgroup. #864 - There's a new representation of ECS at
generated/ecs/ecs.yml, which is a deeply nested
representation of the fields. This file is not in git, as it's only meant for
developers working on the ECS tools. #864 - Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
- Intermediate
ecs_flat.ymlandecs_nested.ymlfiles are now generated for each individual subset,
in addition to the intermediate files generated for the combined subset. #873
Deprecated
- In
ecs_nested.yml, we're deprecating the attributenestings. It will be
removed in a future release. The deprecatednestingsattribute was an array of
flat field names describing where fields are nested within the field set.
This is replaced with the attributereused_here, which is an array of objects.
The new format still lists where the fields are nested via the same flat field name,
but also specifies additional information about each field reuse. #864