Releases: elastic/ecs

ECS 8.11.0

07 Nov 20:27
ce703ab

Schema Changes

Bugfixes

  • Remove expected_values from threat.*.indicator.name fields. #2281

Tooling and Artifact Changes

Bugfixes

  • Respect reusable.top_level in Beats generator #2278

ECS 8.10.0

12 Sep 19:50
43a1a61

ECS 8.10.0

Schema Changes

Added

  • Added container.security_context.privileged to indicate whether a container was started in privileged mode. #2219, #2225, #2246
  • Added process.thread.capabilities.permitted to contain the current thread's possible capabilities. #2245
  • Added process.thread.capabilities.effective to contain the current thread's effective capabilities. #2245

Improvements

  • Permit ignore_above if explicitly set on a flattened field. #2248

Tooling and Artifact Changes

Improvements

  • Improved documentation formatting to better follow the contributing guide. #2226
  • Bump gitpython dependency from 3.1.30 to 3.1.35 for security fixes. #2251, #2264, #2265

ECS 8.9.0

26 Jul 18:17
f816f2a

8.9.0

Schema Changes

Bugfixes

Added

  • Added process.vpid for namespaced process ids. #2211

Improvements

Deprecated

  • Removed faas.trigger: nested since we only have one trigger. #2194

ECS 8.8.0

25 May 18:54
969aeba

ECS 8.8.0

Schema Changes

Added

  • Add access as an allowed type for event.type: file. #2174
  • Add orchestrator.resource.annotation and orchestrator.resource.label. #2181
  • Add event.kind: asset as a beta category. #2191

Tooling and Artifact Changes

Added

  • Add parameters property for field definitions, to provide any mapping parameter. #2084

ECS 8.7.0

30 Mar 13:20
7a56b30

Schema Changes

Bugfixes

  • remove duplicated client.domain definition #2120

Added

  • adding name field to threat.indicator #2121
  • adding api option to event.category #2147
  • adding library option to event.category #2154

Improvements

  • description for host.name definition updated to encourage use of FQDN #2122

Tooling and Artifact Changes

Improvements

  • Updated usage docs to include threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
  • Bump gitpython from 3.1.27 to 3.1.30 in /scripts. #2139

ECS 8.7.0-rc1

08 Feb 15:05
ad9672f
Pre-release

Schema Changes

Bugfixes

  • remove duplicated client.domain definition #2120

Added

  • adding name field to threat.indicator #2121
  • adding api option to event.category #2147
  • adding library option to event.category #2154

Improvements

  • description for host.name definition updated to encourage use of FQDN #2122

Tooling and Artifact Changes

Improvements

  • Updated usage docs to include threat.indicator.url.domain and changed indicator.marking.tlp and indicator.enrichments.marking.tlp from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
  • Bump gitpython from 3.1.27 to 3.1.30 in /scripts. #2139

ECS 8.6.1

06 Feb 13:46
5f217d4

What's new in ECS 8.5.1

Schema Changes

Bugfixes

  • Fixing tlp_version and tlp field for threat. #2156

ECS 8.6.0

10 Jan 16:26
7a4148f

8.6.0 RELEASE

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ECS 8.6.0-rc1

21 Nov 11:25
a9e19ed

Schema Changes

Added

  • Adding vulnerability option for event.category. #2029
  • Added device.* field set as beta. #2030
  • Added tlp.version to threat #2074
  • Added fields for executable object format metadata for ELF, Mach-O and PE #2083

Improvements

  • Added CLEAR and AMBER+STRICT as valid values for threat.indicator.marking.tlp and enrichments.indicator.marking.tlp to accept new TLP 2.0 markings #2022, #2074

ECS 8.5.2

08 Nov 19:32
8ebaa13

What's new in ECS 8.5.2

Schema Changes

Bugfixes

  • Fixes invalid number type on 4 process.io subfields. #2105