All notable changes to this project will be documented in this file based on the Keep a Changelog Standard. This project adheres to Semantic Versioning.
- The
protocolallowed value underevent.typeshould not have theexpected_event_typesdefined. #964 - Clarify the definition of
file.extension(no dots). #1016
- Added Mime Type fields to HTTP request and response. #944
- Added network directions ingress and egress. #945
- Added
threat.technique.subtechniqueto capture MITRE ATT&CK® subtechniques. #951 - Added
configurationas an allowedevent.category. #963 - Added a new directory with experimental artifacts, which includes all changes from RFCs that have reached stage 2. #993, #1053, #1115, #1117, #1118
- Expanded field set definitions for
source.*anddestination.*. #967 - Provided better guidance for mapping network events. #969
- Added the field
.subdomainunderclient,destination,server,sourceandurl, to match its presence atdns.question.subdomain. #981 - Clarified ambiguity in guidance on how to use x509 fields for connections with only one certificate. #1114
- Changed the index pattern of the sample Elasticsearch template from
ecs-*totry-ecs-*to avoid conflicting with Logstash'ecs-logstash-*. #1048
- Addressed issue where foreign reuses weren't using the user-supplied
asvalue for their destination. #960 - Experimental artifacts failed to install due to
event.originalindex setting. #1053
- Introduced
--strictflag to perform stricter schema validation when running the generator script. #937 - Added check under
--strictthat ensures composite types in example fields are quoted. #966 - Added
ignore_aboveandnormalizersupport for keyword multi-fields. #971 - Added
--ossflag for users who want to generate ECS templates for use on OSS clusters. #991
- Field details Jinja2 template components have been consolidated into one template #897
- Add
[discrete]marker before each section header in field details. #989 --refnow loadsexperimental/schemasbased on git ref in addition toschemas. #1063
- Field
registry.data.stringsshould have been marked as an array field. #790
- Added
x509.*field set. #762 - Add architecture and imphash for PE field set. #763
- Added
agent.build.*for extended agent version information. #764 - Added
log.file.pathto capture the log file an event came from. #802 - Added more account and project cloud metadata. #816
- Added missing field reuse of
peatprocess.parent.pe#868 - Added
span.idto the tracing fieldset, for additional log correlation #882 - Added
event.reasonfor the reason why an event's outcome or action was taken. #907 - Added
user.rolesto capture a list of role names that apply to the user. #917
- Removed misleading pluralization in the description of
user.id, it should contain one ID, not many. #801 - Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
- Improved verbiage about the MITRE ATT&CK® framework. #866
- Removed the default
object_type=keywordthat was being applied toobjectfields. This attribute is Beats-specific. It's still supported, but needs to be set explicitly on a case by case basis now. This default being removed affectsdns.answers,log.syslog,network.inner,observer.egress, andobserver.ingress. #871 - Improved attribute
dashed_nameingenerated/ecs/*.ymlto also replace@with-. #871 - Updated several URLs in the documentation with "example.com" domain. #910
- Deprecate guidance to lowercase
http.request.method#840
- Removed field definitions at the root of documents for fieldsets that
had
reusable.top_level:false. This PR affectsecs_flat.yml, the csv file and the sample Elasticsearch templates. #495, #813 - Removed the
orderattribute from theecs_nested.ymlandecs_flat.ymlfiles. #811 - In
ecs_nested.yml, the array of strings that used to be inreusable.expectedhas been replaced by an array of objects with 3 keys: 'as', 'at' and 'full'. #864 - The subset format now requires
nameandfieldskeys at the top level. #873
- Subsets are created after duplicating reusable fields now so subsets can be applied to each reused instance independently. #753
- Quoted the example for
labelsto avoid YAML interpreting it, and having slightly different results in different situations. #782 - Fix incorrect listing of where field sets are nested in asciidoc, when they are nested deep. #784
- Allow beats output to be generated when using
--includeor--subsetflags. #814 - Field parameter
indexis now correctly populated in the Beats field definition file. #824
- Add support for reusing official fieldsets in custom schemas. #751
- Add full path names to reused fieldsets in
nestingsarray inecs_nested.yml. #803 - Allow shorthand notation for including all subfields in subsets. #805
- Add support for Elasticsearch
enabledfield parameter. #824 - Add
refoption to generator allowing schemas to be built for a specific ECS version. #851 - Add
template-settingsandmapping-settingsoptions to allow override of defaults in generated ES templates. #856 - When overriding ECS field sets via the
--includeflag, it's no longer necessary to duplicate the field set's mandatory attributes. The customizations are merged before validation. #864 - Add ability to nest field sets as another name. #864
- Add ability to nest field sets within themselves (e.g.
process=>process.parent). #864 - New attribute
reused_hereis added inecs_nested.yml. It obsoletes the previous attributenestings, and is able to fully capture details of other field sets reused under this one. #864 - When chained reuses are needed (e.g.
group=>user, thenuser=> many places), it's now necessary to force the order with new attributereusable.order. This attribute is otherwise optional. It's currently only needed forgroup. #864 - There's a new representation of ECS at
generated/ecs/ecs.yml, which is a deeply nested representation of the fields. This file is not in git, as it's only meant for developers working on the ECS tools. #864 - Jinja2 templates now define the doc structure for the AsciiDoc generator. #865
- Intermediate
ecs_flat.ymlandecs_nested.ymlfiles are now generated for each individual subset, in addition to the intermediate files generated for the combined subset. #873
- In
ecs_nested.yml, we're deprecating the attributenestings. It will be removed in a future release. The deprecatednestingsattribute was an array of flat field names describing where fields are nested within the field set. This is replaced with the attributereused_here, which is an array of objects. The new format still lists where the fields are nested via the same flat field name, but also specifies additional information about each field reuse. #864
- Added
dll.*fields #679 - Added
related.hashto keep track of all hashes seen on an event. #711 - Added fieldset for PE metadata. #731
- Added
code_signaturefieldset. #733 - Added missing
hashfields atprocess.parent.hash.*. #739 - Added globally unique identifier
entity_idtoprocessandprocess.parent. #747 - Added interface, vlan, observer zone fields #752
- Added
rule.author,rule.licensefields #754 - Added iam value for
event.categoryand three related values forevent.type. #756 - Added fields
event.referenceandevent.urlto hold link to additional event info/actions. #757 - Added
file.mime_typeto include MIME type information on file structures #760 - Added
event.categoryvalue of network and associatedevent.typevalues. #761
- Temporary workaround for Beats templates'
default_fieldgrowing too big. #687 - Identify which fields should contain arrays of values, rather than scalar values. #727, #661
- Clarified examples and definitions regarding vulnerabilities. #758
- Updated definition of
event.outcomebased on community feedback. #759
- ECS scripts now use Python 3.6+. #674
- schema_reader.py now reliably supports chaining reusable fieldsets together. #722
- Allow the artifact generator to consider and output only a subset of fields. #737
- Add support for reusing fields in places other than the top level of the destination fieldset. #739
- Add support for specifying the directory to write the generated files. #748
- Added default
textanalyzer as a multi-field touser_agent.original. #575 - Added
file.attributes. #611 - Added
file.drive_letter. #620 - Added
rulefields. #665 - Added default
textanalyzer as a multi-field to around 25 more fields. #680 - Added
registry.*fieldset for the Windows registry. #673 - Publish initial list of allowed values for the categorization fields (previously reserved)
event.kind,event.category,event.typeandevent.outcome. #684, #691, #692 - Added
related.user#694
- Fix support for multi-fields. #575
- Removed unnecessary field
tls.server.supported_ciphers. #662
- Added
vulnerability.*fields to represent vulnerability information. #581 - Added
event.ingestedas the ingest timestamp. #582 - Added
package.reference. #585 - Added
package.build_version. #586 - Added
package.type. #587 - Added
host.domainfield. #591 - Added
process.command_line. #599 - Added
process.exit_code. #600 - Added fields in
tls.*to support analysis of TLS protocol events. #606 - Added
process.parent.*. #612 - Added
process.args_count. #615
- Changed the order and column names in the csv. #621
- Removed the file
schema.jsonand the code generating it. #627 - Removed the legacy Elasticsearch template. #629
- Note: The good Elasticsearch templates are available in directory
generated/elasticsearch, this PR only removes an obsolete file.
- Note: The good Elasticsearch templates are available in directory
- Added the "Indexed", "Field_Set" and "Description" columns to the csv. #621
- Added
threat.*fields to apply a taxonomy to events and alerts. #505 - Added fields in
log.*to allow for full Syslog mapping. #525 - Added
package.*to installed software packages. #532 - Added
registered_domaintourl,source,destination,client, andserver. #533 - Added
top_level_domainfield tourl,dns.question,source,destination,client, andserver. #542, #572 - Added
group.domainfield. #547 - Added
url.extension. #551, #573 - Added
observer.nameandobserver.product. #557, #571 - Added
dns.question.subdomainfield. #561, #574 - Added
error.stack_tracefield. #562 - Added
log.origin.file.name,log.origin.functionandlog.origin.file.linefields. #563, #568 - Added
service.node.nameto allow distinction between different nodes of the same service running on the same host. #565 - Added
error.typefield. #566
- Added
asfields for Autonomous System information (i.e. ASN). #341 - Added field formats to all
.bytesfields andevent.duration. #385, #425 - Added
hash.*field set. #426 - Added
dns.*field set, to describe DNS traffic. #438 - Added
event.code,event.sequenceandevent.provider. #439 - Added
file.nameandfile.directory. #441 - Added
file.created, andfile.accessed. #445 - Added
process.uptimeandhost.uptimefields. #477 - Added
domainfield to user. #486 - Added
.nat.ipand.nat.porttosource,destination,clientandserver. #491 - Added
process.thread.namefield. #517 - Added
trace.idandtransaction.idfields for tracing across different services. #519 - Added
log.loggerfield. #521
- Added examples and improved definitions of many
filefields. #441 - Changed the
service.iddescription so it works better for clustered services. #502
- Add generated source code for Go. #249
- Translate the documentation from README.md, to the main website. #266, #334, #400, #430, #437
- New generator that supports reusable fields, for files based on ECS. It generates schema.csv, Elasticsearch 6 and 7 templates, and field documentation for the main website. #336
- Generator for the asciidoc rendering of field definitions. #347
- Generator for the Beats fields.ecs.yml file. #379
- Remove many legacy generated files. #399
- Specify static output format for event.duration. #425
- Format port numbers and numeric IDs as strings. #454
- Add example for
process.pidandprocess.ppid. #464, #470
- Remove the
user.groupkeywordfield, introduced in #204. Instead, thegroupfield set can be nested atuser.group. #308
- Field set name "group" was being used as a leaf field at
user.group, instead of being a nesting of the field set. This goes against a driving principle of ECS, and has been corrected. #308 - Replaced incorrect examples in
cloud.provider. #330, #348 - Changed the
url.porttype tolong. #339
- Added pointer in description of
httpfield set tourlfield set. #330 - Added an optional short field description. #330
- Clarified the definition of the host fields #325
- Clarified the difference between
@timestampandevent.created. #329 - Make phrasing of lowercasing directive more relevant, no matter where it's shown. #332
- Specify the
object_typefor fieldlabels. #331 - Loosen up definition of
geofield set. Not necessarily geo-ip based, sincegeo.name. #333 - Clarified guidelines on ID fields. #349
- Changed
device.*fields toobserver.*fields to eliminate user confusion. #238 - Rename
network.total.bytestonetwork.bytesandnetwork.total.packetstonetwork.packets. #179 - Remove
network.inbound.bytes,network.inbound.packets,network.outbound.bytesandnetwork.outbound.packets. #179 - Changed the
event.typedefinition to be only reserved. #242
- Fix obvious mistake in the definition of "source", where it said "destination" instead of "source". #211
- Add
host.namefield and clarify usage ofhost.hostname. #187 - Add
event.startandevent.enddate fields. #185 - Add
process.thread.idfield. #200 - Add
host.namefield and clarify usage ofhost.hostname. - Add
event.startandevent.enddate fields. - Create new
relatedfield set withrelated.ip. #206 - Add
user.groupfield. #204 - Create new
groupfield set withgroup.idandgroup.name. #203 - Add
url.fullfield. #207 - Add
process.executablefield. #209 - Add
process.working_directoryandprocess.start. #215 - Reintroduce
http. #237- Move
http.response.bodytohttp.response.body.content. #239 - Add
http.request.body.content. #239 - Add HTTP size metric fields. #239
- Move
- Add
user.full_namefield. #201 - Add
network.community_idfield. #208 - Add fields
geo.country_nameandgeo.region_iso_code. #214 - Add
event.kindandevent.outcome. #242 - Add
clientandserverobjects and fields. #236 - Reintroduce a streamlined
user_agentfield set. #240, #262 - Add
geo.namefor ad hoc location names. #248 - Add
event.timezoneto allow for proper interpretation of incomplete timestamps. #258 - Add fields
source.address,destination.address,client.address, andserver.address. #247 - Add
os.fullto capture full OS name, including version. #259 - Add generated source code for Go. #249
- Improved the definition of the file fields #196
- Improved the definition of the agent fields #192
- Improve definition of events, logs, and metrics in event section #194
- Improved the definition of network fields in intro section #197
- Improved the definition of host fields #195
- Improved the definitions for
event.categoryandevent.action. #242 - Clarify the semantics of
network.direction. #212 - Add
source.bytes,source.packets,destination.bytesanddestination.packets. #179 - Add a readme section to declare some top level field sets are reserved for future use. #257
- Clarify that
network.transport,network.type,network.application, andnetwork.protocolmust be lowercase. #251 - Clarify that
http.request.methodmust be lowercase. #251 - Clarify that source/destination should be filled, even if client/server is being used. #265
- Change structure of URL. #7
- Rename
url.hrefmulti_field. #18 - Rename
geoip.*togeo. #58 - Rename log.message to log.original. #106
- Rename
event.rawtoevent.original. #107 - Rename
user_agent.rawtouser_agent.originaland make it a keyword. #107 - Rename
file.path.rawtofile.path.keyword,file.target_path.rawtofile.target_path.keyword,url.href.rawtourl.href.keyword,url.path.rawtourl.path.keyword,url.query.rawtourl.query.keyword, andnetwork.name.rawtonetwork.name.keyword. #103 - Remove
log.offsetandlog.lineas too specific for ECS. #131 - Remove top level objects
kubernetesandtls. #132 - Remove
*.timezone.offset.secfields as too specific for ECS at the moment. #134 - Make the following fields keyword: device.vendor, file.path, file.target_path, http.response.body, network.name, organization.name, url.href, url.path, url.query, user_agent.original
- Rename
url.host.nametourl.hostnameto better align with industry convention. #147 - Make the following fields keyword: device.vendor, file.path, file.target_path, http.response.body, network.name, organization.name, url.href, url.path, url.query, user_agent.original. #137
- Only two fields using
textindexing at this time aremessageanderror.message.
- Only two fields using
- Rename
host.nametohost.hostnameto better align with industry convention. #144 - Update definition of
service.typeandservice.name. - Redefine purpose of
agent.namefield to be user defined field. - Rename
url.hreftourl.original. - Remove
source.subdomainanddestination.subdomainfields. - Rename
event.versiontoecs.version. #169 - Remove the
httpfield set temporarily. #171 - Remove the
user_agentfield set temporarily. #172 - Rename
url.hostnametourl.domain. #175 - Remove
source.hostnameanddestination.hostname. #175
- Add
network.total.packetsandnetwork.total.bytesfield. PR#2 - Add
event.actionfield. #21 - Add
network.name, to track network names in the monitoring pipeline. #25 - Adds cloud.account.id for top level organizational level. #11
- Add
http.response.status_codeandhttp.response.bodyfields. #4 - Add fields for Operating System data. #5
- Add
log.message. #3 - Add http.request.method and http.version
- Add
host.os.kernelcontaining the OS kernel version. #60 - Add
agent.typefield. - Add
http.request.referrerfield. #164 - Add
network.type,network.iana_number,network.transportandnetwork.application. #81 and #170
- Remove duplicate definitions of the reuseable
osfield set fromhost.osanduser_agent.os. #168
Initial draft release