Extend entity schema with relationship and risk#2577
Extend entity schema with relationship and risk#2577uri-weisman wants to merge 6 commits intoelastic:mainfrom
Conversation
- Removed the reusable section from the host schema for clarity. - Added a new 'relationship' field to the entity schema to track varying attributes between entity types. - Updated the risk schema to include 'entity' as an expected type. These changes aim to improve the organization and functionality of the schemas for better data representation.
- Introduced the `entity.relationship` field to track relationship characteristics of entities for advanced searching and correlation. - Enhanced risk fields with new properties: `calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, and `static_score_norm` to improve risk assessment capabilities. - Updated documentation to reflect these changes across relevant ECS reference files.
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
|
Documentation changes preview: https://docs-v3-preview.elastic.dev/elastic/ecs/pull/2577/reference/ |
🔍 Preview links for changed docs |
- Restore the reusable section for host.target that enables host.target.* fields - Regenerate all artifacts including documentation, CSV, YAML, and Elasticsearch templates
uri-weisman
changed the title
| short: A set of relationship attributes that can vary between entity types. | ||
| description: > | ||
| The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. | ||
| beta: This field is beta and subject to change. |
There was a problem hiding this comment.
how this field should be used for external user? It’s not clear what is inside. is it any object or there is some structure.
There was a problem hiding this comment.
Hey! I've added an example. let me know if it's clear enough.
There was a problem hiding this comment.
I think we could try to improve it and provide different options inside relationship, there are for sure more than just owns?.
Is it actually relationship or relationships?
Also how we capture multiple devices?
For this kind of changes I propose to follow ECS RFC process and first create a straw project where all these discussions are happening including events/logs examples and after defined names and types next step with implementation should follow
| expected: | ||
| - host | ||
| - user | ||
| - entity |
There was a problem hiding this comment.
how this work if entity is of type of host? Will be there doubled information for risk?
There was a problem hiding this comment.
Even though host and user have risk scores, we decided at the offsite to only update entity.risk and stay agnostic to entity type.
We won’t keep risk data in two places, it’ll live only under entity.*.
|
Hi! We just realized that we haven't looked into this PR in a while. We're We're labeling this PR as If there is no activity on this PR within the next 2 weeks, it will be Thank you for your contribution! |
2 participants
1. What does this PR do?
entity.relationshipfield (beta) to track relationship attributes (already part of entity store schema as of 9.2)entityto risk schema's reusable expected locations)2. Which ECS fields are affected/introduced?
Change type to
entity.sourceto become an array, to be able to hold multiple data sources that construct an entity.New fields:
entity.relationship(extended, object, beta) - A set of relationship attributes that can vary between entity types. Similar toentity.attributes, this field uses object type to allow flexible schema definitions.Field reuse enabled:
entity.risk.*- Risk fields can now be nested under entity (e.g.,entity.risk.calculated_score,entity.risk.calculated_level, etc.)Purpose:
entity.relationshipenables tracking relationship characteristics of entities for advanced searching and correlation across different providers/sources and entity typesentity.risk.*allows risk scoring for any entity type, not just hosts and users3. Why is this change necessary?
Entity relationship field:
Entity risk field reuse:
4. Have you added/updated documentation?
YES
5. Have you built ECS and committed any newly generated files?
YES
6. Have you run the ECS validation tests locally?
YES
7. Anything else for the reviewers?
Commit Message
Add entity.relationship field and enable risk field reuse for entity