diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0e4a5703f9..f5aad7d831 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: '^1.13.1'
+          go-version: '1.15.x'
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
diff --git a/rfcs/text/0012-orchestrator-field-set.md b/rfcs/text/0012-orchestrator-field-set.md
index 207af5c763..5b624a9faa 100644
--- a/rfcs/text/0012-orchestrator-field-set.md
+++ b/rfcs/text/0012-orchestrator-field-set.md
@@ -1,6 +1,6 @@
 # 0012: Orchestrator field set creation
 
-- Stage: **0 (strawperson)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
+- Stage: **1 (draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
 - Date: **2021-01-11** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
 
 There is currently no ECS field set for container orchestration engines. There is an example of an ECS
@@ -19,9 +19,79 @@ add a new schema rather than change existing material.
 
 ## Fields
 
-<!--
-Stage 1: Describe at a high level how this change affects fields. Which fieldsets will be impacted? How many fields overall? Are we primarily adding fields, removing fields, or changing existing fields? The goal here is to understand the fundamental technical implications and likely extent of these changes. ~2-5 sentences.
--->
+The proposed change adds six fields, as described below:
+
+```
+---
+- name: orchestrator
+  title: Orchestrator
+  group: 2
+  short: Fields relevant to container orchestrators.
+  description: >
+    Fields that describe the resources which container orchestrators manage or
+    act upon.
+  type: group
+  fields:
+    - name: cluster
+      level: extended
+      type: object
+      description: >
+        Orchestrator cluster details.
+
+    - name: cluster.name
+      level: extended
+      type: keyword
+      description: >
+        Name of the cluster.
+
+    - name: cluster.url
+      level: extended
+      type: keyword
+      description: >
+        URL of the cluster.
+
+    - name: type
+      level: extended
+      type: keyword
+      example: kubernetes
+      description: >
+        Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
+
+    - name: organization
+      level: extended
+      type: keyword
+      example: elastic
+      description: >
+        Organization affected by the event (for multi-tenant orchestrator setups).
+
+    - name: namespace
+      level: extended
+      type: keyword
+      example: kube-system
+      description: >
+        Namespace in which the action is taking place.
+
+    - name: resource.name
+      level: extended
+      type: keyword
+      example: test-pod-cdcws
+      description: >
+        Name of the resource being acted upon.
+
+    - name: resource.type
+      level: extended
+      type: keyword
+      example: service
+      description: >
+        Type of resource being acted upon.
+
+    - name: api_version
+      level: extended
+      example: v1beta1
+      type: keyword
+      description: >
+        API version being used to carry out the action
+```
 
 <!--
 Stage 2: Include new or updated yml field definitions for all of the essential fields in this draft. While not exhaustive, the fields documented here should be comprehensive enough to deeply evaluate the technical considerations of this change. The goal here is to validate the technical details for all essential fields and to provide a basis for adding experimental field definitions to the schema. Use GitHub code blocks with yml syntax formatting.
@@ -33,15 +103,99 @@ Stage 3: Add or update all remaining field definitions. The list should now be e
 
 ## Usage
 
-<!--
-Stage 1: Describe at a high-level how these field changes will be used in practice. Real world examples are encouraged. The goal here is to understand how people would leverage these fields to gain insights or solve problems. ~1-3 paragraphs.
--->
+The `orchestrator` field set will be used to capture typical concepts employed
+by container orchestrators to manage resources. The key intent of this is to create
+a consistent method by which audit logs from container orchestrators can
+be compared. For example, this would allow the creation of open source detection
+rulesets for suspicious Kubernetes events based on audit logs, which can be easily
+transferred from one cluster to another without depending on the specifics of
+parsing implementations.
+
+This might also have use in performance and monitoring tooling which exists around
+container orchestrators, allowing for the definition of shareable dashboards and
+alert definitions.
 
 ## Source data
 
-<!--
-Stage 1: Provide a high-level description of example sources of data. This does not yet need to be a concrete example of a source document, but instead can simply describe a potential source (e.g. nginx access log). This will ultimately be fleshed out to include literal source examples in a future stage. The goal here is to identify practical sources for these fields in the real world. ~1-3 sentences or unordered list.
--->
+Examples of source data include:
+
+- [Kubernetes audit logs][1]
+- [Kubernetes node logs][2]
+- [HashiCorp Nomad audit logs][3]
+- [Falco alert logs][4]
+
+### Kubernetes audit log
+
+```json
+{
+  "_index": "filebeat-7.7.0-2020.12.31-000001",
+  "_type": "_doc",
+  "_id": "KbmPuXYBaTdcl42uyGfl",
+  "_version": 1,
+  "_score": null,
+  "_source": {
+    "@timestamp": "2020-12-31T16:09:35.735Z",
+    "log": {
+      "offset": 7248566,
+      "file": {
+        "path": "/tmp/host-logs/kube-apiserver-audit.log"
+      }
+    },
+    "cloud.provider": "gcp",
+    "event.action": "create",
+    "orchestrator.cluster": {
+        "name": "test-dev",
+    },
+    "orchestrator.type": "kubernetes",
+    "orchestrator.subresource": "attach",
+    "orchestrator.resource.type": "pod",
+    "orchestrator.namespace": "default",
+    "orchestrator.resource.name": "test",
+    "orchestrator.api_version": "v1",
+    "user.name": "system:serviceaccount:test"
+  }
+}
+```
+
+### Hashicorp Nomad audit log
+
+```json
+{
+  "created_at": "2020-03-24T13:09:35.704224536-04:00",
+  "event_type": "audit",
+  "orchestrator.api_version": "v1",
+  "orchestrator.namespace": "default",
+  "orchestrator.resource.type": "nodes",
+  "orchestrator.type": "nomad",
+  "payload": {
+    "id": "8b826146-b264-af15-6526-29cb905145aa",
+    "stage": "OperationComplete",
+    "type": "audit",
+    "timestamp": "2020-03-24T13:09:35.703865005-04:00",
+    "version": 1,
+    "auth": {
+      "accessor_id": "a162f017-bcf7-900c-e22a-a2a8cbbcef53",
+      "name": "Bootstrap Token",
+      "global": true,
+      "create_time": "2020-03-24T17:08:35.086591881Z"
+    },
+    "request": {
+      "id": "02f0ac35-c7e8-0871-5a58-ee9dbc0a70ea",
+      "event.action": "GET",
+      "request_meta": {
+        "remote_address": "127.0.0.1:33648",
+        "user_agent": "Go-http-client/1.1"
+      },
+      "node_meta": {
+        "ip": "127.0.0.1:4646"
+      }
+    },
+    "response": {
+      "status_code": 200
+    }
+  }
+}
+```
 
 <!--
 Stage 2: Included a real world example source document. Ideally this example comes from the source(s) identified in stage 1. If not, it should replace them. The goal here is to validate the utility of these field changes in the context of a real world example. Format with the source name as a ### header and the example document in a GitHub code block with json formatting.
@@ -63,9 +217,18 @@ The goal here is to research and understand the impact of these changes on users
 
 ## Concerns
 
-<!--
-Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake.
--->
+### Kubernetes-specific logic
+
+The key concern here is the dominance of one particular container orchestration
+system - Kubernetes - over the rest of the ecosystem. Other orchestrators include
+options like HashiCorp Nomad, Docker Swarm, and Apache Mesos, but it is unclear to
+what extent the alternatives share the same logical primitives as Kubernetes. An
+attempt has been made to ensure that the proposed field set is as generic and flexible 
+as possible, however it would be useful to consider in some detail whether the
+preference is to keep the field set as generic as possible, or large enough to 
+cover all the logical primitives of popular orchestrators. Input from contributors
+who have experience with the various alternative orchestration providers would be
+particularly valuable.
 
 <!--
 Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns.
@@ -101,6 +264,7 @@ The following are the people that consulted on the contents of this RFC.
 <!-- An RFC should link to the PRs for each of it stage advancements. -->
 
 * Stage 0: https://github.com/elastic/ecs/pull/1209
+* Stage 1: https://github.com/elastic/ecs/pull/1230
 
 <!--
 * Stage 1: https://github.com/elastic/ecs/pull/NNN
@@ -109,3 +273,6 @@ The following are the people that consulted on the contents of this RFC.
 
 [0]: https://github.com/elastic/ecs/blob/master/use-cases/kubernetes.yml
 [1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
+[2]: https://kubernetes.io/docs/concepts/cluster-administration/logging/#logging-at-the-node-level
+[3]: https://www.hashicorp.com/blog/hashicorp-nomad-enterprise-audit-logging
+[4]: https://falco.org/docs/alerts/#file-output