Releases: elastic/ecs

ECS 8.9.0

26 Jul 18:17
f816f2a

8.9.0

Schema Changes

Bugfixes

Added

  • Added process.vpid for namespaced process ids. #2211

Improvements

Deprecated

  • Removed faas.trigger: nested since we only have one trigger. #2194

ECS 8.8.0

25 May 18:54
969aeba

ECS 8.8.0

Schema Changes

Added

  • Add access as an allowed type for event.type: file. #2174
  • Add orchestrator.resource.annotation and orchestrator.resource.label. #2181
  • Add event.kind: asset as a beta category. #2191

Tooling and Artifact Changes

Added

  • Add parameters property for field definitions, to provide any mapping parameter. #2084

ECS 8.7.0

30 Mar 13:20
7a56b30

Schema Changes

Bugfixes

  • remove duplicated client.domain definition #2120

Added

  • adding name field to threat.indicator #2121
  • adding api option to event.category #2147
  • adding library option to event.category #2154

Improvements

  • description for host.name definition updated to encourage use of FQDN #2122

Tooling and Artifact Changes

Improvements

  • Updated usage docs to include threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
  • Bump gitpython from 3.1.27 to 3.1.30 in /scripts. #2139

ECS 8.7.0-rc1

08 Feb 15:05
ad9672f

ECS 8.7.0-rc1 Pre-release

Schema Changes

Bugfixes

  • remove duplicated client.domain definition #2120

Added

  • adding name field to threat.indicator #2121
  • adding api option to event.category #2147
  • adding library option to event.category #2154

Improvements

  • description for host.name definition updated to encourage use of FQDN #2122

Tooling and Artifact Changes

Improvements

  • Updated usage docs to include threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
  • Bump gitpython from 3.1.27 to 3.1.30 in /scripts. #2139

ECS 8.6.1

06 Feb 13:46
5f217d4

What's new in ECS 8.5.1

Schema Changes

Bugfixes

  • Fixing tlp_version and tlp field for threat. #2156

ECS 8.6.0

10 Jan 16:26
7a4148f

8.6.0 RELEASE

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ECS 8.6.0-rc1

21 Nov 11:25
a9e19ed

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ECS 8.5.2

08 Nov 19:32
8ebaa13

What's new in ECS 8.5.2

Schema Changes

Bugfixes

  • Fixes invalid number type on 4 process.io subfields. #2105

ECS 8.5.1

02 Nov 16:37
17858e7

What's new in ECS 8.5.1

Tooling and Artifact Changes

Bugfixes

  • Fix type of normalize in process.io.bytes_skipped. #2094

ECS 8.5.0

01 Nov 14:26
c64d2c1

What's new in ECS 8.5.0

Schema Changes

Added

  • Adding risk.* fields as experimental. #1994, #2010
  • Adding process.io.* as beta fields. #1956, #2031
  • Adding process.tty.rows and process.tty.columns as beta fields. #2031
  • Changed process.env_vars field type to be an array of keywords. #2038
  • process.attested_user and process.attested_groups as beta fields. #2050
  • Added risk.* fieldset to beta. #2051, #2058
  • Moved Linux event model fields to GA. #2082

Improvements

  • Advances threat.enrichments.indicator to GA. #1928
  • Added ios and android as valid values for os.type #1999

Tooling and Artifact Changes

Bugfixes

  • Added Deprecation Warning for misspell task #1993
  • Fix typo in client schema #2014