Support new ECS 1.6 fields
Add support for the new ECS fields introduced in elastic/ecs#930 (the ECS 1.6.0 changelog).
Describe the enhancement:
elastic/ecs#762: ECS added support for storing the common core fields of X.509 certificates. The following data sources should be reviewed to see whether they can take advantage of the new fields:
- Filebeat checkpoint/firewall
- Filebeat fortinet/firewall
- Filebeat santa/log
- Filebeat suricata/eve
- Filebeat zeek/kerberos
- Filebeat zeek/ssl
- Filebeat zeek/x509
- Heartbeat (already done)
- Packetbeat (most of the work already done)
- Winlogbeat (CA event logs, Certificate lifecycle, etc.)
- review others to double check we didn't miss anything
Describe the enhancement:
elastic/ecs#763: added architecture and imphash to the PE field set.
- Winlogbeat sysmon imphash
Describe the enhancement:
elastic/ecs#816: added more account and project cloud metadata.
- AWS
- GCP
- Azure
Describe the enhancement:
elastic/ecs#907: added event.reason for the reason why an event's outcome or action was taken.
Describe the enhancement:
elastic/ecs#913: added related.hosts to capture all hostnames and host identifiers seen on an event.
- rsa2elk modules
- Filebeat panw
- Filebeat osquery
- Filebeat system
- Filebeat microsoft/defender_atp
- Filebeat suricata
- Filebeat cisco
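To make concrete what "capture all hostnames and host identifiers on an event" means for a module, here is an added example (not Beats code, and not an ingest pipeline shipped by any of the modules listed above) that gathers host-bearing ECS fields into `related.hosts`. The list of source fields (`HOST_FIELDS`), the lowercase normalization, the trailing-dot stripping and the sample event are all assumptions of this example. It goes slightly beyond the text by handling list-valued fields and de-duplicating case and trailing-dot variants, which is what makes `related.hosts` reliable as a single pivot field for detection queries.

```python
"""Build ECS related.hosts from the host-bearing fields of an event.

Added example, not Beats or ECS code. HOST_FIELDS and the normalization
rules are assumptions chosen for illustration.
"""
from typing import Any, Dict, List, Optional

# ECS fields that commonly carry a hostname or host identifier (assumed list).
HOST_FIELDS = [
    "host.name",
    "host.hostname",
    "observer.hostname",
    "source.domain",
    "destination.domain",
    "client.domain",
    "server.domain",
    "url.domain",
    "dns.question.name",
]


def get_dotted(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted path such as 'source.domain' against nested dicts.

    Returns None when any component of the path is missing.
    """
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def related_hosts(event: Dict[str, Any]) -> List[str]:
    """Return an order-preserving, de-duplicated list of host identifiers.

    Values are lowercased and a trailing dot (absolute FQDN form) is removed,
    so 'Example.org.' and 'example.org' collapse to one entry.
    """
    seen = set()
    out: List[str] = []
    for field in HOST_FIELDS:
        value = get_dotted(event, field)
        if value is None:
            continue
        # A field may legitimately hold a single string or a list of strings.
        values = value if isinstance(value, list) else [value]
        for v in values:
            if not isinstance(v, str):
                continue
            norm = v.strip().rstrip(".").lower()
            if norm and norm not in seen:
                seen.add(norm)
                out.append(norm)
    return out


def enrich(event: Dict[str, Any]) -> Dict[str, Any]:
    """Set related.hosts on the event when at least one identifier was found."""
    hosts = related_hosts(event)
    if hosts:
        event.setdefault("related", {})["hosts"] = hosts
    return event


# Constructed sample event; not captured from any real system.
SAMPLE_EVENT = {
    "host": {"name": "fw01.corp.example", "hostname": "FW01"},
    "source": {"ip": "10.0.0.5", "domain": "Workstation-7.corp.example"},
    "destination": {"ip": "93.184.216.34", "domain": "example.org."},
    "dns": {"question": {"name": "example.org"}},
}

if __name__ == "__main__":
    print(enrich(dict(SAMPLE_EVENT))["related"]["hosts"])
```

Running the block on the constructed event yields four entries: the firewall's FQDN and short name, the source workstation, and `example.org` once, even though it appears in both `destination.domain` (with a trailing dot) and `dns.question.name`. A module doing this in an ingest pipeline would use `append` processors with `allow_duplicates: false` on the same set of fields; the point of this example is to spell out which normalization decisions the module has to make so that a query on `related.hosts` matches regardless of which field originally carried the name.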
Describe the enhancement:
elastic/ecs#917: added user.roles to capture the list of role names that apply to the user.