Several additions introduced from the ECS RFC process are included in this release:
- The multiple users proposal has advanced to Finished status, with the `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses becoming GA.
- Host metrics fields are now beta.
- The `threat.indicator` fields, `elf.*` fields, `pe.*` extensions, and `data_stream.*` fieldset are now in the experimental ECS schema.
A new section has been added to the ECS event categorization documentation. Real-world example events are categorized to demonstrate using the event categorization fields to group and identify similar events from multiple data sources.
In addition to RFC proposed changes, ECS 1.9.0 also adds:
- `http.request.id`
- `cloud.service.name`
- `hash.ssdeep`
- `code_signature.team_id` and `code_signature.signing_id`
- Additional fields to the `geo.*` fieldset: `geo.timezone`, `geo.postal_code`, `geo.continent_code`
Finally, `*.mac` field descriptions now suggest normalizing MAC address values to the RFC 7042 format.
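The RFC 7042 notation that the `*.mac` descriptions point to writes each octet as two uppercase hexadecimal digits and separates octets with hyphens (for example `00-00-5E-00-53-23`). The snippet below is an added example, not code from ECS or from this release; it normalizes the address shapes commonly seen in logs (colon- or hyphen-separated, Cisco dotted groups, bare 12-digit strings) into that form, and walks an ECS-style event to rewrite every `mac` field, including array-valued ones such as `host.mac`. The `normalize_mac` and `normalize_mac_fields` names and the `SAMPLE_EVENT` document are constructed for the example. Values that do not parse as a MAC address are left untouched rather than dropped, so a malformed input stays visible for investigation instead of silently disappearing.

```python
import re
from typing import Any, Optional

# Added example (not part of the ECS release notes or ECS tooling): normalize
# MAC address strings to the RFC 7042 textual form recommended for ECS *.mac
# fields: six octets as two uppercase hex digits each, separated by hyphens.

# Twelve hex digits after separators are stripped and the text is uppercased.
_HEX12 = re.compile(r"[0-9A-F]{12}")
# Separators we accept on input: ':' and '-' (common), '.' (Cisco), whitespace.
_SEPARATORS = re.compile(r"[:\-.\s]")


def normalize_mac(value: str) -> Optional[str]:
    """Return the RFC 7042 form of a MAC address, or None if the input is not one."""
    if not isinstance(value, str):
        return None
    digits = _SEPARATORS.sub("", value.strip()).upper()
    if not _HEX12.fullmatch(digits):
        # Wrong length or non-hex characters: not a MAC address.
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def _normalize_value(val: Any) -> Any:
    """Normalize a scalar or list-valued mac field; unparseable values are kept as-is."""
    if isinstance(val, str):
        return normalize_mac(val) or val
    if isinstance(val, list):
        return [(normalize_mac(v) or v) if isinstance(v, str) else v for v in val]
    return val


def normalize_mac_fields(event: Any) -> Any:
    """Return a copy of a (nested) ECS-style event with every 'mac' key normalized.

    Handles both nested objects ({"source": {"mac": ...}}) and flattened
    dotted keys ({"source.mac": ...}); other keys are copied unchanged.
    """
    if isinstance(event, dict):
        out = {}
        for key, val in event.items():
            if key == "mac" or key.endswith(".mac"):
                out[key] = _normalize_value(val)
            else:
                out[key] = normalize_mac_fields(val)
        return out
    return event


# Constructed sample event mixing the input shapes seen in practice.
SAMPLE_EVENT = {
    "source": {"mac": "00:00:5e:00:53:23"},
    "destination": {"mac": "0000.5e00.5324"},
    "host": {"mac": ["00005E005325", "not-a-mac"]},
    "observer.mac": "00-00-5e-00-53-26",
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_mac_fields(SAMPLE_EVENT), indent=2))
```

Run as a script, it prints the sample event with every MAC rewritten to the hyphenated uppercase form while the `not-a-mac` entry in `host.mac` is preserved. Separator-insensitive normalization matters beyond tidiness: a detection rule or join that compares `source.mac` across data sources only works if every shipper agrees on one representation.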
Changelog

Schema Changes

Added
- Added `hash.ssdeep`. #1169
- Added `cloud.service.name`. #1204
- Added `http.request.id`. #1208
- `data_stream.*` fieldset introduced in experimental schema and artifacts. #1215
- Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
- Added beta host metrics fields. #1248
- Added `code_signature.team_id`, `code_signature.signing_id`. #1249
- Extended `pe` fields added to experimental schema. #1256
- Add `elf` fieldset to experimental schema. #1261
- Add `threat.indicator` fields to experimental schema. #1268
Improvements
- Include formatting guidance and examples for MAC address fields. #456
- New section in ECS detailing event categorization fields usage. #1242
- `user.changes.*`, `user.effective.*`, and `user.target.*` field reuses are GA. #1271