diff --git a/docs/reference/ecs-allowed-values-entity-type.md b/docs/reference/ecs-allowed-values-entity-type.md
index 8ff592348..30c2ea796 100644
--- a/docs/reference/ecs-allowed-values-entity-type.md
+++ b/docs/reference/ecs-allowed-values-entity-type.md
@@ -27,6 +27,8 @@ This field is an array. This allows proper categorization of entities that may f
* [service](#ecs-entity-type-service)
* [session](#ecs-entity-type-session)
* [user](#ecs-entity-type-user)
+* [cloud](#ecs-entity-type-cloud)
+* [orchestrator](#ecs-entity-type-orchestrator)
## application [ecs-entity-type-application]
@@ -78,3 +80,10 @@ Represents a user session or connection session. This includes user login sessio
Represents a user account or identity. This includes human users, service accounts, system accounts, and other identity entities that can interact with systems, applications, or services. Users may have various roles, permissions, and attributes associated with their identity.
+
+## cloud [ecs-entity-type-cloud]
+Represents a cloud or infrastructure. This includes cloud providers and their services (such as AWS EC2), and is used to identify or correlate resources, entities, and activities across accounts or multi-cloud environments.
+
+
+## orchestrator [ecs-entity-type-orchestrator]
+Represents an orchestration system or orchestrator component. This includes container orchestrators like Kubernetes, Docker Swarm, and other systems responsible for automating the deployment, management, scaling, and networking of containers or workloads.
diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md
index 369e9b88d..951777bfd 100644
--- a/docs/reference/ecs-entity.md
+++ b/docs/reference/ecs-entity.md
@@ -27,16 +27,24 @@ The entity fields provide a standardized way to represent and categorize differe
| $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.
type: keyword | extended |
| $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).
type: keyword | core |
| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.
type: keyword
example: `aws_s3_bucket` | extended |
-| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.
type: keyword
Note: This field should contain an array of values.
**Important:** The field value must be one of the following:
bucket, database, container, function, queue, host, user, application, service, session
To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core |
+| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.
type: keyword
Note: This field should contain an array of values.
**Important:** The field value must be one of the following:
bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator
To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core |
## Field reuse [_field_reuse]
The `entity` fields are expected to be nested at:
* `cloud.entity`
+* `entity.target`
* `host.entity`
* `orchestrator.entity`
* `service.entity`
* `user.entity`
-Note also that the `entity` fields are not expected to be used directly at the root of the events.
+Note also that the `entity` fields may be used directly at the root of the events.
+
+
+### Field sets that can be nested under Entity [ecs-entity-nestings]
+
+| Location | Field Set | Description |
+| --- | --- | --- |
+| `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. |
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 1c45bc371..07ed3200f 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -625,7 +625,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: instance.id
@@ -787,7 +790,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: origin.instance.id
@@ -1038,7 +1044,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: target.instance.id
@@ -2422,6 +2431,264 @@
original email message.
example: Spambot v2.5
default_field: false
+ - name: entity
+ title: Entity
+ group: 2
+ description: The entity fields provide a standardized way to represent and categorize
+ different types of components within an IT environment, including those that
+ don't have dedicated field sets in ECS. An entity represents a discrete, identifiable
+ component that can be described by a set of attributes and maintains its identity
+ over time.
+ footnote: The entity fields may be self-nested under entity.target.* to describe
+ the target entity in the context of an action or event. The fieldset entity.target.*
+ must not be confused with the root entity fieldset that is used to describe
+ the primary entity under observation. The fieldset entity.target.* may only
+ be used to describe the targeted entity of an action taken.
+ type: group
+ default_field: true
+ fields:
+ - name: attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: target.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: target.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: target.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: target.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: target.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: target.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: target.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: target.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: target.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: target.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: target.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: target.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: target.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
+ example: host
+ default_field: false
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
+ example: host
+ default_field: false
- name: error
title: Error
group: 2
@@ -4268,7 +4535,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: geo.city_name
@@ -5443,7 +5713,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: namespace
@@ -9391,7 +9664,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: environment
@@ -9621,7 +9897,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: origin.environment
@@ -9888,7 +10167,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: target.environment
@@ -14572,7 +14854,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: changes.full_name
@@ -14821,7 +15106,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: effective.full_name
@@ -15054,7 +15342,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: full_name
@@ -15291,7 +15582,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: target.full_name
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index f34638850..9758f073a 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -290,6 +290,36 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.3.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
9.3.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient
9.3.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
+9.3.0-dev+exp,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev+exp,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev+exp,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev+exp,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev+exp,true,entity,entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev+exp,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev+exp,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev+exp,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev+exp,true,entity,entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity.
+9.3.0-dev+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev+exp,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev+exp,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev+exp,true,entity,entity.target.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev+exp,true,entity,entity.target.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev+exp,true,entity,entity.target.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev+exp,true,entity,entity.target.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev+exp,true,entity,entity.target.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev+exp,true,entity,entity.target.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev+exp,true,entity,entity.target.name,keyword,core,,,The name of the entity.
+9.3.0-dev+exp,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity.
+9.3.0-dev+exp,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev+exp,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev+exp,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev+exp,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev+exp,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.3.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error.
9.3.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
9.3.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 3bef32b80..f450e8cd6 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -929,12 +929,23 @@ cloud.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: cloud.entity.type
ignore_above: 1024
@@ -1251,12 +1262,23 @@ cloud.origin.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: cloud.origin.entity.type
ignore_above: 1024
@@ -1719,12 +1741,23 @@ cloud.target.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: cloud.target.entity.type
ignore_above: 1024
@@ -3902,6 +3935,511 @@ email.x_mailer:
normalize: []
short: Application that drafted email.
type: keyword
+entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+entity.id:
+ dashed_name: entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ short: Unique identifier for the entity.
+ type: keyword
+entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ short: A set of temporal characteristics of the entity.
+ type: object
+entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ short: The name of the entity.
+ type: keyword
+entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ short: Original, unmodified fields from the source system.
+ type: object
+entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ short: Source module or integration that provided the entity data.
+ type: keyword
+entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+entity.target.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: entity.target.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+entity.target.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: entity.target.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+entity.target.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.target.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.target.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+entity.target.id:
+ dashed_name: entity-target-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: entity.target.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+entity.target.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: entity.target.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+entity.target.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.target.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+entity.target.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: entity.target.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+entity.target.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: entity.target.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.target.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+entity.target.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: entity.target.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+entity.target.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.target.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+entity.target.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: entity.target.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+entity.target.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.target.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+entity.target.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
+ example: host
+ flat_name: entity.target.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
+ beta: This field is beta and subject to change.
+ dashed_name: entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
+ example: host
+ flat_name: entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ short: Standardized high-level classification of the entity.
+ type: keyword
error.code:
dashed_name: error-code
description: Error code describing the error.
@@ -7503,12 +8041,23 @@ host.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: host-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: host.entity.type
ignore_above: 1024
@@ -9559,12 +10108,23 @@ orchestrator.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: orchestrator.entity.type
ignore_above: 1024
@@ -16028,12 +16588,23 @@ service.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: service.entity.type
ignore_above: 1024
@@ -16437,12 +17008,23 @@ service.origin.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: service.origin.entity.type
ignore_above: 1024
@@ -16895,12 +17477,23 @@ service.target.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: service.target.entity.type
ignore_above: 1024
@@ -24847,12 +25440,23 @@ user.changes.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.changes.entity.type
ignore_above: 1024
@@ -25319,12 +25923,23 @@ user.effective.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.effective.entity.type
ignore_above: 1024
@@ -25768,12 +26383,23 @@ user.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.entity.type
ignore_above: 1024
@@ -26238,12 +26864,23 @@ user.target.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.target.entity.type
ignore_above: 1024
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 52d708e87..86f3a0451 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1135,12 +1135,24 @@ cloud:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: cloud.entity.type
ignore_above: 1024
@@ -1462,12 +1474,24 @@ cloud:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: cloud.origin.entity.type
ignore_above: 1024
@@ -1935,12 +1959,24 @@ cloud:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: cloud.target.entity.type
ignore_above: 1024
@@ -5099,6 +5135,271 @@ entity:
short: The specific type designation for the entity as defined by its provider
or system.
type: keyword
+ entity.target.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: entity.target.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ entity.target.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.target.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ entity.target.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.target.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.target.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ entity.target.id:
+ dashed_name: entity-target-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: entity.target.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ entity.target.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: entity.target.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ entity.target.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.target.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ entity.target.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: entity.target.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ entity.target.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: entity.target.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.target.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ entity.target.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: entity.target.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ entity.target.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.target.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ entity.target.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: entity.target.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ entity.target.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.target.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ entity.target.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
+ example: host
+ flat_name: entity.target.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
entity.type:
allowed_values:
- description: Represents a storage container or bucket, typically used for
@@ -5152,12 +5453,24 @@ entity:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: entity.type
ignore_above: 1024
@@ -5167,8 +5480,15 @@ entity:
- array
short: Standardized high-level classification of the entity.
type: keyword
+ footnote: The entity fields may be self-nested under entity.target.* to describe
+ the target entity in the context of an action or event. The fieldset entity.target.*
+ must not be confused with the root entity fieldset that is used to describe the
+ primary entity under observation. The fieldset entity.target.* may only be used
+ to describe the targeted entity of an action taken.
group: 2
name: entity
+ nestings:
+ - entity.target
prefix: entity.
reusable:
expected:
@@ -5187,7 +5507,15 @@ entity:
- as: entity
at: orchestrator
full: orchestrator.entity
- top_level: false
+ - as: target
+ at: entity
+ full: entity.target
+ short_override: Targeted entity of action taken.
+ top_level: true
+ reused_here:
+ - full: entity.target
+ schema_name: entity
+ short: Targeted entity of action taken.
short: Fields to describe various types of entities across IT environments.
title: Entity
type: group
@@ -9286,12 +9614,24 @@ host:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: host-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: host.entity.type
ignore_above: 1024
@@ -11700,12 +12040,24 @@ orchestrator:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: orchestrator.entity.type
ignore_above: 1024
@@ -19036,12 +19388,24 @@ service:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: service.entity.type
ignore_above: 1024
@@ -19452,12 +19816,24 @@ service:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: service.origin.entity.type
ignore_above: 1024
@@ -19917,12 +20293,24 @@ service:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: service.target.entity.type
ignore_above: 1024
@@ -28107,12 +28495,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.changes.entity.type
ignore_above: 1024
@@ -28584,12 +28984,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.effective.entity.type
ignore_above: 1024
@@ -29038,12 +29450,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.entity.type
ignore_above: 1024
@@ -29513,12 +29937,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.target.entity.type
ignore_above: 1024
diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json
new file mode 100644
index 000000000..2fe474d6b
--- /dev/null
+++ b/experimental/generated/elasticsearch/composable/component/entity.json
@@ -0,0 +1,132 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html",
+ "ecs_version": "9.3.0-dev+exp"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json
index 34fbb1415..16133308a 100644
--- a/experimental/generated/elasticsearch/composable/template.json
+++ b/experimental/generated/elasticsearch/composable/template.json
@@ -17,6 +17,7 @@
"ecs_9.3.0-dev-exp_dns",
"ecs_9.3.0-dev-exp_ecs",
"ecs_9.3.0-dev-exp_email",
+ "ecs_9.3.0-dev-exp_entity",
"ecs_9.3.0-dev-exp_error",
"ecs_9.3.0-dev-exp_event",
"ecs_9.3.0-dev-exp_faas",
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index 6fb8b88cf..4c8a9f732 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -1426,6 +1426,126 @@
}
}
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"error": {
"properties": {
"code": {
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 4e5347968..3366cfd8e 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -575,7 +575,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: instance.id
@@ -737,7 +740,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: origin.instance.id
@@ -988,7 +994,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: target.instance.id
@@ -2372,6 +2381,264 @@
original email message.
example: Spambot v2.5
default_field: false
+ - name: entity
+ title: Entity
+ group: 2
+ description: The entity fields provide a standardized way to represent and categorize
+ different types of components within an IT environment, including those that
+ don't have dedicated field sets in ECS. An entity represents a discrete, identifiable
+ component that can be described by a set of attributes and maintains its identity
+ over time.
+ footnote: The entity fields may be self-nested under entity.target.* to describe
+ the target entity in the context of an action or event. The fieldset entity.target.*
+ must not be confused with the root entity fieldset that is used to describe
+ the primary entity under observation. The fieldset entity.target.* may only
+ be used to describe the targeted entity of an action taken.
+ type: group
+ default_field: true
+ fields:
+ - name: attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: target.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: target.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: target.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: target.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: target.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: target.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: target.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: target.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: target.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: target.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: target.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: target.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: target.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
+ example: host
+ default_field: false
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
+ example: host
+ default_field: false
- name: error
title: Error
group: 2
@@ -4218,7 +4485,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: geo.city_name
@@ -5393,7 +5663,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: namespace
@@ -9341,7 +9614,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: environment
@@ -9571,7 +9847,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: origin.environment
@@ -9838,7 +10117,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: target.environment
@@ -14522,7 +14804,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: changes.full_name
@@ -14771,7 +15056,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: effective.full_name
@@ -15004,7 +15292,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: full_name
@@ -15241,7 +15532,10 @@
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
default_field: false
- name: target.full_name
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index fbc5fb3c3..f460c9390 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -283,6 +283,36 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient
9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
+9.3.0-dev,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,entity,entity.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,entity,entity.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,entity,entity.name.text,match_only_text,core,,,The name of the entity.
+9.3.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,entity,entity.target.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.3.0-dev,true,entity,entity.target.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.3.0-dev,true,entity,entity.target.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,entity,entity.target.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.3.0-dev,true,entity,entity.target.id,keyword,core,,,Unique identifier for the entity.
+9.3.0-dev,true,entity,entity.target.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.3.0-dev,true,entity,entity.target.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.3.0-dev,true,entity,entity.target.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.3.0-dev,true,entity,entity.target.name,keyword,core,,,The name of the entity.
+9.3.0-dev,true,entity,entity.target.name.text,match_only_text,core,,,The name of the entity.
+9.3.0-dev,true,entity,entity.target.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.3.0-dev,true,entity,entity.target.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.3.0-dev,true,entity,entity.target.source,keyword,core,,,Source module or integration that provided the entity data.
+9.3.0-dev,true,entity,entity.target.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.3.0-dev,true,entity,entity.target.type,keyword,core,array,host,Standardized high-level classification of the entity.
+9.3.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 06378fca8..40f65f7fd 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -860,12 +860,23 @@ cloud.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: cloud.entity.type
ignore_above: 1024
@@ -1182,12 +1193,23 @@ cloud.origin.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: cloud.origin.entity.type
ignore_above: 1024
@@ -1650,12 +1672,23 @@ cloud.target.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: cloud.target.entity.type
ignore_above: 1024
@@ -3833,6 +3866,511 @@ email.x_mailer:
normalize: []
short: Application that drafted email.
type: keyword
+entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+entity.id:
+ dashed_name: entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ short: Unique identifier for the entity.
+ type: keyword
+entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ short: A set of temporal characteristics of the entity.
+ type: object
+entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ short: The name of the entity.
+ type: keyword
+entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ short: Original, unmodified fields from the source system.
+ type: object
+entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ short: Source module or integration that provided the entity data.
+ type: keyword
+entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+entity.target.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: entity.target.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+entity.target.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: entity.target.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+entity.target.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.target.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.target.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+entity.target.id:
+ dashed_name: entity-target-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: entity.target.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+entity.target.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: entity.target.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+entity.target.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.target.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+entity.target.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: entity.target.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+entity.target.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: entity.target.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.target.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+entity.target.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: entity.target.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+entity.target.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.target.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+entity.target.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: entity.target.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+entity.target.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.target.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+entity.target.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
+ example: host
+ flat_name: entity.target.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
+ beta: This field is beta and subject to change.
+ dashed_name: entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
+ example: host
+ flat_name: entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ short: Standardized high-level classification of the entity.
+ type: keyword
error.code:
dashed_name: error-code
description: Error code describing the error.
@@ -7434,12 +7972,23 @@ host.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: host-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: host.entity.type
ignore_above: 1024
@@ -9490,12 +10039,23 @@ orchestrator.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: orchestrator.entity.type
ignore_above: 1024
@@ -15959,12 +16519,23 @@ service.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: service.entity.type
ignore_above: 1024
@@ -16368,12 +16939,23 @@ service.origin.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: service.origin.entity.type
ignore_above: 1024
@@ -16826,12 +17408,23 @@ service.target.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: service.target.entity.type
ignore_above: 1024
@@ -24778,12 +25371,23 @@ user.changes.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.changes.entity.type
ignore_above: 1024
@@ -25250,12 +25854,23 @@ user.effective.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.effective.entity.type
ignore_above: 1024
@@ -25699,12 +26314,23 @@ user.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.entity.type
ignore_above: 1024
@@ -26169,12 +26795,23 @@ user.target.entity.type:
login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate resources,
+ entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component. This
+ includes container orchestrators like Kubernetes, Docker Swarm, and other systems
+ responsible for automating the deployment, management, scaling, and networking
+ of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is
+ nested under a top-level namespace like `host` or `cloud`, or similar, its type
+ array should include the matching value — for example, `host` or `cloud`.'
example: host
flat_name: user.target.entity.type
ignore_above: 1024
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 37abbf431..48d310bdd 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -1055,12 +1055,24 @@ cloud:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: cloud.entity.type
ignore_above: 1024
@@ -1382,12 +1394,24 @@ cloud:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: cloud.origin.entity.type
ignore_above: 1024
@@ -1855,12 +1879,24 @@ cloud:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: cloud-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: cloud.target.entity.type
ignore_above: 1024
@@ -5019,6 +5055,271 @@ entity:
short: The specific type designation for the entity as defined by its provider
or system.
type: keyword
+ entity.target.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: entity.target.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ entity.target.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.target.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ entity.target.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.target.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.target.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ entity.target.id:
+ dashed_name: entity-target-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: entity.target.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ entity.target.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: entity.target.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ entity.target.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.target.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ entity.target.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: entity.target.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ entity.target.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: entity.target.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.target.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ entity.target.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: entity.target.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ entity.target.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.target.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ entity.target.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: entity.target.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ entity.target.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.target.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ entity.target.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
+ beta: This field is beta and subject to change.
+ dashed_name: entity-target-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
+ example: host
+ flat_name: entity.target.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
entity.type:
allowed_values:
- description: Represents a storage container or bucket, typically used for
@@ -5072,12 +5373,24 @@ entity:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: entity.type
ignore_above: 1024
@@ -5087,8 +5400,15 @@ entity:
- array
short: Standardized high-level classification of the entity.
type: keyword
+ footnote: The entity fields may be self-nested under entity.target.* to describe
+ the target entity in the context of an action or event. The fieldset entity.target.*
+ must not be confused with the root entity fieldset that is used to describe the
+ primary entity under observation. The fieldset entity.target.* may only be used
+ to describe the targeted entity of an action taken.
group: 2
name: entity
+ nestings:
+ - entity.target
prefix: entity.
reusable:
expected:
@@ -5107,7 +5427,15 @@ entity:
- as: entity
at: orchestrator
full: orchestrator.entity
- top_level: false
+ - as: target
+ at: entity
+ full: entity.target
+ short_override: Targeted entity of action taken.
+ top_level: true
+ reused_here:
+ - full: entity.target
+ schema_name: entity
+ short: Targeted entity of action taken.
short: Fields to describe various types of entities across IT environments.
title: Entity
type: group
@@ -9206,12 +9534,24 @@ host:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: host-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: host.entity.type
ignore_above: 1024
@@ -11620,12 +11960,24 @@ orchestrator:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: orchestrator-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: orchestrator.entity.type
ignore_above: 1024
@@ -18956,12 +19308,24 @@ service:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: service.entity.type
ignore_above: 1024
@@ -19372,12 +19736,24 @@ service:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-origin-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: service.origin.entity.type
ignore_above: 1024
@@ -19837,12 +20213,24 @@ service:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: service-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: service.target.entity.type
ignore_above: 1024
@@ -28027,12 +28415,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-changes-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.changes.entity.type
ignore_above: 1024
@@ -28504,12 +28904,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-effective-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.effective.entity.type
ignore_above: 1024
@@ -28958,12 +29370,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.entity.type
ignore_above: 1024
@@ -29433,12 +29857,24 @@ user:
user login sessions, database connections, network sessions, and other temporary
interactive or persistent connections between users, applications, or systems.
name: session
+ - description: Represents a cloud or infrastructure. This includes cloud providers
+ and their services (such as AWS EC2), and is used to identify or correlate
+ resources, entities, and activities across accounts or multi-cloud environments.
+ name: cloud
+ - description: Represents an orchestration system or orchestrator component.
+ This includes container orchestrators like Kubernetes, Docker Swarm, and
+ other systems responsible for automating the deployment, management, scaling,
+ and networking of containers or workloads.
+ name: orchestrator
beta: This field is beta and subject to change.
dashed_name: user-target-entity-type
description: 'A standardized high-level classification of the entity. This provides
a normalized way to group similar entities across different providers or systems.
Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
+ `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity
+ is nested under a top-level namespace like `host` or `cloud`, or similar,
+ its type array should include the matching value — for example, `host` or
+ `cloud`.'
example: host
flat_name: user.target.entity.type
ignore_above: 1024
diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json
new file mode 100644
index 000000000..c18bcf07b
--- /dev/null
+++ b/generated/elasticsearch/composable/component/entity.json
@@ -0,0 +1,132 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html",
+ "ecs_version": "9.3.0-dev"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json
index ce90e997d..b9692c085 100644
--- a/generated/elasticsearch/composable/template.json
+++ b/generated/elasticsearch/composable/template.json
@@ -16,6 +16,7 @@
"ecs_9.3.0-dev_dns",
"ecs_9.3.0-dev_ecs",
"ecs_9.3.0-dev_email",
+ "ecs_9.3.0-dev_entity",
"ecs_9.3.0-dev_error",
"ecs_9.3.0-dev_event",
"ecs_9.3.0-dev_faas",
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index 537e93a27..a0acf841a 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -1384,6 +1384,126 @@
}
}
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"error": {
"properties": {
"code": {
diff --git a/schemas/entity.yml b/schemas/entity.yml
index b4ec7dbed..de36529f1 100644
--- a/schemas/entity.yml
+++ b/schemas/entity.yml
@@ -11,9 +11,16 @@
that don't have dedicated field sets in ECS. An entity represents a discrete,
identifiable component that can be described by a set of attributes and
maintains its identity over time.
+ footnote: >
+ The entity fields may be self-nested under entity.target.* to describe
+ the target entity in the context of an action or event. The fieldset
+ entity.target.* must not be confused with the root entity fieldset that
+ is used to describe the primary entity under observation. The fieldset
+ entity.target.* may only be used to describe the targeted entity of an
+ action taken.
root: false
reusable:
- top_level: false
+ top_level: true
order: 2
expected:
- user
@@ -21,6 +28,9 @@
- host
- service
- orchestrator
+ - at: entity
+ as: target
+ short_override: Targeted entity of action taken.
fields:
- name: name
@@ -62,7 +72,8 @@
short: Standardized high-level classification of the entity.
description: >
A standardized high-level classification of the entity. This provides a normalized way
- to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.
+ to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc.
+ If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.
normalize:
- array
allowed_values:
@@ -96,6 +107,12 @@
- name: session
description: >
Represents a user session or connection session. This includes user login sessions, database connections, network sessions, and other temporary interactive or persistent connections between users, applications, or systems.
+ - name: cloud
+ description: >
+ Represents a cloud or infrastructure. This includes cloud providers and their services (such as AWS EC2), and is used to identify or correlate resources, entities, and activities across accounts or multi-cloud environments.
+ - name: orchestrator
+ description: >
+ Represents an orchestration system or orchestrator component. This includes container orchestrators like Kubernetes, Docker Swarm, and other systems responsible for automating the deployment, management, scaling, and networking of containers or workloads.
example: host
beta: This field is beta and subject to change.