Extend entity schema with relationship and risk

[uri-weisman]

1. What does this PR do?

• Adds a new entity.relationship field (beta) to track relationship attributes (already part of entity store schema as of 9.2)
• Enables risk fields to be nested under entity schema (adds entity to risk schema's reusable expected locations)

2. Which ECS fields are affected/introduced?

Change type to entity.source to become an array, to be able to hold multiple data sources that construct an entity.

New fields:

• entity.relationship (extended, object, beta) - A set of relationship attributes that can vary between entity types. Similar to entity.attributes, this field uses object type to allow flexible schema definitions.

Field reuse enabled:

• entity.risk.* - Risk fields can now be nested under entity (e.g., entity.risk.calculated_score, entity.risk.calculated_level, etc.)

Purpose:

• entity.relationship enables tracking relationship characteristics of entities for advanced searching and correlation across different providers/sources and entity types
• entity.risk.* allows risk scoring for any entity type, not just hosts and users

3. Why is this change necessary?

Entity relationship field:

• Enables better entity correlation and relationship tracking in security and observability use cases
• Already part of the entity store schema.
• We plan to extract relationship data from relevant integration logs, some might be inferred by entity analytics.

Entity risk field reuse:

• Already part of the schema.

4. Have you added/updated documentation?

YES

5. Have you built ECS and committed any newly generated files?

YES

6. Have you run the ECS validation tests locally?

YES

7. Anything else for the reviewers?

• https://github.com/elastic/security-team/issues/15021

Commit Message

Add entity.relationship field and enable risk field reuse for entity

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[github-actions]

Documentation changes preview: https://docs-v3-preview.elastic.dev/elastic/ecs/pull/2577/reference/

[github-actions]

🔍 Preview links for changed docs

• docs/reference/ecs-entity.md
• docs/reference/ecs-otel-alignment-overview.md
• docs/reference/ecs-risk.md

[trisch-me]

can you add examples?

[trisch-me]

how this field should be used for external user? It’s not clear what is inside. is it any object or there is some structure.

[uri-weisman]

Hey! I've added an example. let me know if it's clear enough.

[trisch-me]

I think we could try to improve it and provide different options inside relationship, there are for sure more than just owns?.

Is it actually relationship or relationships?

Also how we capture multiple devices?

For this kind of changes I propose to follow ECS RFC process and first create a straw project where all these discussions are happening including events/logs examples and after defined names and types next step with implementation should follow

[trisch-me]

how this work if entity is of type of host? Will be there doubled information for risk?

[uri-weisman]

Even though host and user have risk scores, we decided at the offsite to only update entity.risk and stay agnostic to entity type.
We won’t keep risk data in two places, it’ll live only under entity.*.

[github-actions]

Hi!

We just realized that we haven't looked into this PR in a while. We're
sorry!

We're labeling this PR as Stale to make it hit our filters and
make sure we get back to it as soon as possible. In the meantime, it'd
be extremely helpful if you could take a look at it as well and confirm its
relevance. A simple comment with a nice emoji will be enough :+1.

If there is no activity on this PR within the next 2 weeks, it will be
automatically closed.

Thank you for your contribution!