Releases: elastic/ecs

ECS 8.5.0-rc1

21 Sep 14:59
8bfa1a4

ECS Release Candidate

Schema Changes

Added

  • Adding risk.* fields as experimental. #1994, #2010
  • Adding process.io.* as beta fields. #1956, #2031
  • Adding process.tty.rows and process.tty.columns as beta fields. #2031
  • Changed process.env_vars field type to be an array of keywords. #2038
  • Added process.attested_user and process.attested_groups as beta fields. #2050
  • Added risk.* fieldset to beta. #2051

Improvements

  • Advances threat.enrichments.indicator to GA. #1928
  • Added ios and android as valid values for os.type #1999

Tooling and Artifact Changes

Bugfixes

  • Added Deprecation Warning for misspell task #1993
  • Fix typo in client schema #2014

ECS 8.4.0

24 Aug 19:03
f09fa45

What's new in ECS 8.4

New field attribute expected_values

ECS schema field definitions will now support an attribute to provide a consistent location to capture a list of expected values.

Schema Changes

Added

  • Initial set of expected_values. #1962
  • Adding service.node.roles. #1981

Tooling and Artifact Changes

Added

  • Introduce expected_values attribute. #1952

Improvements

  • Additional type annotations. #1950

ECS 8.4.0-rc1

26 Jul 21:04
4683401

ECS Release Candidate

ECS will publish a release candidate version, starting with 8.4.0, to better aid in development efforts.

Changelog

Schema Changes

Added

  • Initial set of expected_values. #1962
  • Adding service.node.roles. #1981

Tooling and Artifact Changes

Added

  • Introduce expected_values attribute. #1952

Improvements

  • Additional type annotations. #1950

ECS 8.3.1

06 Jul 17:48
f1d8127

Schema Changes

Deprecated

  • Deprecate service.node.role in favor of upcoming service.node.roles. #1976

ECS 8.3.0

28 Jun 13:55
e59adac

What's new in ECS 8.3

GA additions to the schema

The container.* metrics fieldset

Proposed in RFC 0025, this release introduces the container.* field set as GA. These additional container metric fields capture container CPU, memory, disk and network performance information.

Pattern attribute for .mac fields

ECS sets the pattern attribute for the .mac address fields. The regex value is based on the format suggested in IETF RFC 7042.

Schema Changes

Added

  • Added pattern attribute to .mac fields. #1871
  • Add orchestrator.cluster.id #1875
  • Add orchestrator.resource.id #1878
  • Add orchestrator.resource.parent.type #1889
  • Add orchestrator.resource.ip #1889
  • Add container.image.hash.all #1889
  • Add service.node.role #1916
  • Advanced container.* metric fields to GA. #1927

Important

After adding service.node.role, it was realized that this field is intended to hold multiple values, and therefore we will be removing role and replacing it with roles at the earliest opportunity. Please do not use service.node.role.

ECS 8.2.1

24 May 19:51
f121eac

Schema Changes

Bugfixes

  • Adding missing process fields for documentation. #1906

Tooling and Artifact Changes

Improvements

  • Add type hints to schema modules. #1771
  • Support docs_only param to subset defs. #1909

ECS 8.2.0

03 May 17:55
11a817f

What's new in ECS 8.2

Beta additions to the schema

The Linux event model fields

Proposed in RFC 0030, this release introduces a variety of new beta fields that capture a Linux event model in order to drive Session View in Kibana.

The container.* metrics fieldset

Proposed in RFC 0025, this release introduces a beta container.* field set. These additional container metric fields capture container CPU, memory, disk and network performance information.

Tooling improvements

In 8.2, ECS has introduced a new optional field definition attribute: pattern. The pattern attribute holds a regular expression (regex) which expresses the expected constraint on a string field's value. This attribute is intended to be used in automated testing to validate the values populating ECS fields.
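The pattern attribute described here and the expected_values attribute from the 8.4 notes above are both constraints that an ingest or test pipeline can check incoming events against. The Python validator below is an added example, not ECS tooling: its field definitions are constructed in ECS style, the MAC regex is written from the RFC 7042 notation (uppercase hex octets joined by hyphens) rather than copied from the ECS schema, and the os.type value list is assumed.

```python
import re

# Constructed, ECS-style field definitions (added example; not the project's
# own schema files). `pattern` (ECS 8.2) holds a regex constraint on a string
# field's value; `expected_values` (ECS 8.4) lists the values a field is
# expected to carry. os.type is shown as reused under host.*.
FIELDS = {
    "host.mac": {"type": "keyword", "normalize": ["array"],
                 # RFC 7042 notation; illustrative, not the ECS repo's regex.
                 "pattern": r"^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$"},
    "host.os.type": {"type": "keyword",
                     # Assumed list; ios and android were added in ECS 8.5.
                     "expected_values": ["linux", "macos", "unix", "windows",
                                         "ios", "android"]},
}


def _lookup(doc, dotted):
    """Resolve a dotted ECS field name against a nested event; None if absent."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate(doc):
    """Return violations of pattern / expected_values constraints in `doc`.

    Absent fields are not violations; array-normalized fields are checked
    element by element, since ECS ingests them as arrays.
    """
    problems = []
    for name, spec in FIELDS.items():
        value = _lookup(doc, name)
        if value is None:
            continue
        for v in (value if isinstance(value, list) else [value]):
            if not isinstance(v, str):
                problems.append(f"{name}: non-string value {v!r}")
                continue
            if "pattern" in spec and not re.fullmatch(spec["pattern"], v):
                problems.append(f"{name}: {v!r} does not match pattern")
            if "expected_values" in spec and v not in spec["expected_values"]:
                problems.append(f"{name}: {v!r} not an expected value")
    return problems


# Constructed sample events: one conforming, one with a colon-separated
# lowercase MAC and an unexpected OS type.
GOOD_EVENT = {"host": {"mac": ["00-00-5E-00-53-00"], "os": {"type": "android"}}}
BAD_EVENT = {"host": {"mac": ["00:00:5e:00:53:00", "00-00-5E-00-53-01"],
                      "os": {"type": "plan9"}}}

if __name__ == "__main__":
    for label, event in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(label, validate(event) or "ok")
```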

Changelog

Schema Changes

Added

  • Add beta container.* metric fields. #1789
  • Add six new syslog fields to log.syslog.*. #1793
  • Added faas.id, faas.name and faas.version fields as beta. #1796
  • Added linux event model beta fields and reuses to support RFC 0030. #1842, #1847, #1884
  • Added threat.feed.dashboard_id, threat.feed.description, threat.feed.name, threat.feed.reference fields. #1844

Improvements

Tooling and Artifact Changes

Added

  • Adding optional field attribute, pattern. #1834
  • Added support for re-using a fieldset as an array. #1838
  • Added --force-docs option to generator. #1879

Improvements

  • Update refs from master to main in USAGE.md etc #1658
  • Clean up trailing spaces and additional newlines in schemas #1667
  • Use higher compression as default in composable index template settings. #1712

ECS 8.1.0

08 Mar 18:17
83977a2

What's new in ECS 8.1

The email.* field set

Proposed in RFC 0010, this release introduces a beta email.* field set. These fields capture event details from email message headers, bodies, and attachments.

Additional hash fields

ECS 8.1 also adds three additional hash fields:

  • hash.sha384
  • hash.tlsh
  • pe.pehash

These fields help align ECS with Threat Intelligence features available in the Elastic platform.

Changelog

Schema Changes

Added

  • Added two new fields (sha384, tlsh) to the hash schema and one field (pehash) to the pe schema. #1678
  • Added email.* beta field set. #1688, #1705

Removed

  • Removing process.target.* reuses from experimental schema. #1666
  • Removing RFC 0014 pe.* fields from experimental schema. #1670

Tooling and Artifact Changes

Bugfixes

  • Fix invalid documentation link generation in component templates _meta. #1728

Improvements

  • Update refs from master to main in USAGE.md etc #1658
  • Clean up trailing spaces and additional newlines in schemas #1667
  • Use higher compression as default in composable index template settings. #1712
  • Bump dependencies. #1782

ECS 8.0.1

01 Mar 22:36
89fad83

Tooling and Artifact Changes

Bugfixes

  • Pin markupsafe==2.0.1 to resolve ImportError exception. #1804

ECS 8.0.0

10 Feb 16:19
d4d302d

What's new in ECS 8.0

We're pleased to announce ECS 8.0.

Thank you to all the ECS contributors who help support the broader Elastic community.

Versioning: 1.x -> 8.0

ECS versioning now aligns with the Elastic platform beginning with 8.0.

ECS didn't follow the same release cadence as the Elastic platform when first introduced. Over time this approach added complexity for our users. For example, users might find themselves asking, "which Elastic version maps to ECS 1.6.0?". By aligning, it's clear what version of ECS maps to which Elastic platform version.

Power in simplicity. 😃

Removed fields

The following fields are removed in ECS 8.0:

Field               Migrate to*      Reference
log.original        event.original   RFC 0017
process.ppid        process.parent.pid   RFC 0022
host.user.* reuse   user.* reuses    user.* field set usage

*Field aliases can help transition existing searches or visualizations depending on these removed fields.

New field data types

ECS 1.x introduced wildcard and match_only_text as beta field types. As of ECS 8.0, these data types are now GA.

The field types selected for ECS provide the best default experience for most users. However, some users may find other interoperable data types a better fit for their use cases.

Tooling changes

Elasticsearch generated artifacts

In 1.x, the project maintained sample index templates for two versions of Elasticsearch (6.x, 7.x). In 8.0, ECS now produces two sample template types: composable and legacy.

In composable, each ECS field set has a component template. An example component template, template.json, references each field set component template. These artifacts work with the new index templates introduced in Elasticsearch 7.8.

The legacy template will continue working with the legacy index template API.

Removed features

  • Removed the already deprecated --oss flag
  • Removed Go code generator to simplify the project's tooling and CI/CD pipeline.

Changelog

Schema Changes

Breaking changes

  • Remove host.user.* field reuse. #1439
  • Remove deprecation notice on http.request.method. #1443
  • Migrate log.origin.file.line from integer to long. #1533
  • Remove log.original field. #1580
  • Remove process.ppid field. #1596

Added

Improvements

  • Wildcard type field migration GA. #1582
  • match_only_text type field migration GA. #1584
  • Threat indicator fields GA from RFC 0008. #1586

Tooling and Artifact Changes

Breaking Changes

  • Removing deprecated --oss from generator #1404
  • Removing use-cases directory #1405
  • Remove Go code generator. #1567
  • Remove template generation for ES6. #1680
  • Update folder structure for generated ES artifacts. #1700, #1762
  • Updated support for overridable composable settings template. #1737

Improvements

  • Align input options for --include and --subset arguments #1519
  • Remove remaining Go deps after removing Go code generator. #1585
  • Add explicit default_field: true for Beats artifacts. #1633
  • Reorganize docs directory structure. #1679
  • Added support for analyzer definitions for text fields. #1737

Bugfixes

  • Fixed the default_field flag for root fields in Beats generator. #1711