ecs

Elastic Common Schema

APACHE-2.0 License


ecs - ECS 8.11.0 (Latest Release)

Published by taylor-swanson 11 months ago

Schema Changes

Bugfixes

  • Remove expected_values from threat.*.indicator.name fields. #2281

Added

  • Added volume.* as beta field set. #2269

Tooling and Artifact Changes

Bugfixes

  • Respect reusable.top_level in Beats generator #2278

ecs - ECS 8.10.0

Published by chrisberkhout about 1 year ago

ECS 8.10.0

Schema Changes

Added

  • Added container.security_context.privileged to indicate whether a container was started in privileged mode. #2219, #2225, #2246
  • Added process.thread.capabilities.permitted to contain the current thread's possible capabilities. #2245
  • Added process.thread.capabilities.effective to contain the current thread's effective capabilities. #2245

Improvements

  • Permit ignore_above if explicitly set on a flattened field. #2248

Tooling and Artifact Changes

Improvements

  • Improved documentation formatting to better follow the contributing guide. #2226
  • Bump gitpython dependency from 3.1.30 to 3.1.35 for security fixes. #2251, #2264, #2265

ecs - ECS 8.9.0

Published by bhapas about 1 year ago

8.9.0

Schema Changes

Added

  • Added process.vpid for namespaced process ids. #2211

Deprecated

  • Removed faas.trigger: nested since we only have one trigger. #2194

ecs - ECS 8.8.0

Published by kgeller over 1 year ago

ECS 8.8.0

Schema Changes

Added

  • Add access as an allowed type for event.type: file. #2174
  • Add orchestrator.resource.annotation and orchestrator.resource.label. #2181
  • Add event.kind: asset as a beta category. #2191

Tooling and Artifact Changes

Added

  • Add parameters property for field definitions, to provide any mapping parameter. #2084

ecs - ECS 8.7.0

Published by marc-gr over 1 year ago

Schema Changes

Bugfixes

  • remove duplicated client.domain definition #2120

Added

  • adding name field to threat.indicator #2121
  • adding api option to event.category #2147
  • adding library option to event.category #2154

Improvements

  • description for host.name definition updated to encourage use of FQDN #2122

Tooling and Artifact Changes

Improvements

  • Updated usage docs to include threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
  • Bump gitpython from 3.1.27 to 3.1.30 in /scripts. #2139

ecs - ECS 8.7.0-rc1

Published by marc-gr over 1 year ago

Schema Changes

Bugfixes

  • remove duplicated client.domain definition #2120

Added

  • adding name field to threat.indicator #2121
  • adding api option to event.category #2147
  • adding library option to event.category #2154

Improvements

  • description for host.name definition updated to encourage use of FQDN #2122

Tooling and Artifact Changes

Improvements

  • Updated usage docs to include threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
  • Bump gitpython from 3.1.27 to 3.1.30 in /scripts. #2139

ecs - ECS 8.6.1

Published by kgeller over 1 year ago

What's new in ECS 8.5.1

Schema Changes

Bugfixes

  • Fixing tlp_version and tlp field for threat. #2156

ecs - ECS 8.6.0

Published by djptek almost 2 years ago

8.6.0 RELEASE

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ecs - ECS 8.6.0-rc1

Published by djptek almost 2 years ago

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ecs - ECS 8.5.2

Published by kgeller almost 2 years ago

What's new in ECS 8.5.2

Schema Changes

Bugfixes

  • Fixes invalid number type on 4 process.io subfields. #2105

ecs - ECS 8.5.1

Published by taylor-swanson almost 2 years ago

What's new in ECS 8.5.1

Tooling and Artifact Changes

Bugfixes

  • Fix type of normalize in process.io.bytes_skipped. #2094

ecs - ECS 8.5.0

Published by taylor-swanson almost 2 years ago

What's new in ECS 8.5.0

Schema Changes

Added

  • Adding risk.* fields as experimental. #1994, #2010
  • Adding process.io.* as beta fields. #1956, #2031
  • Adding process.tty.rows and process.tty.columns as beta fields. #2031
  • Changed process.env_vars field type to be an array of keywords. #2038
  • process.attested_user and process.attested_groups as beta fields. #2050
  • Added risk.* fieldset to beta. #2051, #2058
  • Moved Linux event model fields to GA. #2082

Improvements

  • Advances threat.enrichments.indicator to GA. #1928
  • Added ios and android as valid values for os.type #1999

Tooling and Artifact Changes

Bugfixes

  • Added Deprecation Warning for misspell task #1993
  • Fix typo in client schema #2014

ecs - ECS 8.5.0-rc1

Published by taylor-swanson about 2 years ago

ECS Release Candidate

Schema Changes

Added

  • Adding risk.* fields as experimental. #1994, #2010
  • Adding process.io.* as beta fields. #1956, #2031
  • Adding process.tty.rows and process.tty.columns as beta fields. #2031
  • Changed process.env_vars field type to be an array of keywords. #2038
  • process.attested_user and process.attested_groups as beta fields. #2050
  • Added risk.* fieldset to beta. #2051

Improvements

  • Advances threat.enrichments.indicator to GA. #1928
  • Added ios and android as valid values for os.type #1999

Tooling and Artifact Changes

Bugfixes

  • Added Deprecation Warning for misspell task #1993
  • Fix typo in client schema #2014

ecs - ECS 8.4.0

Published by kgeller about 2 years ago

What's new in ECS 8.4

New field attribute expected_values

ECS schema field definitions will now support an attribute to provide a consistent location to capture a list of expected values.

Schema Changes

Added

  • Initial set of expected_values. #1962
  • Adding service.node.roles. #1981

Tooling and Artifact Changes

Added

  • Introduce expected_values attribute. #1952

Improvements

  • Additional type annotations. #1950

ecs - ECS 8.4.0-rc1

Published by kgeller about 2 years ago

ECS Release Candidate

ECS will publish a release candidate version, starting with 8.4.0, to better aid in development efforts.

Changelog

Schema Changes

Added

  • Initial set of expected_values. #1962
  • Adding service.node.roles. #1981

Tooling and Artifact Changes

Added

  • Introduce expected_values attribute. #1952

Improvements

  • Additional type annotations. #1950

ecs - ECS 8.3.1

Published by kgeller over 2 years ago

Schema Changes

Deprecated

  • Deprecate service.node.role in favor of upcoming service.node.roles. #1976

ecs - ECS 8.3.0

Published by kgeller over 2 years ago

What's new in ECS 8.3

GA additions to the schema

The container.* metrics fieldset

Proposed in RFC 0025, this release introduces the container.* field set as GA. These additional container metric fields capture container CPU, memory, disk and network performance information.

Pattern attribute for .mac fields

ECS sets the pattern attribute for the .mac address fields. The regex value is based on the format suggested in IETF RFC 7042.

Schema Changes

Added

  • Added pattern attribute to .mac fields. #1871
  • Add orchestrator.cluster.id #1875
  • Add orchestrator.resource.id #1878
  • Add orchestrator.resource.parent.type #1889
  • Add orchestrator.resource.ip #1889
  • Add container.image.hash.all #1889
  • Add service.node.role #1916
  • Advanced container.* metric fields to GA. #1927

Important

After adding service.node.role, it was realized that we intend for this field to have multiple values, and therefore we will be removing role and replacing with roles at the earliest opportunity. Please do not use service.node.role.

ecs - ECS 8.2.1

Published by ebeahan over 2 years ago

Schema Changes

Bugfixes

  • Adding missing process fields for documentation. #1906

Tooling and Artifact Changes

Improvements

  • Add type hints to schema modules. #1771
  • Support docs_only param to subset defs. #1909

ecs - ECS 8.2.0

Published by kgeller over 2 years ago

What's new in ECS 8.2

Beta additions to the schema

The Linux event model fields

Proposed in RFC 0030, this release introduces a variety of new beta fields that model a Linux event model in order to drive Session View in Kibana.

The container.* metrics fieldset

Proposed in RFC 0025, this release introduces a beta container.* field set. These additional container metric fields capture container CPU, memory, disk and network performance information.

Tooling improvements

In 8.2, ECS has introduced a new optional field definition attribute: pattern. The pattern attribute holds a regular expression (regex) which expresses the expected constraint on a string field's value. This attribute is intended to be used in automated testing to validate the values populating ECS fields.
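As an added example (not code from the ecs project), a small validator in the spirit of the automated testing the pattern attribute is meant for: it checks event values against a field definition's pattern (the RFC 7042 style .mac pattern described under 8.3), and reports values outside expected_values (the attribute introduced in 8.4) as warnings rather than errors, since ECS presents those values as expected, not enforced. The field definitions, the MAC regex and the sample events are constructed for this example and are assumptions, not copies of the ecs schema files.

```python
import re

# Constructed ECS-style field definitions, trimmed to the attributes this
# example needs (assumption: not copied from the ecs repository's schema files).
FIELD_DEFS = {
    "host.mac": {
        "type": "keyword",
        # Assumed RFC 7042 style pattern: uppercase hex pairs, hyphen separated.
        "pattern": r"^[A-F0-9]{2}(-[A-F0-9]{2}){5,7}$",
    },
    "event.category": {
        "type": "keyword",
        # Constructed subset of expected values; informational, not a hard allowlist.
        "expected_values": ["api", "file", "library", "vulnerability"],
    },
}


def get_path(event, dotted):
    """Resolve a dotted ECS field name inside a nested event dict, or None."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_event(event, field_defs=FIELD_DEFS):
    """Return a list of (field, severity, message) findings for one event."""
    findings = []
    for name, fdef in field_defs.items():
        value = get_path(event, name)
        if value is None:
            continue
        # Keyword fields may be single values or arrays; normalise to a list.
        values = value if isinstance(value, list) else [value]
        pattern = fdef.get("pattern")
        expected = fdef.get("expected_values")
        for v in values:
            # pattern is a constraint: a mismatch is an error.
            if pattern and not re.fullmatch(pattern, str(v)):
                findings.append((name, "error", f"{v!r} does not match pattern {pattern}"))
            # expected_values is guidance: an unknown value is only a warning.
            if expected and v not in expected:
                findings.append((name, "warning", f"{v!r} not in expected_values"))
    return findings
```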

Changelog

Schema Changes

Added

  • Add beta container.* metric fields. #1789
  • Add six new syslog fields to log.syslog.*. #1793
  • Added faas.id, faas.name and faas.version fields as beta. #1796
  • Added linux event model beta fields and reuses to support RFC 0030. #1842, #1847, #1884
  • Added threat.feed.dashboard_id, threat.feed.description, threat.feed.name, threat.feed.reference fields. #1844

Improvements

  • email.* field set now GA. #1794, #1841

Tooling and Artifact Changes

Added

  • Adding optional field attribute, pattern. #1834
  • Added support for re-using a fieldset as an array. #1838
  • Added --force-docs option to generator. #1879

Improvements

  • Update refs from master to main in USAGE.md etc #1658
  • Clean up trailing spaces and additional newlines in schemas #1667
  • Use higher compression as default in composable index template settings. #1712

ecs - ECS 8.1.0

Published by ebeahan over 2 years ago

What's new in ECS 8.1

The email.* field set

Proposed in RFC 0010, this release introduces a beta email.* field set. These fields capture event details from email message headers, bodies, and attachments.

Additional hash fields

ECS 8.1 also adds three additional hash fields:

  • hash.sha384
  • hash.tlsh
  • pe.pehash

These fields help align ECS with Threat Intelligence features available in the Elastic platform.

Changelog

Schema Changes

Added

  • Added two new fields (sha384, tlsh) to hash schema and one field to pe schema (pehash). #1678
  • Added email.* beta field set. #1688, #1705

Removed

  • Removing process.target.* reuses from experimental schema. #1666
  • Removing RFC 0014 pe.* fields from experimental schema. #1670

Tooling and Artifact Changes

Bugfixes

  • Fix invalid documentation link generation in component templates _meta. #1728

Improvements

  • Update refs from master to main in USAGE.md etc #1658
  • Clean up trailing spaces and additional newlines in schemas #1667
  • Use higher compression as default in composable index template settings. #1712
  • Bump dependencies. #1782