expected_values from threat.*.indicator.name fields. #2281
volume.* as beta field set. #2269
Published by chrisberkhout about 1 year ago
container.security_context.privileged to indicate whether a container was started in privileged mode. #2219, #2225, #2246
process.thread.capabilities.permitted to contain the current thread's possible capabilities. #2245
process.thread.capabilities.effective to contain the current thread's effective capabilities. #2245
ignore_above if explicitly set on a flattened field. #2248
gitpython dependency from 3.1.30 to 3.1.35 for security fixes. #2251, #2264, #2265
Published by kgeller over 1 year ago
access as an allowed type for event.type: file. #2174
orchestrator.resource.annotation and orchestrator.resource.label. #2181
event.kind: asset as a beta category. #2191
parameters property for field definitions, to provide any mapping parameter. #2084
Published by marc-gr over 1 year ago
client.domain definition #2120
name field to threat.indicator #2121
api option to event.category #2147
library option to event.category #2154
host.name definition updated to encourage use of FQDN #2122
threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
gitpython from 3.1.27 to 3.1.30 in /scripts. #2139
Published by marc-gr over 1 year ago
client.domain definition #2120
name field to threat.indicator #2121
api option to event.category #2147
library option to event.category #2154
host.name definition updated to encourage use of FQDN #2122
threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
gitpython from 3.1.27 to 3.1.30 in /scripts. #2139
Published by kgeller over 1 year ago
tlp_version and tlp field for threat. #2156
Published by djptek almost 2 years ago
vulnerability option for event.category. #2029
device.* field set as beta. #2030
tlp.version to threat #2074
CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074
Published by djptek almost 2 years ago
vulnerability option for event.category. #2029
device.* field set as beta. #2030
tlp.version to threat #2074
CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074
Published by kgeller almost 2 years ago
number type on 4 process.io subfields. #2105
Published by taylor-swanson almost 2 years ago
normalize in process.io.bytes_skipped. #2094
Published by taylor-swanson almost 2 years ago
risk.* fields as experimental. #1994, #2010
process.io.* as beta fields. #1956, #2031
process.tty.rows and process.tty.columns as beta fields. #2031
process.env_vars field type to be an array of keywords. #2038
process.attested_user and process.attested_groups as beta fields. #2050
risk.* fieldset to beta. #2051, #2058
threat.enrichments.indicator to GA. #1928
ios and android as valid values for os.type #1999
misspell task #1993
Published by taylor-swanson about 2 years ago
risk.* fields as experimental. #1994, #2010
process.io.* as beta fields. #1956, #2031
process.tty.rows and process.tty.columns as beta fields. #2031
process.env_vars field type to be an array of keywords. #2038
process.attested_user and process.attested_groups as beta fields. #2050
risk.* fieldset to beta. #2051
threat.enrichments.indicator to GA. #1928
ios and android as valid values for os.type #1999
misspell task #1993
Published by kgeller about 2 years ago
expected_values
ECS schema field definitions will now support an attribute to provide a consistent location to capture a list of expected values.
expected_values. #1962
service.node.roles. #1981
expected_values attribute. #1952
Published by kgeller about 2 years ago
ECS will publish a release candidate version, starting with 8.4.0, to better aid in development efforts.
expected_values. #1962
service.node.roles. #1981
expected_values attribute. #1952
Published by kgeller over 2 years ago
service.node.role in favor of upcoming service.node.roles. #1976
Published by kgeller over 2 years ago
GA additions to the schema
Proposed in RFC 0025, this release introduces the container.* field set as GA. These additional container metric fields capture container CPU, memory, disk and network performance information.
.mac fields
ECS sets the pattern attribute for the .mac address fields. The regex value is based on the format suggested in IETF RFC 7042.
pattern attribute to .mac fields. #1871
orchestrator.cluster.id #1875
orchestrator.resource.id #1878
orchestrator.resource.parent.type #1889
orchestrator.resource.ip #1889
container.image.hash.all #1889
service.node.role #1916
container.* metric fields to GA. #1927
After adding service.node.role, it was realized that we intend for this field to have multiple values, and therefore we will be removing role and replacing it with roles at the earliest opportunity. Please do not use service.node.role.
Published by ebeahan over 2 years ago
schema modules. #1771
docs_only param to subset defs. #1909
Published by kgeller over 2 years ago
Beta additions to the schema
Proposed in RFC 0030, this release introduces a variety of new beta fields that model Linux events in order to drive Session view in Kibana.
container.* metrics fieldset
Proposed in RFC 0025, this release introduces a beta container.* field set. These additional container metric fields capture container CPU, memory, disk and network performance information.
In 8.2, ECS has introduced a new optional field definition attribute: pattern. The pattern attribute holds a regular expression (regex) which expresses the expected constraint on a string field's value. This attribute is intended to be used in automated testing to validate the values populating ECS fields.
container.* metric fields. #1789
log.syslog.*. #1793
faas.id, faas.name and faas.version fields as beta. #1796
threat.feed.dashboard_id, threat.feed.description, threat.feed.name, threat.feed.reference fields. #1844
email.* field set now GA. #1794, #1841
pattern. #1834
--force-docs option to generator. #1879
Published by ebeahan over 2 years ago
email.* field set
Proposed in RFC 0010, this release introduces a beta email.* field set. These fields capture event details from email message headers, bodies, and attachments.
ECS 8.1 also adds three additional hash fields:
hash.sha384
hash.tlsh
pe.pehash
These fields help align ECS with Threat Intelligence features available in the Elastic platform.
email.* beta field set. #1688, #1705
process.target.* reuses from experimental schema. #1666
pe.* fields from experimental schema. #1670
_meta. #1728