diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md
index 951777bfd..88f0125c2 100644
--- a/docs/reference/ecs-entity.md
+++ b/docs/reference/ecs-entity.md
@@ -25,7 +25,8 @@ The entity fields provide a standardized way to represent and categorize differe
| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.
type: keyword
Multi-fields:
* entity.name.text (type: match_only_text) | core |
| $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.
type: object | extended |
| $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.
type: keyword | extended |
-| $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).
type: keyword | core |
+| $$$field-entity-relationship$$$ [entity.relationship](#field-entity-relationship) | _This field is beta and subject to change._ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.
For example, `entity.relationship.owns` can describe that a user owns a device (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).
type: object | extended |
+| $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that supplied the data for this entity (similar to event.module). Because an entity can be built from more than one source (e.g., multiple logs or integrations), this field is an array: use one entry per source.
type: keyword
Note: This field should contain an array of values. | core |
| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.
type: keyword
example: `aws_s3_bucket` | extended |
| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.
type: keyword
Note: This field should contain an array of values.
**Important:** The field value must be one of the following:
bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator
To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core |
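Review bot: the new `entity.relationship` row declares `type: object` and gives `entity.relationship.owns` as its only example, but nothing in the row says whether `owns` is a keyword, whether it is normalized as an array (one user owning several hosts is the common case, and `entity.source` and `entity.type` in this same table do carry an explicit array note), or which relationship names besides `owns` are expected; suggest stating that sub-field values are `entity.id` values in array form and either listing the agreed relationship names or saying plainly that the set is provider-defined. Two smaller points in the same hunk: the example value `"macbook-pro-xxxx"` reads like a hostname rather than an `entity.id`, which works against the parenthetical right after it, and the `entity.source` change from a single keyword to an array is a normalization change for anyone already consuming the beta field, which the row could call out. Pre-existing typo in the untouched context line for `entity.name`: `this field should mirrors` should read `this field should mirror`.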
@@ -47,4 +48,5 @@ Note also that the `entity` fields may be used directly at the root of the event
| Location | Field Set | Description |
| --- | --- | --- |
+| `entity.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. |
| `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. |
diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md
index 970ae81bf..37f4346b3 100644
--- a/docs/reference/ecs-otel-alignment-overview.md
+++ b/docs/reference/ecs-otel-alignment-overview.md
@@ -47,7 +47,7 @@ The following table summarizes the alignment status by namespaces between ECS in
| ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · |
| Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · |
| End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | |
-| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · |
+| Entity | [14](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · |
| Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · |
| Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · |
| Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | |
diff --git a/docs/reference/ecs-risk.md b/docs/reference/ecs-risk.md
index fdd65ad54..1ba63bbf5 100644
--- a/docs/reference/ecs-risk.md
+++ b/docs/reference/ecs-risk.md
@@ -30,6 +30,7 @@ These fields are in beta and are subject to change.
The `risk` fields are expected to be nested at:
+* `entity.risk`
* `host.risk`
* `user.risk`
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 635bf839c..6c69eeae5 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -600,12 +600,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
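Review bot: `entity.relationship` is emitted here as `type: object` with no sub-fields and no `object_type`, so in the generated Beats template the value of `entity.relationship.owns` is left to Elasticsearch dynamic mapping at index time, which for a string produces `text` with a `.keyword` multi-field rather than the plain `keyword` that the description's filtering and correlation use case needs. Suggest declaring `owns` (and any other agreed relationship names) as `keyword` sub-fields in the schema, or setting `object_type: keyword` the way `labels` is handled, so the mapping is deterministic. The same applies to every `*.entity.relationship` block further down, since they are all generated from the same schema entry; note also that the copied description keeps saying `entity.relationship.owns` inside the `origin.entity.*`, `target.entity.*`, `changes.entity.*` and `effective.entity.*` nestings, which is expected for generated text but reads oddly if a consumer looks at one nesting in isolation.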
@@ -765,12 +779,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: origin.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: origin.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: origin.entity.sub_type
level: extended
@@ -1019,12 +1047,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
@@ -2537,12 +2579,72 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
+ - name: risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: sub_type
level: extended
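Review bot: the six `risk.*` fields added under the `entity` field set reuse the host/user risk descriptions and examples (`880.73` / `88.73`, `830.0` / `83.0`), but the generated text gives no guidance on which of `calculated_*` and `static_*` a consumer should prefer when both are populated for one entity, nor that `calculated_score_norm` and `static_score_norm` are the only values with a bounded 0 to 100 range and therefore the only ones safe to compare across entity types; that guidance belongs in ecs-risk.md, which this diff only touches to add `entity.risk` to the nesting list. Also, `calculated_level` and `static_level` are free-form `keyword` fields with example `High`; if a fixed vocabulary is intended, the schema should say so, as it does for `entity.type`.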
@@ -2645,12 +2747,72 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
+ - name: target.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: target.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: target.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: target.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: target.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: target.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: target.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.sub_type
level: extended
@@ -4510,12 +4672,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -4935,12 +5111,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
@@ -6146,12 +6336,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -10097,12 +10301,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -10330,12 +10548,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: origin.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: origin.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: origin.entity.sub_type
level: extended
@@ -10600,12 +10832,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
@@ -15287,12 +15533,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: changes.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: changes.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: changes.entity.sub_type
level: extended
@@ -15539,12 +15799,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: effective.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: effective.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: effective.entity.sub_type
level: extended
@@ -15775,12 +16049,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -16015,12 +16303,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 1bc042157..de1a13ac6 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -69,7 +69,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,cloud,cloud.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,cloud,cloud.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,cloud,cloud.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
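Review bot: the `cloud.entity.source` row now carries `array` in the Normalization column, which matches the new note on the reference page, but its short description still reads `Source module or integration that provided the entity data.` while the long description in this same change was reworded to `supplied the data for this entity` and gained the array rationale; if the schema's `short:` was deliberately left alone that is fine, otherwise update it in the same change so the CSV and the reference page agree. The same applies to the `origin` and `target` nestings in the next two hunks, which are generated from the same entry.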
@@ -90,7 +91,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,cloud,cloud.origin.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,cloud,cloud.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,cloud,cloud.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
@@ -121,7 +123,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,cloud,cloud.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,cloud,cloud.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
@@ -302,7 +305,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,entity,entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,entity,entity.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev+exp,true,entity,entity.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev+exp,true,entity,entity.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.4.0-dev+exp,true,entity,entity.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev+exp,true,entity,entity.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev+exp,true,entity,entity.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.4.0-dev+exp,true,entity,entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
9.4.0-dev+exp,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
@@ -316,7 +326,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,entity,entity.target.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,entity,entity.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev+exp,true,entity,entity.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev+exp,true,entity,entity.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.4.0-dev+exp,true,entity,entity.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev+exp,true,entity,entity.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev+exp,true,entity,entity.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.4.0-dev+exp,true,entity,entity.target.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
@@ -552,7 +569,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,host,host.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,host,host.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
@@ -609,7 +627,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,host,host.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,host,host.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name.
@@ -761,7 +780,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,orchestrator,orchestrator.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,orchestrator,orchestrator.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,orchestrator,orchestrator.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
@@ -1292,7 +1312,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,service,service.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,service,service.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,service,service.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,service,service.environment,keyword,extended,,production,Environment of the service.
@@ -1315,7 +1336,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,service,service.origin.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,service,service.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,service,service.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
@@ -1342,7 +1364,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,service,service.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,service,service.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,service,service.target.environment,keyword,extended,,production,Environment of the service.
@@ -1954,7 +1977,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,user,user.changes.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,user,user.changes.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,user,user.changes.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
@@ -1988,7 +2012,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,user,user.effective.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,user,user.effective.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,user,user.effective.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
@@ -2020,7 +2045,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,user,user.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,user,user.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,user,user.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
@@ -2053,7 +2079,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev+exp,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev+exp,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev+exp,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev+exp,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev+exp,true,user,user.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev+exp,true,user,user.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev+exp,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev+exp,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev+exp,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index c208cb7bb..e9b66a437 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -847,16 +847,36 @@ cloud.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+cloud.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: cloud.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
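Review bot: The relationship description (the `For example, \`entity.relationship.owns\`` paragraph) states that the value should be the entity.id of the owned entity but gives no cardinality: a user commonly owns more than one device, so say whether keys such as `owns` hold a single id or an array of ids, because `normalize: []` on the parent object and the undefined sub-keys leave implementers to guess. Minor: with `cloud.entity.source` now normalized to `array`, the unchanged `short: Source module or integration that provided the entity data.` still reads as singular; consider `Source modules or integrations that provided the entity data.`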
@@ -1180,16 +1200,36 @@ cloud.origin.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+cloud.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: cloud.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -1659,16 +1699,36 @@ cloud.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+cloud.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: cloud.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -4075,16 +4135,115 @@ entity.reference:
normalize: []
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+entity.risk.calculated_level:
+ dashed_name: entity-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+entity.risk.calculated_score:
+ dashed_name: entity-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+entity.risk.calculated_score_norm:
+ dashed_name: entity-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: entity.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+entity.risk.static_level:
+ dashed_name: entity-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+entity.risk.static_score:
+ dashed_name: entity-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+entity.risk.static_score_norm:
+ dashed_name: entity-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.source:
beta: This field is beta and subject to change.
dashed_name: entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
short: Source module or integration that provided the entity data.
type: keyword
entity.sub_type:
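Review bot: The six new `entity.risk.*` entries carry no `beta: This field is beta and subject to change.` line, while `entity.relationship` and `entity.source` in the same hunk do; since the rest of the `entity` field set is marked beta, either add the beta marker to the nested risk fields or state why the reuse of the `risk` field set is exempt. Also, `entity.risk.static_score_norm` has `short: A normalized risk score calculated by an external system.` while its description says the score is `obtained from outside the system`; align the wording (for example `obtained from an external system`).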
@@ -4254,16 +4413,116 @@ entity.target.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+entity.target.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.target.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+entity.target.risk.calculated_level:
+ dashed_name: entity-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+entity.target.risk.calculated_score:
+ dashed_name: entity-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+entity.target.risk.calculated_score_norm:
+ dashed_name: entity-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: entity.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+entity.target.risk.static_level:
+ dashed_name: entity-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+entity.target.risk.static_score:
+ dashed_name: entity-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+entity.target.risk.static_score_norm:
+ dashed_name: entity-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.target.source:
beta: This field is beta and subject to change.
dashed_name: entity-target-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: entity.target.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
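Review bot: the six new `entity.target.risk.*` fields in this hunk carry no `beta:` marker, while `entity.target.relationship` at the top of the hunk and `entity.target.source` at the bottom are both tagged `beta: This field is beta and subject to change.`; if the risk reuse under `entity` is meant to be beta like the rest of the entity field set, add the same `beta:` line to each risk field, otherwise leave a comment in the schema source saying why it is GA. Separately, `entity.target.source` now has `normalize: - array`, but its `short:` still reads "Source module or integration that provided the entity data." in the singular; reword it along the lines of "Source module(s) or integration(s) that provided the entity data." so the one-line summary matches the new array semantics, and flag the scalar-to-array change for consumers (rule queries, visualizations) that compare `entity.source` as a single value.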
@@ -7959,16 +8218,36 @@ host.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+host.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: host.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
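Review bot: the example in the `host.entity.relationship` description contradicts its own guidance: it says the value "should be the entity.id of the owned entity", yet the illustrated value `"macbook-pro-xxxx"` reads like a host name rather than an id; use an obviously id-shaped placeholder, or show the host's `entity.id` next to the matching `entity.relationship.owns` value so readers copy the right thing. Also, `entity.relationship.owns` is the only key the text names, but it is not defined as a sub-field anywhere in this diff and the parent is `type: object` with `normalize: []`, so whether `owns` is indexed, and whether it can hold several device ids for one user, is left to dynamic mapping rather than to the schema; either define `owns` (and any other planned keys) explicitly as `keyword` with `normalize: - array`, or state in the description that keys under `relationship` are free-form.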
@@ -8773,16 +9052,36 @@ host.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+host.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: host.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -10847,16 +11146,36 @@ orchestrator.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+orchestrator.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: orchestrator.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
orchestrator.entity.source:
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: orchestrator.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -17327,16 +17646,36 @@ service.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+service.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: service.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -17747,16 +18086,36 @@ service.origin.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+service.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: service.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -18216,16 +18575,36 @@ service.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+service.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: service.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -26179,16 +26558,36 @@ user.changes.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.changes.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.changes.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.changes.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.changes.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -26662,16 +27061,36 @@ user.effective.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.effective.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.effective.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.effective.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.effective.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -27122,16 +27541,36 @@ user.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -27603,16 +28042,36 @@ user.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index f8bed202f..ca2690d3f 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1051,16 +1051,37 @@ cloud:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ cloud.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: cloud.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
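Review bot: the description generated under `cloud.entity.relationship` keeps the root path `entity.relationship.owns` in its example and recommends a user-owns-host relationship, which does not fit a `cloud` reuse of the field set; since this text is produced from the `entity` fieldset source, make the source example generic (for instance "a key such as `owns` whose value is the `entity.id` of the related entity") so the same wording reads correctly at every reuse location in this file.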
@@ -1390,16 +1411,37 @@ cloud:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ cloud.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: cloud.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -1875,16 +1917,37 @@ cloud:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ cloud.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: cloud.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -5106,16 +5169,116 @@ entity:
normalize: []
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+ entity.risk.calculated_level:
+ dashed_name: entity-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ entity.risk.calculated_score:
+ dashed_name: entity-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ entity.risk.calculated_score_norm:
+ dashed_name: entity-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: entity.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ entity.risk.static_level:
+ dashed_name: entity-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ entity.risk.static_score:
+ dashed_name: entity-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ entity.risk.static_score_norm:
+ dashed_name: entity-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.source:
beta: This field is beta and subject to change.
dashed_name: entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
short: Source module or integration that provided the entity data.
type: keyword
entity.sub_type:
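Review bot: `entity.risk.static_score_norm` has `short: A normalized risk score calculated by an external system.` while its `description` says the score is "obtained from outside the system, such as from some external Threat Intelligence Platform"; align the short with the description (e.g. "A normalized risk score obtained from an external system.") so the calculated-versus-static distinction the two field pairs depend on is preserved in the one-line summaries. The same hunk also adds `entity.relationship` and changes `entity.source` to `normalize: - array` with a `beta:` marker on both, but none of the `entity.risk.*` fields carry `beta:`; confirm that difference is intended.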
@@ -5288,16 +5451,117 @@ entity:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ entity.target.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.target.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+ entity.target.risk.calculated_level:
+ dashed_name: entity-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ entity.target.risk.calculated_score:
+ dashed_name: entity-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ entity.target.risk.calculated_score_norm:
+ dashed_name: entity-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: entity.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ entity.target.risk.static_level:
+ dashed_name: entity-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ entity.target.risk.static_score:
+ dashed_name: entity-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ entity.target.risk.static_score_norm:
+ dashed_name: entity-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.target.source:
beta: This field is beta and subject to change.
dashed_name: entity-target-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: entity.target.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
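Review bot: changing `entity.target.source` from `normalize: []` to `normalize: - array` on a `level: core` field is a breaking change for any pipeline or query that currently treats the value as a single keyword, so it needs an explicit changelog entry; in the same hunk the `short` line ("Source module or integration that provided the entity data.") still describes one value while the new description says "use one entry per source", so please update the short text to match. Also, `entity.target.risk.static_score_norm` has `short: A normalized risk score calculated by an external system.` while its description says the score is "obtained from outside the system"; pick one wording so the generated docs do not contradict themselves.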
@@ -5488,6 +5752,7 @@ entity:
group: 2
name: entity
nestings:
+ - entity.risk
- entity.target
prefix: entity.
reusable:
@@ -5513,6 +5778,9 @@ entity:
short_override: Targeted entity of action taken.
top_level: true
reused_here:
+ - full: entity.risk
+ schema_name: risk
+ short: Fields for describing risk score and level.
- full: entity.target
schema_name: entity
short: Targeted entity of action taken.
@@ -9530,16 +9798,37 @@ host:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ host.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: host.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
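Review bot: the description copied onto `host.entity.relationship` keeps the example `entity.relationship.owns: "macbook-pro-xxxx"`, which does not match this field's `flat_name: host.entity.relationship`, so the host reference page will show a path that does not exist under `host`. Since this file is generated, the fix belongs in the source schema: phrase the example relative to the field (e.g. "the `owns` subfield of this field set, holding the `entity.id` of the owned entity") or state that the example uses the top-level `entity.*` path. The identical copy appears at every reuse location in this diff (`host.target.entity`, `orchestrator.entity`, `service.*.entity`, `user.*.entity`).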
@@ -10352,16 +10641,37 @@ host:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ host.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: host.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -12797,16 +13107,37 @@ orchestrator:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ orchestrator.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: orchestrator.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
orchestrator.entity.source:
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: orchestrator.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -19322,6 +19653,9 @@ risk:
- as: risk
at: user
full: user.risk
+ - as: risk
+ at: entity
+ full: entity.risk
top_level: false
short: Fields for describing risk score and level.
title: Risk information
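Review bot: adding `- as: risk / at: entity / full: entity.risk` next to the existing `user.risk` reuses `risk` under a fieldset that is itself reused (`entity` at `entity.target` and inside `host`, `user`, `service`, `orchestrator`); the first hunk in this diff shows `entity.target.risk.*` being materialized, but the `host`, `user` and `service` component hunks below add only `relationship`, not `risk`. Please confirm which nested locations are intended and document them, since `top_level: false` means `risk` exists only where it is reused.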
@@ -20145,16 +20479,37 @@ service:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ service.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: service.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -20573,16 +20928,37 @@ service:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ service.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: service.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -21050,16 +21426,37 @@ service:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ service.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: service.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -29252,16 +29649,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.changes.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.changes.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.changes.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.changes.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -29741,16 +30159,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.effective.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.effective.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.effective.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.effective.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -30207,16 +30646,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -30694,16 +31154,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json
index f2ae9c8ce..f94473d44 100644
--- a/experimental/generated/elasticsearch/composable/component/cloud.json
+++ b/experimental/generated/elasticsearch/composable/component/cloud.json
@@ -70,6 +70,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -168,6 +171,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -324,6 +330,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json
index 0d77c8e5d..9a9bbc531 100644
--- a/experimental/generated/elasticsearch/composable/component/entity.json
+++ b/experimental/generated/elasticsearch/composable/component/entity.json
@@ -52,6 +52,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -106,6 +133,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json
index 39acc1c54..c5b2e61f6 100644
--- a/experimental/generated/elasticsearch/composable/component/host.json
+++ b/experimental/generated/elasticsearch/composable/component/host.json
@@ -96,6 +96,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -361,6 +364,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json
index 490e0a11b..447e5f2f3 100644
--- a/experimental/generated/elasticsearch/composable/component/orchestrator.json
+++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json
@@ -78,6 +78,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json
index 29b24518a..deed804d2 100644
--- a/experimental/generated/elasticsearch/composable/component/service.json
+++ b/experimental/generated/elasticsearch/composable/component/service.json
@@ -58,6 +58,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -157,6 +160,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -274,6 +280,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json
index f62c5d37c..f758302e2 100644
--- a/experimental/generated/elasticsearch/composable/component/user.json
+++ b/experimental/generated/elasticsearch/composable/component/user.json
@@ -64,6 +64,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -211,6 +214,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -348,6 +354,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -489,6 +498,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index 41aeb6a8b..75ddf819c 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -336,6 +336,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -434,6 +437,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -590,6 +596,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -1472,6 +1481,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -1526,6 +1562,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -2534,6 +2597,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -2799,6 +2865,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -3514,6 +3583,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -5883,6 +5955,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -5982,6 +6057,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -6099,6 +6177,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -8750,6 +8831,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -8897,6 +8981,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -9034,6 +9121,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -9175,6 +9265,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 29eed273a..6f1290668 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -550,12 +550,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -715,12 +729,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: origin.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: origin.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: origin.entity.sub_type
level: extended
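Review bot: the description copied into `origin.entity.relationship` still names the path as `entity.relationship.owns`, which is wrong at this nested location (it would be `origin.entity.relationship.owns`); the same text is reused verbatim under `target.entity.relationship`, `changes.entity.relationship` and `effective.entity.relationship` later in this patch. Suggest rewording the example to be path-neutral, e.g. "the `owns` key of this field set can describe that a user owns a device (host)", so the reused description stays correct wherever the field set is nested.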
@@ -969,12 +997,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
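Review bot: the new `target.entity.source` description states the field "is an array: use one entry per source", but the visible definition carries only `type: keyword` and `ignore_above: 1024`; this generated file does not show normalization, so confirm the schema change behind it includes the array normalization (the `generated/csv/fields.csv` hunks in this patch do show `array` in the Normalization column for every `*.entity.source`, so it appears to be present). A short inline illustration of a multi-valued entry, with constructed names such as `["crowdstrike", "okta"]`, would make the contract concrete and discourage producers from joining several sources into one string.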
@@ -2487,12 +2529,72 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
+ - name: risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: sub_type
level: extended
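Review bot: `risk.calculated_score_norm` and `risk.static_score_norm` promise a range of 0 to 100, but `type: float` cannot enforce it and nothing says what a consumer should do with out-of-range values; suggest stating that producers must scale or clamp before indexing, that the `_norm` fields are the ones intended for cross-source comparison, and that `calculated_score`/`static_score` keep the producer's native scale (the examples 880.73 vs 88.73 hint at a divide-by-10 that is never stated as a rule). `risk.calculated_level` and `risk.static_level` are likewise free-form keywords with only `High` as an example; listing the expected vocabulary, or pointing to where it is defined, would stop different providers from inventing incompatible level names that break detection rules keyed on them.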
@@ -2595,12 +2697,72 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
+ - name: target.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: target.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: target.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: target.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: target.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: target.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: target.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.sub_type
level: extended
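Review bot: `target.risk.*` duplicates the `risk.*` block word for word, example values included, so in generated docs `target.risk.static_score` and `risk.static_score` read identically and nothing says whose risk is being described. Suggest adding "of the target entity" to each `target.risk.*` description (and, symmetrically, "of this entity" to the top-level ones) so an analyst reading an event with both populated can tell which score belongs to which side.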
@@ -4460,12 +4622,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -4885,12 +5061,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
@@ -6096,12 +6286,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -10047,12 +10251,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -10280,12 +10498,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: origin.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: origin.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: origin.entity.sub_type
level: extended
@@ -10550,12 +10782,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
@@ -15237,12 +15483,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: changes.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: changes.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: changes.entity.sub_type
level: extended
@@ -15489,12 +15749,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: effective.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: effective.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: effective.entity.sub_type
level: extended
@@ -15725,12 +15999,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: entity.sub_type
level: extended
@@ -15965,12 +16253,26 @@
in its source system. This could be an API endpoint, web console URL, or other
addressable location. Format may vary by entity type and source system.
default_field: false
+ - name: target.entity.relationship
+ level: extended
+ type: object
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ default_field: false
- name: target.entity.source
level: core
type: keyword
ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
default_field: false
- name: target.entity.sub_type
level: extended
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 7a9f02c2c..bdf18303e 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -62,7 +62,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,cloud,cloud.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,cloud,cloud.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,cloud,cloud.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
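Review bot: the risk fields are absent from the `cloud.entity` reuse here, whereas the `entity` and `entity.target` hunks below add `risk.calculated_level`, `risk.calculated_score`, `risk.calculated_score_norm`, `risk.static_level`, `risk.static_score` and `risk.static_score_norm`; the same asymmetry holds for `host.entity`, `orchestrator.entity` and `service.entity` further down. If risk scoring is intentionally limited to the top-level `entity` (and `entity.target`), say so in the `entity.risk.*` descriptions; if not, the reuse definitions need the risk fields too, because as written a consumer cannot tell whether `host.entity.risk.calculated_score` is ever expected to exist.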
@@ -83,7 +84,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,cloud,cloud.origin.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,cloud,cloud.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,cloud,cloud.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
@@ -114,7 +116,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,cloud,cloud.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,cloud,cloud.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,cloud,cloud.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,cloud,cloud.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
@@ -295,7 +298,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,entity,entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,entity,entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,entity,entity.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev,true,entity,entity.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev,true,entity,entity.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.4.0-dev,true,entity,entity.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev,true,entity,entity.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev,true,entity,entity.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.4.0-dev,true,entity,entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
9.4.0-dev,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
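Review bot: the short descriptions for the two `_norm` fields diverge from their full descriptions: `entity.risk.calculated_score_norm` drops the "0 to 100" range, and `entity.risk.static_score_norm` says "calculated by an external system" where the full text says "obtained from outside the system". Since this CSV is what many integrations and field catalogues consume, suggest "A risk classification score ... normalized to a range of 0 to 100" for both rows, mirroring the full descriptions, so the range guarantee is not lost in the one place most tooling reads it.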
@@ -309,7 +319,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,entity,entity.target.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,entity,entity.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev,true,entity,entity.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.4.0-dev,true,entity,entity.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.4.0-dev,true,entity,entity.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev,true,entity,entity.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.4.0-dev,true,entity,entity.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+9.4.0-dev,true,entity,entity.target.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
@@ -545,7 +562,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,host,host.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,host,host.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,host,host.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,host,host.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
@@ -602,7 +620,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,host,host.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,host,host.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,host,host.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,host,host.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,host,host.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,host,host.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,host,host.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,host,host.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,host,host.target.geo.city_name,keyword,core,,Montreal,City name.
@@ -754,7 +773,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,orchestrator,orchestrator.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,orchestrator,orchestrator.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,orchestrator,orchestrator.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
@@ -1285,7 +1305,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,service,service.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,service,service.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,service,service.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,service,service.environment,keyword,extended,,production,Environment of the service.
@@ -1308,7 +1329,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,service,service.origin.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,service,service.origin.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,service,service.origin.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
@@ -1335,7 +1357,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,service,service.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,service,service.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,service,service.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,service,service.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,service,service.target.environment,keyword,extended,,production,Environment of the service.
@@ -1947,7 +1970,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,user,user.changes.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,user,user.changes.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,user,user.changes.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
@@ -1981,7 +2005,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,user,user.effective.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,user,user.effective.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,user,user.effective.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
@@ -2013,7 +2038,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,user,user.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,user,user.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,user,user.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
@@ -2046,7 +2072,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.4.0-dev,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity.
9.4.0-dev,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
9.4.0-dev,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.4.0-dev,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.4.0-dev,true,user,user.target.entity.relationship,object,extended,,,A set of relationship attributes that can vary between entity types.
+9.4.0-dev,true,user,user.target.entity.source,keyword,core,array,,Source module or integration that provided the entity data.
9.4.0-dev,true,user,user.target.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
9.4.0-dev,true,user,user.target.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.4.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index e27244196..385a77531 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -778,16 +778,36 @@ cloud.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+cloud.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: cloud.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
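Review bot: in the `cloud.entity.relationship` description the worked example is internally inconsistent: the text says the value should be the `entity.id` of the owned entity, but the sample value `"macbook-pro-xxxx"` reads like a host name. Suggest an id-shaped placeholder and a sentence stating which record carries the key (the owner's entity document carries `owns`). Since `type: object` declares no subfields, also confirm whether `relationship.owns` is meant to be dynamically mapped; if not, a concrete subfield (or a note that the set is provider-defined) belongs in the definition.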
@@ -1111,16 +1131,36 @@ cloud.origin.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+cloud.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: cloud.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
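Review bot: `cloud.origin.entity.source` changes `normalize` to `array` and the long description now says "use one entry per source", but the unchanged `short:` line still reads in the singular ("Source module or integration that provided the entity data."); the short text is what the CSV and field tables render, so update it in the same change (e.g. "Source modules or integrations that provided the entity data."). The same applies to every other `*.entity.source` copy in this patch, so fix it once in the source schema and regenerate.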
@@ -1590,16 +1630,36 @@ cloud.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+cloud.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: cloud.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -4006,16 +4066,115 @@ entity.reference:
normalize: []
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+entity.risk.calculated_level:
+ dashed_name: entity-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+entity.risk.calculated_score:
+ dashed_name: entity-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+entity.risk.calculated_score_norm:
+ dashed_name: entity-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: entity.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+entity.risk.static_level:
+ dashed_name: entity-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+entity.risk.static_score:
+ dashed_name: entity-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+entity.risk.static_score_norm:
+ dashed_name: entity-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.source:
beta: This field is beta and subject to change.
dashed_name: entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
short: Source module or integration that provided the entity data.
type: keyword
entity.sub_type:
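Review bot: the six new `entity.risk.*` fields carry no `beta:` line, while the adjacent `entity.relationship` and `entity.source` entries (and every other entity field in this patch) are marked "This field is beta and subject to change."; as they are nested under a beta field set, either add the marker or document why they are considered stable. Two smaller points: these risk fields appear only under `entity.*` and `entity.target.*` and do not show up in the `host.entity`, `cloud.entity`, `orchestrator.entity` or `service.entity` hunks of this same patch, so confirm that the reuse is deliberately limited or adjust the reuse order; and `entity.risk.static_score_norm` has `short: A normalized risk score calculated by an external system.` while its description says the score is obtained from outside the system, which reads differently.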
@@ -4185,16 +4344,116 @@ entity.target.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+entity.target.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.target.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+entity.target.risk.calculated_level:
+ dashed_name: entity-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+entity.target.risk.calculated_score:
+ dashed_name: entity-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+entity.target.risk.calculated_score_norm:
+ dashed_name: entity-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: entity.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+entity.target.risk.static_level:
+ dashed_name: entity-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+entity.target.risk.static_score:
+ dashed_name: entity-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+entity.target.risk.static_score_norm:
+ dashed_name: entity-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.target.source:
beta: This field is beta and subject to change.
dashed_name: entity-target-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: entity.target.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
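Review bot: the `entity.target.relationship` description's example refers to `entity.relationship.owns`, i.e. the top-level field, even though this entry documents the nested `entity.target` copy; the same wording is inherited by `cloud.entity.relationship`, `host.entity.relationship` and the other copies. Suggest phrasing the example relative to the field set ("the `owns` key under this field set") so each generated copy stays accurate.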
@@ -7890,16 +8149,36 @@ host.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+host.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: host.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -8704,16 +8983,36 @@ host.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+host.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: host.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -10778,16 +11077,36 @@ orchestrator.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+orchestrator.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: orchestrator.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
orchestrator.entity.source:
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: orchestrator.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -17258,16 +17577,36 @@ service.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+service.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: service.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -17678,16 +18017,36 @@ service.origin.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+service.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: service.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
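Review bot: `service.origin.entity.source` now has `normalize: - array`, but the `short:` two lines below the change still reads singular, "Source module or integration that provided the entity data.", and the description keeps the comparison to `event.module`, which is a single-valued field. Suggest "Source modules or integrations that provided the entity data." and "each entry carries the same meaning as event.module". Since this is a `level: core` field, a producer that still writes a scalar no longer matches the schema; a changelog or migration line for the shape change would help.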
@@ -18147,16 +18506,36 @@ service.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+service.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: service.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -26110,16 +26489,36 @@ user.changes.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.changes.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.changes.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.changes.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.changes.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -26593,16 +26992,36 @@ user.effective.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.effective.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.effective.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.effective.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.effective.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -27053,16 +27472,36 @@ user.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -27534,16 +27973,36 @@ user.target.entity.reference:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+user.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending on
+ the entity type. Use this field set when you need to track relationship characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-target-entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
+ description: 'The module or integration that supplied the data for this entity (similar
+ to event.module). Because an entity can be built from more than one source (e.g.,
+ multiple logs or integrations), this field is an array: use one entry per source.'
flat_name: user.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 05f243bb9..c98384460 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -971,16 +971,37 @@ cloud:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ cloud.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: cloud.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
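Review bot: the worked example in `cloud.entity.relationship` ("a user John Doe owning a MacBook Pro") is copied verbatim into every reuse site, and under `cloud.*`, `orchestrator.*` and `service.*` it describes a relationship the surrounding entity cannot have. Since the generator copies the canonical description into each location, consider making the canonical text entity-type-agnostic (name the key and say the value is the related entity's `entity.id`) and keep the user-owns-host illustration in a separate sentence that calls itself a user-entity example.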
@@ -1310,16 +1331,37 @@ cloud:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ cloud.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: cloud.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -1795,16 +1837,37 @@ cloud:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ cloud.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: cloud.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
cloud.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: cloud.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -5026,16 +5089,116 @@ entity:
normalize: []
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+ entity.risk.calculated_level:
+ dashed_name: entity-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ entity.risk.calculated_score:
+ dashed_name: entity-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ entity.risk.calculated_score_norm:
+ dashed_name: entity-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: entity.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ entity.risk.static_level:
+ dashed_name: entity-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ entity.risk.static_score:
+ dashed_name: entity-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ entity.risk.static_score_norm:
+ dashed_name: entity-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.source:
beta: This field is beta and subject to change.
dashed_name: entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
short: Source module or integration that provided the entity data.
type: keyword
entity.sub_type:
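Review bot: in `entity.relationship` the example value `"macbook-pro-xxxx"` reads like a host name, while the same sentence says the value "should be the entity.id of the owned entity"; an id-shaped placeholder would stop producers from writing names into the field. The description also does not say whether a relationship key holds a single id or an array; a user typically owns more than one host, so `owns` will be multi-valued in practice, and `normalize: []` on the parent `object` says nothing about its keys.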
@@ -5208,16 +5371,117 @@ entity:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ entity.target.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: entity.target.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
+ entity.target.risk.calculated_level:
+ dashed_name: entity-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: entity.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ entity.target.risk.calculated_score:
+ dashed_name: entity-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: entity.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ entity.target.risk.calculated_score_norm:
+ dashed_name: entity-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: entity.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ entity.target.risk.static_level:
+ dashed_name: entity-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: entity.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ entity.target.risk.static_score:
+ dashed_name: entity-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: entity.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ entity.target.risk.static_score_norm:
+ dashed_name: entity-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: entity.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
entity.target.source:
beta: This field is beta and subject to change.
dashed_name: entity-target-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: entity.target.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
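Review bot: the `risk` reuse is propagating one level further into `entity.target.risk.*` (risk -> entity -> entity.target), while the nested hunks for `host.entity`, `cloud.entity`, `service.entity` and `user.entity` in this same file show `*.entity.relationship` followed directly by `*.entity.source` with no `*.entity.risk.*` between them. Confirm the asymmetry is intended: if risk scores should be available wherever an entity is embedded, the other reuse sites need the same fields; if not, `entity.target.risk.*` should probably be excluded as well for consistency.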
@@ -5408,6 +5672,7 @@ entity:
group: 2
name: entity
nestings:
+ - entity.risk
- entity.target
prefix: entity.
reusable:
@@ -5433,6 +5698,9 @@ entity:
short_override: Targeted entity of action taken.
top_level: true
reused_here:
+ - full: entity.risk
+ schema_name: risk
+ short: Fields for describing risk score and level.
- full: entity.target
schema_name: entity
short: Targeted entity of action taken.
@@ -9450,16 +9718,37 @@ host:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ host.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: host.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -10272,16 +10561,37 @@ host:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ host.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: host-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: host.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
host.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: host-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: host.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -12717,16 +13027,37 @@ orchestrator:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ orchestrator.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: orchestrator.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
orchestrator.entity.source:
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: orchestrator.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -19242,6 +19573,9 @@ risk:
- as: risk
at: user
full: user.risk
+ - as: risk
+ at: entity
+ full: entity.risk
top_level: false
short: Fields for describing risk score and level.
title: Risk information
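Review bot: the new `at: entity` reuse entry carries no `beta` marker, so the generated `entity.risk.*` and `entity.target.risk.*` fields are the only `entity.*` fields in this diff without the "This field is beta and subject to change." notice that `entity.relationship` and `entity.source` carry. Consider adding a `beta:` line to this reuse entry so the generated fields under the beta `entity` fieldset carry the same notice.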
@@ -20065,16 +20399,37 @@ service:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ service.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: service.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -20493,16 +20848,37 @@ service:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ service.origin.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.origin.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.origin.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: service.origin.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -20970,16 +21346,37 @@ service:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ service.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: service-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: service.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
service.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: service-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: service.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -29172,16 +29569,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.changes.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.changes.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.changes.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.changes.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -29661,16 +30079,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.effective.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.effective.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.effective.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.effective.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -30127,16 +30566,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
@@ -30614,16 +31074,37 @@ user:
original_fieldset: entity
short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
+ user.target.entity.relationship:
+ beta: This field is beta and subject to change.
+ dashed_name: user-target-entity-relationship
+ description: 'The structure and content of this field set may differ depending
+ on the entity type. Use this field set when you need to track relationship
+ characteristics of an entity for advanced searching and correlation of normalized
+ values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device
+ (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns:
+ "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).'
+ flat_name: user.target.entity.relationship
+ level: extended
+ name: relationship
+ normalize: []
+ original_fieldset: entity
+ short: A set of relationship attributes that can vary between entity types.
+ type: object
user.target.entity.source:
beta: This field is beta and subject to change.
dashed_name: user-target-entity-source
- description: The module or integration that provided this entity data (similar
- to event.module).
+ description: 'The module or integration that supplied the data for this entity
+ (similar to event.module). Because an entity can be built from more than one
+ source (e.g., multiple logs or integrations), this field is an array: use
+ one entry per source.'
flat_name: user.target.entity.source
ignore_above: 1024
level: core
name: source
- normalize: []
+ normalize:
+ - array
original_fieldset: entity
short: Source module or integration that provided the entity data.
type: keyword
diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json
index 55294fe4f..d3b9b02cd 100644
--- a/generated/elasticsearch/composable/component/cloud.json
+++ b/generated/elasticsearch/composable/component/cloud.json
@@ -70,6 +70,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -168,6 +171,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -324,6 +330,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json
index 7620b87ca..3f3483f44 100644
--- a/generated/elasticsearch/composable/component/entity.json
+++ b/generated/elasticsearch/composable/component/entity.json
@@ -52,6 +52,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
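Review bot: `"relationship": { "type": "object" }` declares neither `properties` nor a `dynamic` setting, so whatever keys an integration sends under `entity.relationship.*` are mapped by whatever dynamic policy the enclosing mapping has; with the Elasticsearch default a string value such as the `owns` example becomes `text` with a `.keyword` multi-field rather than `keyword`, and an unbounded set of relationship names counts against the index field limit. If that is intended, the entity docs should say so; otherwise consider declaring the known sub-fields (e.g. `owns` as keyword, multi-valued) or an explicit `dynamic` policy. The same applies to the identical `relationship` object added to the cloud, host, orchestrator, service and user components and to the legacy template.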
@@ -106,6 +133,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json
index 0e8543d3c..858da2f5c 100644
--- a/generated/elasticsearch/composable/component/host.json
+++ b/generated/elasticsearch/composable/component/host.json
@@ -96,6 +96,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -361,6 +364,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json
index 0d6c36680..b1e8bcd66 100644
--- a/generated/elasticsearch/composable/component/orchestrator.json
+++ b/generated/elasticsearch/composable/component/orchestrator.json
@@ -78,6 +78,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json
index aa40e8cd0..183813006 100644
--- a/generated/elasticsearch/composable/component/service.json
+++ b/generated/elasticsearch/composable/component/service.json
@@ -58,6 +58,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -157,6 +160,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -274,6 +280,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json
index b30af1dfa..e29f52b31 100644
--- a/generated/elasticsearch/composable/component/user.json
+++ b/generated/elasticsearch/composable/component/user.json
@@ -64,6 +64,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -211,6 +214,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -348,6 +354,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -489,6 +498,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index 6b7846c9f..d7c0fb8b9 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -294,6 +294,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -392,6 +395,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -548,6 +554,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -1430,6 +1439,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -1484,6 +1520,33 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -2492,6 +2555,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -2757,6 +2823,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -3472,6 +3541,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -5841,6 +5913,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -5940,6 +6015,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -6057,6 +6135,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -8708,6 +8789,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -8855,6 +8939,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -8992,6 +9079,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
@@ -9133,6 +9223,9 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "relationship": {
+ "type": "object"
+ },
"source": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/schemas/entity.yml b/schemas/entity.yml
index de36529f1..3a8c50d48 100644
--- a/schemas/entity.yml
+++ b/schemas/entity.yml
@@ -63,7 +63,11 @@
type: keyword
short: Source module or integration that provided the entity data.
description: >
- The module or integration that provided this entity data (similar to event.module).
+ The module or integration that supplied the data for this entity (similar to event.module).
+ Because an entity can be built from more than one source (e.g., multiple logs or integrations),
+ this field is an array: use one entry per source.
+ normalize:
+ - array
beta: This field is beta and subject to change.
- name: type
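Review bot: `normalize: - array` turns a field that was previously scalar into a multi-valued one, which consumers that read `entity.source` as a single string (ingest pipelines, scripts, dashboards) may not expect, so please call it out as a behaviour change in the changelog. The `short` text is still singular ("Source module or integration that provided the entity data.") while the description now says "use one entry per source"; something like `short: Source modules or integrations that provided the entity data.` would keep the two consistent. The "(similar to event.module)" comparison is also a little loose now, since `event.module` is single-valued.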
@@ -163,6 +167,16 @@
A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.
beta: This field is beta and subject to change.
+ - name: relationship
+ level: extended
+ type: object
+ short: A set of relationship attributes that can vary between entity types.
+ description: >
+ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.
+
+ For example, `entity.relationship.owns` can describe that a user owns a device (host): a user John Doe owning a MacBook Pro may be captured as `entity.relationship.owns: "macbook-pro-xxxx"` (the value should be the entity.id of the owned entity).
+ beta: This field is beta and subject to change.
+
- name: lifecycle
level: extended
type: object
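Review bot: the `owns` example implies a single value, but a user commonly owns several devices, so the description should say whether `entity.relationship.owns` may hold an array of `entity.id` values. It also says nothing about the expected data types of the sub-fields, whereas the neighbouring `attributes` entry states "Usually boolean or keyword field data types"; the same hint here would tell integration authors to send `entity.id` strings that map as keyword rather than free text, which matters for the exact-match filtering the description promises. Minor style: the blank `+` line before `- name: lifecycle` is not matched by one between `attributes` and `relationship` above; drop it or separate both sides the same way.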
diff --git a/schemas/risk.yml b/schemas/risk.yml
index 8c54f392b..3ebc2122a 100644
--- a/schemas/risk.yml
+++ b/schemas/risk.yml
@@ -30,6 +30,7 @@
expected:
- host
- user
+ - entity
type: group
fields:
- name: calculated_score
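Review bot: adding `entity` to `expected` makes `entity.risk.*` available only on the top-level `entity` fieldset; the generated `host.json`, `user.json` and `service.json` hunks add `relationship` under their nested `entity` but no `risk`, which is consistent with `host.risk` and `user.risk` already existing but deserves a sentence in the entity docs so readers do not look for `user.entity.risk`. Since `service` also nests `entity` and this list has no `service` entry, please confirm that leaving risk off `service.entity` is intended rather than an omission.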