Several additions introduced from the ECS RFC process are included in this release:
- The multiple users proposal has advanced to
Finishedstatus withuser.changes.*,user.effective.*, anduser.target.*field reuses becoming GA. - Host metrics fields are now beta.
- The
threat.indicatorfields,elf.*fields,pe.*extensions, anddata_stream.*fieldset are now in the experimental ECS schema.
A new section has been added to the ECS event categorization documentation. Real-world example events are categorized to demonstrate using the event categorization fields to group and identify similar events from multiple data sources.
In addition to RFC proposed changes, ECS 1.9.0 also adds:
http.request.idcloud.service.namehash.ssdeepcode_signature.team_idandcode_signature.signing_id- Additional fields to the
geo.*fieldset:geo.timezone,geo.postal_code,geo.continent_code
Finally, *.mac field descriptions now suggest normalizing MAC address values to the RFC7042 format.
Changelog
Schema Changes
Added
- Added
hash.ssdeep. #1169 - Added
cloud.service.name. #1204 - Added
http.request.id. #1208 data_stream.*fieldset introduced in experimental schema and artifacts. #1215- Added
geo.timezone,geo.postal_code, andgeo.continent_code. #1229 - Added
betahost metrics fields. #1248 - Added
code_signature.team_id,code_signature.signing_id. #1249 - Extended
pefields added to experimental schema. #1256 - Add
elffieldset to experimental schema. #1261 - Add
threat.indicatorfields to experimental schema. #1268
Improvements
- Include formatting guidance and examples for MAC address fields. #456
- New section in ECS detailing event categorization fields usage. #1242
user.changes.*,user.effective.*, anduser.target.*field reuses are GA. #1271