Merged
Changes from 5 commits
9 changes: 9 additions & 0 deletions docs/reference/ecs-allowed-values-entity-type.md
Expand Up @@ -27,6 +27,8 @@ This field is an array. This allows proper categorization of entities that may f
* [service](#ecs-entity-type-service)
* [session](#ecs-entity-type-session)
* [user](#ecs-entity-type-user)
* [cloud](#ecs-entity-type-cloud)
* [orchestrator](#ecs-entity-type-orchestrator)


## application [ecs-entity-type-application]
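Review bot: The two new entries, `cloud` and `orchestrator`, are appended after `user` at the end of the list, while the visible entries before them (`service`, `session`, `user`) are in alphabetical order. Consider inserting each at its alphabetical position so the index stays easy to scan, and ordering the corresponding sections further down the page the same way.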
Expand Down Expand Up @@ -78,3 +80,10 @@ Represents a user session or connection session. This includes user login sessio

Represents a user account or identity. This includes human users, service accounts, system accounts, and other identity entities that can interact with systems, applications, or services. Users may have various roles, permissions, and attributes associated with their identity.


## cloud [ecs-entity-type-cloud]
Represents a cloud or infrastructure. This includes cloud providers and their services (such as AWS EC2), and is used to identify or correlate resources, entities, and activities across accounts or multi-cloud environments.


## orchestrator [ecs-entity-type-orchestrator]
Represents an orchestration system or orchestrator component. This includes container orchestrators like Kubernetes, Docker Swarm, and other systems responsible for automating the deployment, management, scaling, and networking of containers or workloads.
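Review bot: The `cloud` definition, "Represents a cloud or infrastructure", does not say what kind of thing qualifies, and its example "AWS EC2" is a compute service rather than a provider, which blurs the line with entities that would be typed `host`. Suggest stating explicitly whether the value applies to a provider, an account, a region or an individual service, with an example for each case it covers. Both new sections also put the description directly under the heading, whereas the `user` description in the context lines is preceded by a blank line.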
12 changes: 10 additions & 2 deletions docs/reference/ecs-entity.md
Expand Up @@ -27,16 +27,24 @@ The entity fields provide a standardized way to represent and categorize differe
| $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.<br><br>type: keyword | extended |
| $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).<br><br>type: keyword | core |
| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.<br><br>type: keyword<br><br>example: `aws_s3_bucket` | extended |
| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.<br><br>type: keyword<br><br>Note: This field should contain an array of values.<br><br>**Important:** The field value must be one of the following:<br><br>bucket, database, container, function, queue, host, user, application, service, session<br><br>To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)<br> | core |
| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, its type array should include the matching value — for example, `host` or `cloud`.<br><br>type: keyword<br><br>Note: This field should contain an array of values.<br><br>**Important:** The field value must be one of the following:<br><br>bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator<br><br>To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)<br> | core |

## Field reuse [_field_reuse]

The `entity` fields are expected to be nested at:

* `cloud.entity`
* `entity.target`
* `host.entity`
* `orchestrator.entity`
* `service.entity`
* `user.entity`

Note also that the `entity` fields are not expected to be used directly at the root of the events.
Note also that the `entity` fields may be used directly at the root of the events.


### Field sets that can be nested under Entity [ecs-entity-nestings]

| Location | Field Set | Description |
| --- | --- | --- |
| `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. |
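Review bot: The root-usage sentence is inverted from "are not expected to be used directly at the root" to "may be used directly at the root", but nothing here tells a producer when to choose the root over `host.entity`, `cloud.entity` or the other reuse locations, so consumers and detection rules can no longer assume a single place to query. Suggest adding a sentence on when root-level `entity.*` is appropriate. In the `entity.type` row, the new nesting sentence names only `host` and `cloud` and then repeats them as its example; it should say whether the same rule applies under `orchestrator.entity`, `service.entity` and `user.entity`, where `orchestrator`, `service` and `user` are also allowed values.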