From b00381e00414ed82cac274fb9c5c513c0c2b376a Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Wed, 1 Oct 2025 14:19:24 -0700
Subject: [PATCH 1/2] Clean generated doc files

---
 Makefile | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 171a965611..41532bb296 100644
--- a/Makefile
+++ b/Makefile
@@ -40,6 +40,15 @@ check_license_headers:
 .PHONY: clean
 clean:
 	rm -rf build generated/elasticsearch/composable/component experimental/generated/elasticsearch/composable/component
+	# Clean generated documentation files
+	@echo "Removing generated documentation files..."
+	@rm -f docs/reference/index.md docs/reference/ecs-field-reference.md docs/reference/ecs-otel-alignment-details.md docs/reference/ecs-otel-alignment-overview.md
+	@for schema in $$(ls schemas/*.yml 2>/dev/null | sed 's/schemas\///' | sed 's/\.yml$$//'); do \
+	if [ -f "docs/reference/ecs-$$schema.md" ]; then \
+	echo "Removing docs/reference/ecs-$$schema.md"; \
+	rm -f "docs/reference/ecs-$$schema.md"; \
+	fi; \
+	done
 
 # Build and serve the docs
 .PHONY: docs
@@ -107,7 +116,7 @@ generate: generator
 # Run the new generator
 .PHONY: generator
 generator: ve
-	$(PYTHON) scripts/generator.py --strict --include "${INCLUDE}" --subset "${SUBSETS_DIR}" --semconv-version "${SEMCONV_VERSION}" --force-docs
+	$(PYTHON) scripts/generator.py --strict $(if $(INCLUDE),--include "$(INCLUDE)") --subset "${SUBSETS_DIR}" --semconv-version "${SEMCONV_VERSION}" --force-docs
 
 # Check Makefile format.
 .PHONY: makelint

From 09b3c44dc8e2e12d1edfdfbbf0da0827284ec7b3 Mon Sep 17 00:00:00 2001
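Review bot: The new loop in the `clean` recipe derives schema names by parsing `ls` output through two `sed` calls, where a plain shell glob does the same job without word-splitting the listing and without the `2>/dev/null` workaround for an empty directory: `@for f in schemas/*.yml; do [ -f "$$f" ] && rm -f "docs/reference/ecs-$$(basename "$$f" .yml).md"; done`. The `if [ -f ... ]` guard only exists to support the informational `echo`, since `rm -f` already tolerates a missing file. The loop also only removes pages named after a top-level schema; the allowed-values pages under `docs/reference/` (the second patch in this series links `ecs-allowed-values-entity-type.md`) appear to be generator output as well and would be left in place, so they are worth either a second `rm -f` pattern or a comment stating that they are intentionally kept.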
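Review bot: The rewritten `generator` recipe mixes two variable syntaxes on one line, `$(INCLUDE)` inside the new `$(if ...)` and `${SUBSETS_DIR}`/`${SEMCONV_VERSION}` right after it; since `$(if ...)` forces the parenthesis form, the remaining references read more consistently as `$(SUBSETS_DIR)` and `$(SEMCONV_VERSION)`. `--subset` and `--semconv-version` are still passed unconditionally, so they presumably have defaults assigned earlier in the Makefile, outside this hunk; if they can be empty like `INCLUDE`, the same `$(if ...)` guard applies to them. A one-line comment above the recipe such as `# --include is only passed when INCLUDE is non-empty` would record the intent of the new conditional.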
From: Michael Wolf
Date: Wed, 1 Oct 2025 14:35:38 -0700
Subject: [PATCH 2/2] Properly generated entity files.

Properly generate entity fields in all generated files. The top-level entity files were previously not being included in the generated files. This problem was partially hidden because the `make clean` command didn't remove generated files in `docs/reference/`, so some older entity files were kept. This updates the command to clean all generated files in `docs/reference`.

---
 docs/reference/ecs-entity.md | 7 +-
 docs/reference/ecs-field-reference.md | 1 +
 docs/reference/ecs-otel-alignment-overview.md | 1 +
 experimental/generated/beats/fields.ecs.yml | 131 +++++++++
 experimental/generated/csv/fields.csv | 15 +
 experimental/generated/ecs/ecs_flat.yml | 237 +++++++++++++++
 experimental/generated/ecs/ecs_nested.yml | 273 ++++++++++++++++++
 .../composable/component/entity.json | 74 +++++
 .../elasticsearch/composable/template.json | 1 +
 .../elasticsearch/legacy/template.json | 62 ++++
 generated/beats/fields.ecs.yml | 131 +++++++++
 generated/csv/fields.csv | 15 +
 generated/ecs/ecs_flat.yml | 237 +++++++++++++++
 generated/ecs/ecs_nested.yml | 273 ++++++++++++++++++
 .../elasticsearch/composable/template.json | 1 +
 generated/elasticsearch/legacy/template.json | 62 ++++
 schemas/subsets/main.yml | 2 +
 17 files changed, 1520 insertions(+), 3 deletions(-)
 create mode 100644 experimental/generated/elasticsearch/composable/component/entity.json

diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md
index 867fbbf47c..1cbe67b082 100644
--- a/docs/reference/ecs-entity.md
+++ b/docs/reference/ecs-entity.md
@@ -17,16 +17,17 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | +| $$$field-entity-display-name$$$ [entity.display_name](#field-entity-display-name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | -| $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | +| $$$field-entity-last-seen-timestamp$$$ [entity.last_seen_timestamp](#field-entity-last-seen-timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended | | $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

example: `host` | core | +| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] diff --git a/docs/reference/ecs-field-reference.md b/docs/reference/ecs-field-reference.md index af78a1b854..e7422a011a 100644 --- a/docs/reference/ecs-field-reference.md +++ b/docs/reference/ecs-field-reference.md @@ -38,6 +38,7 @@ For a single page representation of all fields, please see the [generated CSV of | [ECS](/reference/ecs-ecs.md) | Meta-information specific to ECS. | | [ELF Header](/reference/ecs-elf.md) | These fields contain Linux Executable Linkable Format (ELF) metadata. | | [Email](/reference/ecs-email.md) | Describes an email transaction. | +| [Entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. | | [Error](/reference/ecs-error.md) | Fields about errors of any kind. | | [Event](/reference/ecs-event.md) | Fields breaking down the event details. | | [FaaS](/reference/ecs-faas.md) | Fields describing functions as a service. | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 886c26b816..0ad7c2c344 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md @@ -48,6 +48,7 @@ The following table summarizes the alignment status by namespaces between ECS in | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · | | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · | | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | | +| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · | | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · | | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · | | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | | 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index fc3f5d1f97..94f43fd2cc 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -2188,6 +2188,137 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 857bedea86..5747663bb6 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -260,6 +260,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.3.0-dev+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.3.0-dev+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.3.0-dev+exp,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev+exp,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev+exp,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,entity,entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev+exp,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev+exp,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev+exp,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev+exp,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev+exp,true,entity,entity.name,keyword,core,,,The name of the entity. +9.3.0-dev+exp,true,entity,entity.name.text,text,core,,,The name of the entity. +9.3.0-dev+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
+9.3.0-dev+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. +9.3.0-dev+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. 9.3.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.3.0-dev+exp,true,error,error.message,match_only_text,core,,,Error message. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 26ec63e227..a729af8bf5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3403,6 +3403,243 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d691da32fe..b7b97d733a 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4411,6 +4411,279 @@ email: short: Describes an email transaction. title: Email type: group +entity: + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that don't + have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + fields: + entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object + entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword + entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date + entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object + entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object + entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: The name of the entity. + type: keyword + entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object + entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword + entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword + group: 2 + name: entity + prefix: entity. + reusable: + expected: + - as: entity + at: host + full: host.entity + - as: entity + at: user + full: user.target.entity + short_override: Entity information for the targeted user. + - as: entity + at: cloud + full: cloud.target.entity + short_override: Entity information for the target cloud entity. + - as: entity + at: service + full: service.target.entity + short_override: Entity information for the target service. + top_level: true + short: Fields to describe various types of entities across IT environments. 
+ title: Entity + type: group error: description: 'These fields can represent errors of any kind. diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json new file mode 100644 index 0000000000..58ac9974e0 --- /dev/null +++ b/experimental/generated/elasticsearch/composable/component/entity.json @@ -0,0 +1,74 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", + "ecs_version": "9.3.0-dev+exp" + }, + "template": { + "mappings": { + "properties": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 34fbb14151..16133308ad 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json @@ -17,6 +17,7 @@ "ecs_9.3.0-dev-exp_dns", "ecs_9.3.0-dev-exp_ecs", "ecs_9.3.0-dev-exp_email", + "ecs_9.3.0-dev-exp_entity", "ecs_9.3.0-dev-exp_error", "ecs_9.3.0-dev-exp_event", "ecs_9.3.0-dev-exp_faas", 
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index dc8b55083f..5a87328d2e 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -1308,6 +1308,68 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4826341eee..e711ee0160 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2138,6 +2138,137 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3871df200a..efe16e96ef 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -253,6 +253,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.3.0-dev,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.3.0-dev,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.3.0-dev,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.3.0-dev,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.3.0-dev,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.3.0-dev,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.3.0-dev,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.3.0-dev,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.3.0-dev,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.3.0-dev,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.3.0-dev,true,entity,entity.name,keyword,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.name.text,text,core,,,The name of the entity. +9.3.0-dev,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.3.0-dev,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.3.0-dev,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.3.0-dev,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.3.0-dev,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.3.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. 9.3.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.3.0-dev,true,error,error.message,match_only_text,core,,,Error message. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 68c3dd6471..d5c17c5a70 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3334,6 +3334,243 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + norms: false + type: text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + norms: false + type: text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 749922c0a1..485218f3d4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4331,6 +4331,279 @@ email:
 short: Describes an email transaction.
 title: Email
 type: group
+entity:
+ description: The entity fields provide a standardized way to represent and categorize
+ different types of components within an IT environment, including those that don't
+ have dedicated field sets in ECS. An entity represents a discrete, identifiable
+ component that can be described by a set of attributes and maintains its identity
+ over time.
+ fields:
+ entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: entity.display_name.text
+ name: text
+ norms: false
+ type: text
+ name: display_name
+ normalize: []
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ entity.id:
+ dashed_name: entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ short: Unique identifier for the entity.
+ type: keyword
+ entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ short: A set of temporal characteristics of the entity.
+ type: object
+ entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: entity.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ short: The name of the entity.
+ type: keyword
+ entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ short: Original, unmodified fields from the source system.
+ type: object
+ entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ group: 2
+ name: entity
+ prefix: entity.
+ reusable:
+ expected:
+ - as: entity
+ at: host
+ full: host.entity
+ - as: entity
+ at: user
+ full: user.target.entity
+ short_override: Entity information for the targeted user.
+ - as: entity
+ at: cloud
+ full: cloud.target.entity
+ short_override: Entity information for the target cloud entity.
+ - as: entity
+ at: service
+ full: service.target.entity
+ short_override: Entity information for the target service.
+ top_level: true
+ short: Fields to describe various types of entities across IT environments.
+ title: Entity
+ type: group
 error:
 description: 'These fields can represent errors of any kind.
diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json
index ce90e997d0..b9692c0857 100644
--- a/generated/elasticsearch/composable/template.json
+++ b/generated/elasticsearch/composable/template.json
@@ -16,6 +16,7 @@
 "ecs_9.3.0-dev_dns",
 "ecs_9.3.0-dev_ecs",
 "ecs_9.3.0-dev_email",
+ "ecs_9.3.0-dev_entity",
 "ecs_9.3.0-dev_error",
 "ecs_9.3.0-dev_event",
 "ecs_9.3.0-dev_faas",
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index cb2dbd54ed..9581e19c52 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -1266,6 +1266,68 @@
 }
 }
 },
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "error": {
 "properties": {
 "code": {
diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml
index b28783c4be..951c896c81 100644
--- a/schemas/subsets/main.yml
+++ b/schemas/subsets/main.yml
@@ -135,6 +135,8 @@ fields:
 fields: "*"
 email:
 fields: "*"
+ entity:
+ fields: "*"
 error:
 fields: "*"
 event:
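Review bot: Now that this hunk pulls the entity field set into the main subset with `fields: "*"`, the schema's descriptions ship verbatim in every generated artifact, and the `entity.name` description emitted into generated/ecs/ecs_nested.yml in this same commit reads "this field should mirrors the corresponding *.name value". That wording belongs to the entity schema source, which is not part of this diff, so the fix is to change the sentence there to `this field should mirror the corresponding *.name value` and rerun the generator so all artifacts pick it up. The new subset entry sits between `email` and `error`, which keeps the alphabetical order the surrounding entries follow.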