- Added
log.file.pathto capture the log file an event came from. #802
- Field
registry.data.stringsshould have been marked as an array field. #790
- Add architecture and imphash for PE field set. (#763)
- Added
agent.build.*for extended agent version information. (#764) - Added
x509.*field set. (#762) - Added more account and project cloud metadata. (#816)
- Added missing field reuse of
peatprocess.parent.pe#868
- Remove misleading pluralization in the description of
user.id, it should contain one ID, not many. #801 - Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
- Improved verbiage about the MITRE ATT&CK® framework. #866
- Deprecate guidance to lowercase
http.request.method#840
- Removed field definitions at the root of documents for fieldsets that
had
reusable.top_level:false. This PR affectsecs_flat.yml, the csv file and the sample Elasticsearch templates. #495, #813 - Removed the
orderattribute from theecs_nested.ymlandecs_flat.ymlfiles. #811 - In
ecs_nested.yml, the array of strings that used to be inreusable.expectedhas been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864
- Subsets are created after duplicating reusable fields now so subsets can be applied to each reused instance independently. #753
- Quoted the example for
labelsto avoid YAML interpreting it, and having slightly different results in different situations. #782 - Fix incorrect listing of where field sets are nested in asciidoc, when they are nested deep. #784
- Allow beats output to be generated when using
--includeor--subsetflags. #814
- Add support for reusing offical fieldsets in custom schemas. #751
- Add full path names to reused fieldsets in
nestingsarray inecs_nested.yml. #803 - Allow shorthand notation for including all subfields in subsets. #805
- Add
refoption to generator allowing schemas to be built for a specific ECS version. #851 - Add
template-settingsandmapping-settingsoptions to allow override of defaults in generated ES templates. #856 - When overriding ECS field sets via the
--includeflag, it's no longer necessary to duplicate the field set's mandatory attributes. The customizations are merged before validation. #864 - Add ability to nest field sets as another name. #864
- Add ability to nest field sets within themselves (e.g.
process=>process.parent). #864 - New attribute
reused_hereis added inecs_nested.yml. It obsoletes the previous attributenestings, and is able to fully capture details of other field sets reused under this one. #864 - When chained reuses are needed (e.g.
group=>user, thenuser=> many places), it's now necessary to force the order with new attributereusable.order. This attribute is otherwise optional. It's currently only needed forgroup. #864 - There's a new representation of ECS at
generated/ecs/ecs.yml, which is a deeply nested representation of the fields. This file is not in git, as it's only meant for developers working on the ECS tools. #864