diff --git a/docs/reference/ecs-cloud.md b/docs/reference/ecs-cloud.md
index fcd5448d1d..95c2dab056 100644
--- a/docs/reference/ecs-cloud.md
+++ b/docs/reference/ecs-cloud.md
@@ -41,9 +41,9 @@ Note also that the `cloud` fields may be used directly at the root of the events
| Location | Field Set | Description |
| --- | --- | --- |
+| `cloud.entity.*` | [entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. |
| `cloud.origin.*` | [cloud](/reference/ecs-cloud.md) | Provides the cloud information of the origin entity in case of an incoming request or event. |
| `cloud.target.*` | [cloud](/reference/ecs-cloud.md) | Provides the cloud information of the target entity in case of an outgoing request or event. |
-| `cloud.target.entity.*` | [entity](/reference/ecs-entity.md) | Entity information for the target cloud entity. |
### Cloud field usage [_cloud_field_usage]
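Review bot: dropping the `cloud.target.entity.*` row while adding `cloud.entity.*` moves the entity nesting without saying so; anyone already writing `cloud.target.entity.id` sees a table that simply no longer lists that path. Suggest one sentence near the table stating that entity information is now nested at `cloud.entity` rather than `cloud.target.entity`, and a location-specific description for the new row in the style of its neighbours (for example `Entity information for the cloud resource.`) instead of the field set's generic summary.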
diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md
index 4782b6b6a3..369e9b88d0 100644
--- a/docs/reference/ecs-entity.md
+++ b/docs/reference/ecs-entity.md
@@ -33,9 +33,10 @@ The entity fields provide a standardized way to represent and categorize differe
The `entity` fields are expected to be nested at:
-* `cloud.target.entity`
+* `cloud.entity`
* `host.entity`
-* `service.target.entity`
-* `user.target.entity`
+* `orchestrator.entity`
+* `service.entity`
+* `user.entity`
Note also that the `entity` fields are not expected to be used directly at the root of the events.
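Review bot: the list now names only the five direct nesting locations, but the generated `fields.ecs.yml` hunks further down also add `origin.entity.*` blocks under what the context lines show to be the `cloud` and `service` groups, so `cloud.origin.entity` and `service.origin.entity` exist as well. Either list those too or add a sentence after `user.entity` explaining that `entity` also appears wherever its parent field set is itself reused (for example `cloud.origin`, `service.origin`), so readers are not surprised by those paths in generated mappings.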
diff --git a/docs/reference/ecs-orchestrator.md b/docs/reference/ecs-orchestrator.md
index b0fd976826..3796e7dbe4 100644
--- a/docs/reference/ecs-orchestrator.md
+++ b/docs/reference/ecs-orchestrator.md
@@ -32,3 +32,8 @@ Fields that describe the resources which container orchestrators manage or act u
| $$$field-orchestrator-type$$$ [orchestrator.type](#field-orchestrator-type) | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
type: keyword
example: `kubernetes` | extended |
+### Field sets that can be nested under Orchestrator [ecs-orchestrator-nestings]
+
+| Location | Field Set | Description |
+| --- | --- | --- |
+| `orchestrator.entity.*` | [entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. |
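Review bot: the heading anchor `[ecs-orchestrator-nestings]` needs to follow the same id convention the other reference pages use for their nesting sections so that cross-links resolve; those ids are not visible in this diff, so please double-check. The description column again repeats the field set's generic summary; a location-specific line such as `Entity information for the orchestrator resource.` would be more useful to readers of this page.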
diff --git a/docs/reference/ecs-service.md b/docs/reference/ecs-service.md
index 5e8de6b3b3..55ce299f17 100644
--- a/docs/reference/ecs-service.md
+++ b/docs/reference/ecs-service.md
@@ -43,9 +43,9 @@ Note also that the `service` fields may be used directly at the root of the even
| Location | Field Set | Description |
| --- | --- | --- |
+| `service.entity.*` | [entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. |
| `service.origin.*` | [service](/reference/ecs-service.md) | _Reusing the `service` fields in this location is currently considered beta._ Describes the origin service in case of an incoming request or event. |
| `service.target.*` | [service](/reference/ecs-service.md) | _Reusing the `service` fields in this location is currently considered beta._ Describes the target service in case of an outgoing request or event. |
-| `service.target.entity.*` | [entity](/reference/ecs-entity.md) | Entity information for the target service. |
### Service field usage [_service_field_usage]
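Review bot: `service.origin.*` and `service.target.*` both carry the italic beta marker but the new `service.entity.*` row does not; confirm whether nesting `entity` under `service` is GA and, if not, copy the same `_Reusing ... is currently considered beta._` prefix into its description. As on the cloud page, the removed `service.target.entity.*` row disappears silently; a short note that the location moved to `service.entity` would help anyone migrating mappings.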
diff --git a/docs/reference/ecs-user.md b/docs/reference/ecs-user.md
index a41536bc58..acd48d348e 100644
--- a/docs/reference/ecs-user.md
+++ b/docs/reference/ecs-user.md
@@ -50,10 +50,10 @@ Note also that the `user` fields may be used directly at the root of the events.
| --- | --- | --- |
| `user.changes.*` | [user](/reference/ecs-user.md) | Captures changes made to a user. |
| `user.effective.*` | [user](/reference/ecs-user.md) | User whose privileges were assumed. |
+| `user.entity.*` | [entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. |
| `user.group.*` | [group](/reference/ecs-group.md) | User's group relevant to the event. |
| `user.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. |
| `user.target.*` | [user](/reference/ecs-user.md) | Targeted user of action taken. |
-| `user.target.entity.*` | [entity](/reference/ecs-entity.md) | Entity information for the targeted user. |
### User field usage [_user_field_usage]
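Review bot: replacing `user.target.entity.*` with `user.entity.*` matches the new nesting list on the entity page, but the row's description loses the specificity the removed row had (`Entity information for the targeted user.`); `Entity information for the user.` would keep the table's style, and a one-line migration note for the removed path would save readers from assuming it was an oversight.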
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 1e68f9585a..33eca12f35 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -510,6 +510,124 @@
ignore_above: 1024
description: Availability zone in which this host, resource, or service is located.
example: us-east-1c
+ - name: entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: instance.id
level: extended
type: keyword
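Review bot: several wording defects in the copied descriptions should be fixed in the schema source this file is generated from, since they recur in every nesting in this diff: `this field should mirrors the corresponding *.name value` under `entity.name` should read `should mirror`; `ARNs values in AWS` under `entity.id` should be `ARN values in AWS`; and the `entity.sub_type` example list has stray spaces before its commas (`` `hardware` , `virtual` , `container` , ``).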
@@ -554,6 +672,124 @@
description: Availability zone in which this host, resource, or service is located.
example: us-east-1c
default_field: false
+ - name: origin.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: origin.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: origin.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: origin.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: origin.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: origin.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: origin.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: origin.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: origin.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: origin.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: origin.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: origin.instance.id
level: extended
type: keyword
@@ -2186,147 +2422,18 @@
original email message.
example: Spambot v2.5
default_field: false
- - name: entity
- title: Entity
+ - name: error
+ title: Error
group: 2
- description: The entity fields provide a standardized way to represent and categorize
- different types of components within an IT environment, including those that
- don't have dedicated field sets in ECS. An entity represents a discrete, identifiable
- component that can be described by a set of attributes and maintains its identity
- over time.
+ description: 'These fields can represent errors of any kind.
+
+ Use them for errors that happen while fetching events or in cases where the
+ event itself contains an error.'
type: group
default_field: true
fields:
- - name: attributes
- level: extended
- type: object
- description: A set of static or semi-static attributes of the entity. Usually
- boolean or keyword field data types. Use this field set when you need to track
- static or semi-static characteristics of an entity for advanced searching
- and correlation of normalized values across different providers/sources and
- entity types.
- default_field: false
- - name: behavior
- level: extended
- type: object
- description: A set of ephemeral characteristics of the entity, derived from
- observed behaviors during a specific time period. Usually boolean field data
- type. Use this field set when you need to capture and track ephemeral characteristics
- of an entity for advanced searching, correlation of normalized values across
- different providers/sources and entity types.
- default_field: false
- - name: display_name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: An optional field used when a pretty name is desired for entity-centric
- operations. This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- default_field: false
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'A unique identifier for the entity. When multiple identifiers
- exist, this should be the most stable and commonly used identifier that: 1)
- persists across the entity''s lifecycle, 2) ensures uniqueness within its
- scope, 3) is commonly used for queries and correlation, and 4) is readily
- available in most observations (logs/events). For entities with dedicated
- field sets (e.g., host, user), this value should match the corresponding *.id
- field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
- in the raw field.'
- default_field: false
- - name: last_seen_timestamp
- level: extended
- type: date
- description: Indicates the date/time when this entity was last "seen," usually
- based upon the last event/log that is initiated by this entity.
- default_field: false
- - name: lifecycle
- level: extended
- type: object
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- default_field: false
- - name: metrics
- level: extended
- type: object
- description: Field set for any fields containing numeric entity metrics. These
- use dynamic field data type mapping.
- default_field: false
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: The name of the entity. The keyword field enables exact matches
- for filtering and aggregations, while the text field enables full-text search.
- For entities with dedicated field sets (e.g., `host`), this field should mirrors
- the corresponding *.name value.
- default_field: false
- - name: raw
- level: extended
- type: object
- description: Original, unmodified fields from the source system. Usually flattened
- field data type. While the attributes field should be used for normalized
- fields requiring advanced queries, this field preserves all source metadata
- with basic search capabilities.
- default_field: false
- - name: reference
- level: extended
- type: keyword
- ignore_above: 1024
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- default_field: false
- - name: source
- level: core
- type: keyword
- ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
- default_field: false
- - name: sub_type
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The specific type designation for the entity as defined by its
- provider or system. This field provides more granular classification than
- the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
- would all map to entity type `bucket`. `hardware` , `virtual` , `container`
- , `node` , `cloud_instance` would all map to entity type `host`.'
- example: aws_s3_bucket
- default_field: false
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'A standardized high-level classification of the entity. This provides
- a normalized way to group similar entities across different providers or systems.
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
- example: host
- default_field: false
- - name: error
- title: Error
- group: 2
- description: 'These fields can represent errors of any kind.
-
- Use them for errors that happen while fetching events or in cases where the
- event itself contains an error.'
- type: group
- default_field: true
- fields:
- - name: code
- level: core
+ - name: code
+ level: core
type: keyword
ignore_above: 1024
description: Error code describing the error.
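Review bot: removing the standalone `entity` group brings the generated file in line with the entity page's statement that `entity` fields are not expected at the root, which is good; however the `error` group header and its first `code` field are shown as removed and re-added with no visible content change, so please confirm this is only diff alignment against the deleted block and not an indentation change introduced by hand into a generated file.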
@@ -5221,6 +5328,124 @@
ignore_above: 1024
description: The version of the cluster.
default_field: false
+ - name: entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: namespace
level: extended
type: keyword
@@ -9051,30 +9276,148 @@
path (sockets).'
example: 172.26.0.2:5432
default_field: false
- - name: environment
+ - name: entity.attributes
level: extended
- type: keyword
- ignore_above: 1024
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA,
- development, etc.), the environment can identify other instances of the same
- service. Can also group services and applications from the same environment.'
- example: production
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
default_field: false
- - name: ephemeral_id
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
level: extended
type: keyword
ignore_above: 1024
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- - name: id
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
level: core
type: keyword
ignore_above: 1024
- description: 'Unique identifier of the running service. If the service is comprised
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: environment
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA,
+ development, etc.), the environment can identify other instances of the same
+ service. Can also group services and applications from the same environment.'
+ example: production
+ default_field: false
+ - name: ephemeral_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate
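Review bot: the `entity.name` description at the top of this hunk reads "this field should mirrors the corresponding *.name value"; it should be "should mirror". The same sentence is copied verbatim into every nesting of the entity field set in this patch, so the fix belongs in the schema definition the generator reads, not in this generated file. Two smaller points in the same region: `entity.raw` is described as "Usually flattened field data type" while it is mapped as `type: object`, so either state that the mapping is object and the flattened usage is a convention, or change the type; and the `entity.sub_type` examples carry stray spaces around the commas (`` `hardware` , `virtual` , `container` ``), which will render oddly in the published docs.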
@@ -9163,6 +9506,124 @@
path (sockets).'
example: 172.26.0.2:5432
default_field: false
+ - name: origin.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: origin.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: origin.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: origin.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: origin.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: origin.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: origin.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: origin.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: origin.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: origin.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: origin.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: origin.environment
level: extended
type: keyword
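Review bot: `origin.entity.id` in this hunk says "Alternative identifiers (e.g., ARNs values in AWS, URLs)"; that should read "ARN values". More substantively, the same description tells producers that for entities with dedicated field sets the value "should match the corresponding *.id field", which for this nesting means `service.origin.entity.id` must equal `service.origin.id`. Nothing in the mapping enforces that, so the description should say which field is authoritative when they disagree, or that ingest pipelines are expected to copy one into the other; otherwise rules that join on `entity.id` silently miss events where only `service.origin.id` was populated.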
@@ -13996,31 +14457,149 @@
ignore_above: 1024
description: User email address.
default_field: false
- - name: changes.full_name
+ - name: changes.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: changes.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: changes.entity.display_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
- description: User's full name, if available.
- example: Albert Einstein
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
default_field: false
- - name: changes.group.domain
- level: extended
+ - name: changes.entity.id
+ level: core
type: keyword
ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
default_field: false
- - name: changes.group.id
+ - name: changes.entity.last_seen_timestamp
level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: changes.group.name
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: changes.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: changes.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: changes.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: changes.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: changes.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: changes.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: changes.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: changes.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: changes.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: changes.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: changes.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: changes.group.name
level: extended
type: keyword
ignore_above: 1024
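Review bot: most of this hunk is churn rather than change: `changes.full_name`, `changes.group.domain`, `changes.group.id` and `changes.group.name` are removed at the top and re-added at the bottom so that the new `changes.entity.*` block lands in sorted position. The removed and re-added blocks match line for line (same level, type, ignore_above, description, example and default_field), so the net change is only the insertion of `changes.entity.*`. Worth stating that in the PR description so other reviewers do not go looking for a behavioural change in the user group fields that is not there.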
@@ -14053,6 +14632,52 @@
description: Short name or login of the user.
example: a.einstein
default_field: false
+ - name: changes.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: changes.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: changes.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: changes.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: changes.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: changes.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: changes.roles
level: extended
type: keyword
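Review bot: `changes.risk.*` is new in this hunk but is unrelated to the entity nesting the rest of the patch is about; it looks like a side effect of whatever change now propagates field sets reused under `user` into the `user.changes`, `user.effective` and `user.target` self-nestings. If that is intended, it needs a changelog entry of its own, since it adds six mapped fields per self-nesting. Also, the `*_score_norm` descriptions promise "a range of 0 to 100" but the type is a plain `float`; that range is a producer contract, not a mapping constraint, so the description should say the value is "expected to be" normalized, and rule authors should not assume the bound holds for externally supplied `static_score_norm`.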
@@ -14081,6 +14706,124 @@
ignore_above: 1024
description: User email address.
default_field: false
+ - name: effective.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: effective.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: effective.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: effective.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: effective.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: effective.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: effective.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: effective.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: effective.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: effective.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: effective.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: effective.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: effective.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: effective.full_name
level: extended
type: keyword
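Review bot: the `effective.entity.last_seen_timestamp` description in this hunk is copied unchanged from the top-level definition: "usually based upon the last event/log that is initiated by this entity". Under `user.effective` (and likewise `user.changes` and `user.target`) the nested entity is the object of the action, not its initiator, so the sentence contradicts the nesting it sits in. Suggest wording such as "the last event/log in which this entity was observed" in the source definition, which reads correctly for every nesting the generator emits.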
@@ -14138,6 +14881,52 @@
description: Short name or login of the user.
example: a.einstein
default_field: false
+ - name: effective.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: effective.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: effective.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: effective.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: effective.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: effective.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: effective.roles
level: extended
type: keyword
@@ -14150,6 +14939,124 @@
type: keyword
ignore_above: 1024
description: User email address.
+ - name: entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: full_name
level: extended
type: keyword
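Review bot: with `entity.*` now nested directly under `user`, `entity.id` and `entity.name` are documented as having to match `user.id` and `user.name` ("this value should match the corresponding *.id field"), but `entity.source` is described only as "The module or integration that provided this entity data (similar to event.module)". For the user nesting that is ambiguous: is `user.entity.source` the integration that observed the user (the same thing as `event.module`) or the identity provider that owns the user record? Those differ for a directory-sync source versus an authentication log, and correlating `user.entity.id` across the two depends on the answer. One clarifying sentence in the source description would settle it.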
@@ -14444,6 +15351,52 @@
description: Short name or login of the user.
example: a.einstein
default_field: false
+ - name: target.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: target.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: target.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: target.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: target.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: target.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: target.roles
level: extended
type: keyword
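Review bot: this hunk adds `target.risk.*` but, unlike the `changes` and `effective` self-nestings earlier in this file, no `target.entity.*` block is added for `user.target`. If the entity field set is meant to propagate into all three self-nestings, `user.target.entity.*` is missing here; if it is deliberately excluded, the asymmetry should be called out in the PR, because `user.target` is exactly the nesting detection content uses for the account being acted on (password resets, group membership changes, privilege grants).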
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 078c592f4b..86ccc71278 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -57,12 +57,42 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
9.2.0+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
9.2.0+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+9.2.0+exp,true,cloud,cloud.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,cloud,cloud.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,cloud,cloud.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,cloud,cloud.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,cloud,cloud.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,cloud,cloud.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,cloud,cloud.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,cloud,cloud.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,cloud,cloud.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,cloud,cloud.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
9.2.0+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
9.2.0+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
9.2.0+exp,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
9.2.0+exp,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
9.2.0+exp,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+9.2.0+exp,true,cloud,cloud.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,cloud,cloud.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,cloud,cloud.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,cloud,cloud.origin.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,cloud,cloud.origin.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,cloud,cloud.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,cloud,cloud.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,cloud,cloud.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,cloud,cloud.origin.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,cloud,cloud.origin.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
9.2.0+exp,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine.
9.2.0+exp,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
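Review bot: the example pair on the added `cloud.entity.sub_type` / `cloud.entity.type` rows (and the identical pair under `cloud.origin.entity.*`) is self-contradictory: `sub_type` shows `aws_s3_bucket` while `type` shows `host`, yet the `sub_type` description in the generated YAML later in this diff states that `aws_s3_bucket` maps to entity type `bucket` and that `cloud_instance` is the sub_type mapping to `host`. Since these rows are generated, fix the examples in the entity field-set source so the regenerated CSV shows a coherent pair (`aws_s3_bucket` with `bucket`, or `cloud_instance` with `host`). Separately, the hunk emits `cloud.origin.entity.*` as a consequence of nesting `entity` under `cloud` and then reusing `cloud` at `cloud.origin`; the nesting-location list in the entity docs names only `cloud.entity`, so add a sentence that the entity fields also surface wherever `cloud` is itself reused, otherwise readers will not expect these rows.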
@@ -260,21 +290,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
9.2.0+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient
9.2.0+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
-9.2.0+exp,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.2.0+exp,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.2.0+exp,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.2.0+exp,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.2.0+exp,true,entity,entity.id,keyword,core,,,Unique identifier for the entity.
-9.2.0+exp,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.2.0+exp,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.2.0+exp,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.2.0+exp,true,entity,entity.name,keyword,core,,,The name of the entity.
-9.2.0+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity.
-9.2.0+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.2.0+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.2.0+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.2.0+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.2.0+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,error,error.code,keyword,core,,,Error code describing the error.
9.2.0+exp,true,error,error.id,keyword,core,,,Unique identifier for the error.
9.2.0+exp,true,error,error.message,match_only_text,core,,,Error message.
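Review bot: deleting every root-level `entity.*` row is a breaking change for anyone who already indexed the experimental schema with `entity.id`, `entity.type` or `entity.name` at the event root, and the diff gives no migration hint beyond the deletion itself. The changelog entry for this change should state explicitly that root `entity.*` is removed and name the nested locations that replace it (`cloud.entity`, `orchestrator.entity`, `service.entity`, `user.entity`), so a consumer can map old root fields to the new paths without reading the generator output.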
@@ -645,6 +660,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
9.2.0+exp,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
9.2.0+exp,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
+9.2.0+exp,true,orchestrator,orchestrator.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,orchestrator,orchestrator.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,orchestrator,orchestrator.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,orchestrator,orchestrator.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,orchestrator,orchestrator.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,orchestrator,orchestrator.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,orchestrator,orchestrator.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,orchestrator,orchestrator.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,orchestrator,orchestrator.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,orchestrator,orchestrator.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
9.2.0+exp,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
9.2.0+exp,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource.
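Review bot: the `orchestrator.entity.id` row inherits the entity description which requires the value to match the "corresponding *.id field" for field sets with dedicated identifiers, but `orchestrator` has no single `orchestrator.id`; its identifiers are split between `orchestrator.cluster.*` and `orchestrator.resource.*` (the context rows here show `orchestrator.cluster.name`, `orchestrator.cluster.url`, `orchestrator.cluster.version` and `orchestrator.resource.annotation`). The orchestrator docs should say which of the two the nested entity represents (the cluster, or the managed resource) and which id `orchestrator.entity.id` is expected to mirror; as generated, the nesting is ambiguous and two integrations could populate it differently. The inherited examples (`sub_type` `aws_s3_bucket`, `type` `host`) also read oddly under an orchestrator; if reuse cannot override examples, consider a neutral pair in the entity source.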
@@ -1161,6 +1191,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
9.2.0+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0+exp,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+9.2.0+exp,true,service,service.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,service,service.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,service,service.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,service,service.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,service,service.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,service,service.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,service,service.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,service,service.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,service,service.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,service,service.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,service,service.environment,keyword,extended,,production,Environment of the service.
9.2.0+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
9.2.0+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
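Review bot: `service.entity.id` needs a stated relationship to the two existing service identifiers in the surrounding context rows, `service.id` ("Unique identifier of the running service", example `d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6`) and `service.ephemeral_id` ("Ephemeral identifier of this service", example `8a4f500f`). The inherited entity description requires an identifier that persists across the entity's lifecycle, which rules out `service.ephemeral_id`; the service docs should say that `service.entity.id` mirrors `service.id`, otherwise an integration could populate it from the ephemeral id and break entity correlation across restarts.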
@@ -1169,6 +1214,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
9.2.0+exp,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
9.2.0+exp,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+9.2.0+exp,true,service,service.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,service,service.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,service,service.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,service,service.origin.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,service,service.origin.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,service,service.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,service,service.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,service,service.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,service,service.origin.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,service,service.origin.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
9.2.0+exp,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
9.2.0+exp,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
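Review bot: `service.origin.entity.*` appears here purely because `entity` is nested under `service` and `service` is itself reused at `service.origin`; the entity docs list only `service.entity` as a nesting location. Either document that the entity fields propagate to every place `service` is reused (`service.origin` in this hunk, and any other `service` reuse point) or, if nesting at those points is not wanted, say so in the PR description so the generated rows are a known consequence rather than a surprise to schema consumers.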
@@ -1793,6 +1853,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,url,url.username,keyword,extended,,,Username of the request.
9.2.0+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
9.2.0+exp,true,user,user.changes.email,keyword,extended,,,User email address.
+9.2.0+exp,true,user,user.changes.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,user,user.changes.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,user,user.changes.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,user,user.changes.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,user,user.changes.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,user,user.changes.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,user,user.changes.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,user,user.changes.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,user,user.changes.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,user,user.changes.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
9.2.0+exp,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.2.0+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
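Review bot: `user.changes.entity.*` is the most questionable of the transitive nestings: `user.changes` holds the modified attributes of a user in an account-change event, not a separate entity, so rows such as `user.changes.entity.last_seen_timestamp` or `user.changes.entity.behavior` have no obvious meaning. Please state whether populating entity metadata under `user.changes` is intended; if it is only a generator side effect, note that in the docs so integrations do not start filling it.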
@@ -1802,10 +1877,31 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.2.0+exp,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
9.2.0+exp,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.2.0+exp,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0+exp,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0+exp,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.2.0+exp,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0+exp,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0+exp,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.2.0+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
9.2.0+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
9.2.0+exp,true,user,user.effective.email,keyword,extended,,,User email address.
+9.2.0+exp,true,user,user.effective.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,user,user.effective.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,user,user.effective.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,user,user.effective.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,user,user.effective.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,user,user.effective.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,user,user.effective.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,user,user.effective.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,user,user.effective.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,user,user.effective.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
9.2.0+exp,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.2.0+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
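Review bot: this hunk adds six `user.changes.risk.*` rows that have nothing to do with entity nesting, which is the subject of the rest of the diff; either the generated artifacts were stale before this change and are being refreshed here, or the change alters how the `risk` reuse propagates. Confirm which, and either split the risk rows into their own commit or mention them in the PR description, because a reader of the CSV diff cannot tell from the rows alone whether `user.changes.risk.*` is a deliberate schema addition.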
@@ -1815,8 +1911,29 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.2.0+exp,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
9.2.0+exp,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.2.0+exp,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0+exp,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0+exp,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.2.0+exp,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0+exp,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0+exp,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.2.0+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0+exp,true,user,user.email,keyword,extended,,,User email address.
+9.2.0+exp,true,user,user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0+exp,true,user,user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0+exp,true,user,user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,user,user.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0+exp,true,user,user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0+exp,true,user,user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0+exp,true,user,user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0+exp,true,user,user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0+exp,true,user,user.entity.name,keyword,core,,,The name of the entity.
+9.2.0+exp,true,user,user.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0+exp,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0+exp,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0+exp,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0+exp,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0+exp,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0+exp,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
9.2.0+exp,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.2.0+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
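Review bot: `user.entity.id` should be documented as mirroring `user.id` (the context rows show the SID-style example `S-1-5-21-202424912787-2692429404-2351956786-1000` for `user.effective.id` and `user.changes.id`), since the inherited entity description says the value should match the corresponding `*.id` field; `user.entity.name` likewise should mirror `user.name`, not `user.full_name`. The user docs should spell both out, as the rows here carry the generic entity descriptions and the `host`/`aws_s3_bucket` examples, which give no hint that a user entity is expected.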
@@ -1859,6 +1976,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.2.0+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
9.2.0+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.2.0+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0+exp,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0+exp,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.2.0+exp,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0+exp,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0+exp,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.2.0+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
9.2.0+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
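Review bot: the `*.risk.calculated_score_norm` and `*.risk.static_score_norm` descriptions ("A normalized risk score calculated by an internal system", "... by an external system") never state the normalization range; the examples (`88.73` next to `880.73`, `83.0` next to `830.0`) imply a 0 to 100 scale, but a consumer comparing scores across sources should not have to infer that from example values. Add the range to the description in the risk field-set source so all three generated copies (`user.changes.risk`, `user.effective.risk`, `user.target.risk`) say it.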
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 82935b7df5..3bef32b802 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -697,6 +697,254 @@ cloud.availability_zone:
stability: development
short: Availability zone in which this host, resource, or service is located.
type: keyword
+cloud.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: cloud.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+cloud.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: cloud.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+cloud.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: cloud.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+cloud.entity.id:
+ dashed_name: cloud-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: cloud.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+cloud.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: cloud.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+cloud.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+cloud.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: cloud.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+cloud.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: cloud.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+cloud.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: cloud.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+cloud.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+cloud.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: cloud.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+cloud.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+cloud.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
cloud.instance.id:
dashed_name: cloud-instance-id
description: Instance ID of the host machine.
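Review bot: the `cloud.entity.name` description in this hunk carries a grammar error, `this field should mirrors the corresponding *.name value`, and since every entry here is stamped `original_fieldset: entity` this text is generated from the entity schema, so the fix (`should mirror`) belongs in the source entity field definition followed by a regenerate, not in this file. One more thing to confirm in the same hunk: `cloud.entity.type` is array-normalized (`normalize:` / `- array`) while `cloud.entity.sub_type` has `normalize: []`; an entity that legitimately carries several `type` values would normally carry several `sub_type` values too, so either both should allow arrays or the `sub_type` description should say why it is single-valued.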
@@ -771,37 +1019,285 @@ cloud.origin.availability_zone:
original_fieldset: cloud
short: Availability zone in which this host, resource, or service is located.
type: keyword
-cloud.origin.instance.id:
- dashed_name: cloud-origin-instance-id
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- flat_name: cloud.origin.instance.id
- ignore_above: 1024
+cloud.origin.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: cloud.origin.entity.attributes
level: extended
- name: instance.id
+ name: attributes
normalize: []
- original_fieldset: cloud
- short: Instance ID of the host machine.
- type: keyword
-cloud.origin.instance.name:
- dashed_name: cloud-origin-instance-name
- description: Instance name of the host machine.
- flat_name: cloud.origin.instance.name
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+cloud.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: cloud.origin.entity.behavior
level: extended
- name: instance.name
+ name: behavior
normalize: []
- original_fieldset: cloud
- short: Instance name of the host machine.
- type: keyword
-cloud.origin.machine.type:
- dashed_name: cloud-origin-machine-type
- description: Machine type of the host machine.
- example: t2.medium
- flat_name: cloud.origin.machine.type
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+cloud.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.origin.entity.display_name
ignore_above: 1024
level: extended
- name: machine.type
+ multi_fields:
+ - flat_name: cloud.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+cloud.origin.entity.id:
+ dashed_name: cloud-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: cloud.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+cloud.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: cloud.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+cloud.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+cloud.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: cloud.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+cloud.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: cloud.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+cloud.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: cloud.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+cloud.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+cloud.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: cloud.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+cloud.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+cloud.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+cloud.origin.instance.id:
+ dashed_name: cloud-origin-instance-id
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ flat_name: cloud.origin.instance.id
+ ignore_above: 1024
+ level: extended
+ name: instance.id
+ normalize: []
+ original_fieldset: cloud
+ short: Instance ID of the host machine.
+ type: keyword
+cloud.origin.instance.name:
+ dashed_name: cloud-origin-instance-name
+ description: Instance name of the host machine.
+ flat_name: cloud.origin.instance.name
+ ignore_above: 1024
+ level: extended
+ name: instance.name
+ normalize: []
+ original_fieldset: cloud
+ short: Instance name of the host machine.
+ type: keyword
+cloud.origin.machine.type:
+ dashed_name: cloud-origin-machine-type
+ description: Machine type of the host machine.
+ example: t2.medium
+ flat_name: cloud.origin.machine.type
+ ignore_above: 1024
+ level: extended
+ name: machine.type
normalize: []
original_fieldset: cloud
short: Machine type of the host machine.
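Review bot: `cloud.origin.entity.id` is the only `cloud.origin.entity.*` field in this hunk without a `beta: This field is beta and subject to change.` marker; if the whole nested entity set is beta, `id` should carry the same marker so tooling that filters on `beta` does not treat it as stable, and if `id` is intentionally exempt, the set's description should say so. Two smaller points in the same hunk: the `cloud.origin.entity.id` description has `ARNs values in AWS` (should be `ARN values`) and the `cloud.origin.entity.name` description repeats the `should mirrors` typo; both need fixing in the entity source schema before regenerating. Finally, `cloud.origin.entity.*` appears here only because `cloud.origin` reuses the `cloud` field set, which now nests `entity`; confirm that this transitive nesting is intended (the entity at a request's origin is a different thing from the event's own cloud entity) and, if it is, that it is called out wherever the expected `entity` nesting locations are documented. The `cloud.origin.instance.*` and `cloud.origin.machine.type` removals and re-additions are unchanged reorderings and need no action.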
@@ -3406,260 +3902,25 @@ email.x_mailer:
normalize: []
short: Application that drafted email.
type: keyword
-entity.attributes:
- beta: This field is beta and subject to change.
- dashed_name: entity-attributes
- description: A set of static or semi-static attributes of the entity. Usually boolean
- or keyword field data types. Use this field set when you need to track static
- or semi-static characteristics of an entity for advanced searching and correlation
- of normalized values across different providers/sources and entity types.
- flat_name: entity.attributes
- level: extended
- name: attributes
- normalize: []
- short: A set of static or semi-static attributes of the entity.
- type: object
-entity.behavior:
- beta: This field is beta and subject to change.
- dashed_name: entity-behavior
- description: A set of ephemeral characteristics of the entity, derived from observed
- behaviors during a specific time period. Usually boolean field data type. Use
- this field set when you need to capture and track ephemeral characteristics of
- an entity for advanced searching, correlation of normalized values across different
- providers/sources and entity types.
- flat_name: entity.behavior
- level: extended
- name: behavior
+error.code:
+ dashed_name: error-code
+ description: Error code describing the error.
+ flat_name: error.code
+ ignore_above: 1024
+ level: core
+ name: code
normalize: []
- short: A set of ephemeral characteristics of the entity, derived from observed behaviors
- during a specific time period.
- type: object
-entity.display_name:
- beta: This field is beta and subject to change.
- dashed_name: entity-display-name
- description: An optional field used when a pretty name is desired for entity-centric
- operations. This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- flat_name: entity.display_name
+ short: Error code describing the error.
+ type: keyword
+error.id:
+ dashed_name: error-id
+ description: Unique identifier for the error.
+ flat_name: error.id
ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: entity.display_name.text
- name: text
- type: match_only_text
- name: display_name
+ level: core
+ name: id
normalize: []
- short: An optional field used when a pretty name is desired for entity-centric operations.
- type: keyword
-entity.id:
- dashed_name: entity-id
- description: 'A unique identifier for the entity. When multiple identifiers exist,
- this should be the most stable and commonly used identifier that: 1) persists
- across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
- commonly used for queries and correlation, and 4) is readily available in most
- observations (logs/events). For entities with dedicated field sets (e.g., host,
- user), this value should match the corresponding *.id field. Alternative identifiers
- (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
- flat_name: entity.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- short: Unique identifier for the entity.
- type: keyword
-entity.last_seen_timestamp:
- beta: This field is beta and subject to change.
- dashed_name: entity-last-seen-timestamp
- description: Indicates the date/time when this entity was last "seen," usually based
- upon the last event/log that is initiated by this entity.
- flat_name: entity.last_seen_timestamp
- level: extended
- name: last_seen_timestamp
- normalize: []
- short: Indicates the date/time when this entity was last "seen."
- type: date
-entity.lifecycle:
- beta: This field is beta and subject to change.
- dashed_name: entity-lifecycle
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- flat_name: entity.lifecycle
- level: extended
- name: lifecycle
- normalize: []
- short: A set of temporal characteristics of the entity.
- type: object
-entity.metrics:
- beta: This field is beta and subject to change.
- dashed_name: entity-metrics
- description: Field set for any fields containing numeric entity metrics. These use
- dynamic field data type mapping.
- flat_name: entity.metrics
- level: extended
- name: metrics
- normalize: []
- short: Field set for any fields containing numeric entity metrics.
- type: object
-entity.name:
- beta: This field is beta and subject to change.
- dashed_name: entity-name
- description: The name of the entity. The keyword field enables exact matches for
- filtering and aggregations, while the text field enables full-text search. For
- entities with dedicated field sets (e.g., `host`), this field should mirrors the
- corresponding *.name value.
- flat_name: entity.name
- ignore_above: 1024
- level: core
- multi_fields:
- - flat_name: entity.name.text
- name: text
- type: match_only_text
- name: name
- normalize: []
- short: The name of the entity.
- type: keyword
-entity.raw:
- beta: This field is beta and subject to change.
- dashed_name: entity-raw
- description: Original, unmodified fields from the source system. Usually flattened
- field data type. While the attributes field should be used for normalized fields
- requiring advanced queries, this field preserves all source metadata with basic
- search capabilities.
- flat_name: entity.raw
- level: extended
- name: raw
- normalize: []
- short: Original, unmodified fields from the source system.
- type: object
-entity.reference:
- beta: This field is beta and subject to change.
- dashed_name: entity-reference
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- flat_name: entity.reference
- ignore_above: 1024
- level: extended
- name: reference
- normalize: []
- short: A URI, URL, or other direct reference to access or locate the entity.
- type: keyword
-entity.source:
- beta: This field is beta and subject to change.
- dashed_name: entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
- flat_name: entity.source
- ignore_above: 1024
- level: core
- name: source
- normalize: []
- short: Source module or integration that provided the entity data.
- type: keyword
-entity.sub_type:
- beta: This field is beta and subject to change.
- dashed_name: entity-sub-type
- description: 'The specific type designation for the entity as defined by its provider
- or system. This field provides more granular classification than the type field.
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
- would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
- `node` , `cloud_instance` would all map to entity type `host`.'
- example: aws_s3_bucket
- flat_name: entity.sub_type
- ignore_above: 1024
- level: extended
- name: sub_type
- normalize: []
- short: The specific type designation for the entity as defined by its provider or
- system.
- type: keyword
-entity.type:
- allowed_values:
- - description: Represents a storage container or bucket, typically used for object
- storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
- Azure Blob containers, and other cloud storage services. Buckets are used to
- organize and store files, objects, or data in cloud environments.
- name: bucket
- - description: Represents a database system or database instance. This includes
- relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
- Cassandra, DynamoDB), time-series databases, and other data storage systems.
- The entity may represent the entire database system or a specific database instance.
- name: database
- - description: Represents a containerized application or process. This includes
- Docker containers, Kubernetes pods, and other containerization technologies.
- Containers encapsulate applications and their dependencies, providing isolation
- and portability across different environments.
- name: container
- - description: Represents a serverless function or Function-as-a-Service (FaaS)
- component. This includes AWS Lambda functions, Azure Functions, Google Cloud
- Functions, and other serverless computing resources. Functions are typically
- event-driven and execute code without managing the underlying infrastructure.
- name: function
- - description: Represents a message queue or messaging system. This includes message
- brokers, event queues, and other messaging infrastructure components such as
- Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
- asynchronous communication between applications and services.
- name: queue
- - description: Represents a computing host or machine. This includes physical servers,
- virtual machines, cloud instances, and other computing resources that can run
- applications or services. Hosts provide the fundamental computing infrastructure
- for other entity types.
- name: host
- - description: Represents a user account or identity. This includes human users,
- service accounts, system accounts, and other identity entities that can interact
- with systems, applications, or services. Users may have various roles, permissions,
- and attributes associated with their identity.
- name: user
- - description: Represents a software application or service. This includes web applications,
- mobile applications, desktop applications, and other software components that
- provide functionality to users or other systems. Applications may run on various
- infrastructure components and can span multiple hosts or containers.
- name: application
- - description: Represents a service or microservice component. This includes web
- services, APIs, background services, and other service-oriented architecture
- components. Services provide specific functionality and may communicate with
- other services to fulfill business requirements.
- name: service
- - description: Represents a user session or connection session. This includes user
- login sessions, database connections, network sessions, and other temporary
- interactive or persistent connections between users, applications, or systems.
- name: session
- beta: This field is beta and subject to change.
- dashed_name: entity-type
- description: 'A standardized high-level classification of the entity. This provides
- a normalized way to group similar entities across different providers or systems.
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
- example: host
- flat_name: entity.type
- ignore_above: 1024
- level: core
- name: type
- normalize:
- - array
- short: Standardized high-level classification of the entity.
- type: keyword
-error.code:
- dashed_name: error-code
- description: Error code describing the error.
- flat_name: error.code
- ignore_above: 1024
- level: core
- name: code
- normalize: []
- short: Error code describing the error.
- type: keyword
-error.id:
- dashed_name: error-id
- description: Unique identifier for the error.
- flat_name: error.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- short: Unique identifier for the error.
+ short: Unique identifier for the error.
type: keyword
error.message:
dashed_name: error-message
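Review bot: dropping the root-level `entity.attributes` through `entity.type` definitions from this generated file is a breaking change for anyone who already indexes data against root `entity.*` from the beta, because the fields now exist only under their nesting parents; make sure the changelog states that root `entity.*` is removed and names the nested locations that replace it, and that any other artifacts generated from the same schema are regenerated in this change so they stop declaring root `entity.*`. The `error.code` and `error.id` `-`/`+` lines are re-emitted unchanged and need no review.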
@@ -9066,52 +9327,300 @@ orchestrator.cluster.version:
normalize: []
short: The version of the cluster.
type: keyword
-orchestrator.namespace:
- dashed_name: orchestrator-namespace
- description: Namespace in which the action is taking place.
- example: kube-system
- flat_name: orchestrator.namespace
- ignore_above: 1024
+orchestrator.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: orchestrator.entity.attributes
level: extended
- name: namespace
+ name: attributes
normalize: []
- short: Namespace in which the action is taking place.
- type: keyword
-orchestrator.organization:
- dashed_name: orchestrator-organization
- description: Organization affected by the event (for multi-tenant orchestrator setups).
- example: elastic
- flat_name: orchestrator.organization
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+orchestrator.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: orchestrator.entity.behavior
level: extended
- name: organization
+ name: behavior
normalize: []
- short: Organization affected by the event (for multi-tenant orchestrator setups).
- type: keyword
-orchestrator.resource.annotation:
- dashed_name: orchestrator-resource-annotation
- description: The list of annotations added to the resource.
- example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']'
- flat_name: orchestrator.resource.annotation
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+orchestrator.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: orchestrator.entity.display_name
ignore_above: 1024
level: extended
- name: resource.annotation
- normalize:
- - array
- short: The list of annotations added to the resource.
- synthetic_source_keep: none
+ multi_fields:
+ - flat_name: orchestrator.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
type: keyword
-orchestrator.resource.id:
- dashed_name: orchestrator-resource-id
- description: Unique ID of the resource being acted upon.
- flat_name: orchestrator.resource.id
+orchestrator.entity.id:
+ dashed_name: orchestrator-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: orchestrator.entity.id
ignore_above: 1024
- level: extended
- name: resource.id
+ level: core
+ name: id
normalize: []
- short: Unique ID of the resource being acted upon.
+ original_fieldset: entity
+ short: Unique identifier for the entity.
type: keyword
-orchestrator.resource.ip:
+orchestrator.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: orchestrator.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+orchestrator.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: orchestrator.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+orchestrator.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: orchestrator.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+orchestrator.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: orchestrator.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: orchestrator.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+orchestrator.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: orchestrator.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+orchestrator.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: orchestrator.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+orchestrator.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: orchestrator.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+orchestrator.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: orchestrator.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+orchestrator.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: orchestrator.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+orchestrator.namespace:
+ dashed_name: orchestrator-namespace
+ description: Namespace in which the action is taking place.
+ example: kube-system
+ flat_name: orchestrator.namespace
+ ignore_above: 1024
+ level: extended
+ name: namespace
+ normalize: []
+ short: Namespace in which the action is taking place.
+ type: keyword
+orchestrator.organization:
+ dashed_name: orchestrator-organization
+ description: Organization affected by the event (for multi-tenant orchestrator setups).
+ example: elastic
+ flat_name: orchestrator.organization
+ ignore_above: 1024
+ level: extended
+ name: organization
+ normalize: []
+ short: Organization affected by the event (for multi-tenant orchestrator setups).
+ type: keyword
+orchestrator.resource.annotation:
+ dashed_name: orchestrator-resource-annotation
+ description: The list of annotations added to the resource.
+ example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']'
+ flat_name: orchestrator.resource.annotation
+ ignore_above: 1024
+ level: extended
+ name: resource.annotation
+ normalize:
+ - array
+ short: The list of annotations added to the resource.
+ synthetic_source_keep: none
+ type: keyword
+orchestrator.resource.id:
+ dashed_name: orchestrator-resource-id
+ description: Unique ID of the resource being acted upon.
+ flat_name: orchestrator.resource.id
+ ignore_above: 1024
+ level: extended
+ name: resource.id
+ normalize: []
+ short: Unique ID of the resource being acted upon.
+ type: keyword
+orchestrator.resource.ip:
dashed_name: orchestrator-resource-ip
description: 'IP address assigned to the resource associated with the event being
observed. In the case of a Kubernetes Pod, this array would contain only one element:
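Review bot: `orchestrator.entity.id` (the block from `+orchestrator.entity.id:` to its `type: keyword`) is the only new `orchestrator.entity.*` entry without a `beta: This field is beta and subject to change.` line; every sibling (`attributes`, `behavior`, `display_name`, `last_seen_timestamp`, `lifecycle`, `metrics`, `name`, `raw`, `reference`, `source`, `sub_type`, `type`) carries it. If `entity.id` is intended to be stable while the rest of the field set is beta, that deserves a sentence in the PR description; otherwise the marker is missing in the entity definition these entries are expanded from (`original_fieldset: entity`) and should be added there and regenerated rather than patched in this copy. The same upstream definition also carries wording defects that show up verbatim here: "this field should mirrors the corresponding *.name value" under `orchestrator.entity.name` (should be "should mirror"), "ARNs values in AWS" under `orchestrator.entity.id` (should be "ARN values"), and stray spaces before the commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`" under `orchestrator.entity.sub_type`. The `-`/`+` churn on `orchestrator.namespace`, `orchestrator.organization`, `orchestrator.resource.annotation` and `orchestrator.resource.id` is pure reordering: the new `entity` entries sort between `orchestrator.cluster.version` and `orchestrator.namespace`, and the re-added blocks are identical to the removed ones, so there is nothing to review in those lines.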
@@ -15287,38 +15796,286 @@ service.address:
normalize: []
short: Address of this service.
type: keyword
-service.environment:
+service.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA, development,
- etc.), the environment can identify other instances of the same service. Can also
- group services and applications from the same environment.'
- example: production
- flat_name: service.environment
- ignore_above: 1024
+ dashed_name: service-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: service.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- otel:
- - attribute: deployment.environment.name
- relation: equivalent
- stability: development
- short: Environment of the service.
- type: keyword
-service.ephemeral_id:
- dashed_name: service-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- flat_name: service.ephemeral_id
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+service.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: service.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+service.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.entity.display_name
ignore_above: 1024
level: extended
- name: ephemeral_id
+ multi_fields:
+ - flat_name: service.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- short: Ephemeral identifier of this service.
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+service.entity.id:
+ dashed_name: service-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: service.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+service.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: service.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+service.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+service.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: service.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+service.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: service.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+service.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: service.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+service.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+service.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: service.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+service.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+service.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+service.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA, development,
+ etc.), the environment can identify other instances of the same service. Can also
+ group services and applications from the same environment.'
+ example: production
+ flat_name: service.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ otel:
+ - attribute: deployment.environment.name
+ relation: equivalent
+ stability: development
+ short: Environment of the service.
+ type: keyword
+service.ephemeral_id:
+ dashed_name: service-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ flat_name: service.ephemeral_id
+ ignore_above: 1024
+ level: extended
+ name: ephemeral_id
+ normalize: []
+ short: Ephemeral identifier of this service.
type: keyword
service.id:
dashed_name: service-id
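Review bot: the removals of `service.environment` and `service.ephemeral_id` at the top of this hunk are not real deletions; both blocks reappear unchanged after `service.entity.type` (from `+service.environment:` down to `+  short: Ephemeral identifier of this service.`), because the new `service.entity.*` entries sort between `service.address` and `service.environment`. One alignment quirk is worth knowing when reading it: the unchanged context line `beta: This field is beta and subject to change.` directly under `+service.entity.attributes:` belonged to `service.environment` in the old file, and the diff paired it with the new entry; `service.environment` keeps its own `beta` line in the re-added block, so no marker was lost. As with the orchestrator hunk, `service.entity.id` is the one `service.entity.*` entry without a `beta` marker, and the `otel` mapping on `service.environment` (`attribute: deployment.environment.name`, `relation: equivalent`) survives the move intact. Since these entries are expanded from the same entity definition, the beta decision and the description typos only need fixing once upstream; please avoid hand-editing them here.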
@@ -15448,35 +16205,283 @@ service.origin.address:
original_fieldset: service
short: Address of this service.
type: keyword
-service.origin.environment:
+service.origin.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-origin-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA, development,
- etc.), the environment can identify other instances of the same service. Can also
- group services and applications from the same environment.'
- example: production
- flat_name: service.origin.environment
- ignore_above: 1024
+ dashed_name: service-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: service.origin.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- original_fieldset: service
- short: Environment of the service.
- type: keyword
-service.origin.ephemeral_id:
- dashed_name: service-origin-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- flat_name: service.origin.ephemeral_id
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+service.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: service.origin.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+service.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.origin.entity.display_name
ignore_above: 1024
level: extended
- name: ephemeral_id
+ multi_fields:
+ - flat_name: service.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- original_fieldset: service
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+service.origin.entity.id:
+ dashed_name: service-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: service.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+service.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: service.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+service.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+service.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: service.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+service.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: service.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+service.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: service.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+service.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+service.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: service.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+service.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+service.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+service.origin.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA, development,
+ etc.), the environment can identify other instances of the same service. Can also
+ group services and applications from the same environment.'
+ example: production
+ flat_name: service.origin.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ original_fieldset: service
+ short: Environment of the service.
+ type: keyword
+service.origin.ephemeral_id:
+ dashed_name: service-origin-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ flat_name: service.origin.ephemeral_id
+ ignore_above: 1024
+ level: extended
+ name: ephemeral_id
+ normalize: []
+ original_fieldset: service
short: Ephemeral identifier of this service.
type: keyword
service.origin.id:
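Review bot: the generated `service.origin.entity.name` description has a grammar error in the line `entities with dedicated field sets (e.g., \`host\`), this field should mirrors the`; it should read "this field should mirror the corresponding *.name value". Because every reuse of the `entity` field set (`original_fieldset: entity`) copies this text, fix it once in the entity schema source so all generated copies pick it up rather than patching this file. Two smaller points in the same hunk: the `service.origin.entity.sub_type` description has stray spaces before its commas (`` `hardware` , `virtual` , `container` , `` should be `` `hardware`, `virtual`, `container`, ``), and the `service.origin.entity.type` description ends its example list with "etc." even though `allowed_values` enumerates a closed set of nine names, so either drop the "etc." or state that values outside the list are acceptable, so readers are not left guessing whether the enumeration is exhaustive.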
@@ -23604,21 +24609,741 @@ user.changes.email:
description: User email address.
flat_name: user.changes.email
ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+user.changes.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: user.changes.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+user.changes.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: user.changes.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+user.changes.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.changes.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+user.changes.entity.id:
+ dashed_name: user-changes-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: user.changes.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+user.changes.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: user.changes.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+user.changes.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.changes.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+user.changes.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: user.changes.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+user.changes.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: user.changes.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+user.changes.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: user.changes.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+user.changes.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.changes.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+user.changes.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: user.changes.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+user.changes.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.changes.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+user.changes.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.changes.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+user.changes.full_name:
+ dashed_name: user-changes-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: user.changes.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+user.changes.group.domain:
+ dashed_name: user-changes-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.changes.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+user.changes.group.id:
+ dashed_name: user-changes-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: user.changes.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+user.changes.group.name:
+ dashed_name: user-changes-group-name
+ description: Name of the group.
+ flat_name: user.changes.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+user.changes.hash:
+ dashed_name: user-changes-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: user.changes.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+user.changes.id:
+ dashed_name: user-changes-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: user.changes.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+user.changes.name:
+ dashed_name: user-changes-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: user.changes.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+user.changes.risk.calculated_level:
+ dashed_name: user-changes-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.changes.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+user.changes.risk.calculated_score:
+ dashed_name: user-changes-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.changes.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+user.changes.risk.calculated_score_norm:
+ dashed_name: user-changes-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: user.changes.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+user.changes.risk.static_level:
+ dashed_name: user-changes-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.changes.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+user.changes.risk.static_score:
+ dashed_name: user-changes-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.changes.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+user.changes.risk.static_score_norm:
+ dashed_name: user-changes-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.changes.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+user.changes.roles:
+ dashed_name: user-changes-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: user.changes.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+user.domain:
+ dashed_name: user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ short: Name of the directory the user is a member of.
+ type: keyword
+user.effective.domain:
+ dashed_name: user-effective-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.effective.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+user.effective.email:
+ dashed_name: user-effective-email
+ description: User email address.
+ flat_name: user.effective.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+user.effective.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: user.effective.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+user.effective.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: user.effective.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+user.effective.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.effective.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.effective.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+user.effective.entity.id:
+ dashed_name: user-effective-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: user.effective.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+user.effective.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: user.effective.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+user.effective.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.effective.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+user.effective.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: user.effective.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+user.effective.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: user.effective.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.effective.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+user.effective.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: user.effective.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+user.effective.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.effective.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+user.effective.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: user.effective.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+user.effective.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.effective.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+user.effective.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.effective.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
-user.changes.full_name:
- dashed_name: user-changes-full-name
+user.effective.full_name:
+ dashed_name: user-effective-full-name
description: User's full name, if available.
example: Albert Einstein
- flat_name: user.changes.full_name
+ flat_name: user.effective.full_name
ignore_above: 1024
level: extended
multi_fields:
- - flat_name: user.changes.full_name.text
+ - flat_name: user.effective.full_name.text
name: text
type: match_only_text
name: full_name
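Review bot: the `user.effective.entity.name` description carries a grammatical slip, "this field should mirrors the corresponding *.name value", and the `user.effective.entity.sub_type` description has stray spaces before the commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`"; both texts come from the `entity` field set (`original_fieldset: entity`), so fix them in the schema source and regenerate rather than hand-editing this generated file. The same `sub_type` text also lists `container` as a sub-type that "would all map to entity type `host`", while `container` is itself an allowed value of `entity.type` in this very hunk ("Represents a containerized application or process"); either drop `container` from the host sub-type examples or state when a container is classified as `host` versus `container`, because the two readings will produce inconsistent `entity.type` values across integrations.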
@@ -23626,12 +25351,12 @@ user.changes.full_name:
original_fieldset: user
short: User's full name, if available.
type: keyword
-user.changes.group.domain:
- dashed_name: user-changes-group-domain
+user.effective.group.domain:
+ dashed_name: user-effective-group-domain
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- flat_name: user.changes.group.domain
+ flat_name: user.effective.group.domain
ignore_above: 1024
level: extended
name: domain
@@ -23639,10 +25364,10 @@ user.changes.group.domain:
original_fieldset: group
short: Name of the directory the group is a member of.
type: keyword
-user.changes.group.id:
- dashed_name: user-changes-group-id
+user.effective.group.id:
+ dashed_name: user-effective-group-id
description: Unique identifier for the group on the system/platform.
- flat_name: user.changes.group.id
+ flat_name: user.effective.group.id
ignore_above: 1024
level: extended
name: id
@@ -23650,10 +25375,10 @@ user.changes.group.id:
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
-user.changes.group.name:
- dashed_name: user-changes-group-name
+user.effective.group.name:
+ dashed_name: user-effective-group-name
description: Name of the group.
- flat_name: user.changes.group.name
+ flat_name: user.effective.group.name
ignore_above: 1024
level: extended
name: name
@@ -23661,14 +25386,14 @@ user.changes.group.name:
original_fieldset: group
short: Name of the group.
type: keyword
-user.changes.hash:
- dashed_name: user-changes-hash
+user.effective.hash:
+ dashed_name: user-effective-hash
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- flat_name: user.changes.hash
+ flat_name: user.effective.hash
ignore_above: 1024
level: extended
name: hash
@@ -23676,11 +25401,11 @@ user.changes.hash:
original_fieldset: user
short: Unique user hash to correlate information for a user in anonymized form.
type: keyword
-user.changes.id:
- dashed_name: user-changes-id
+user.effective.id:
+ dashed_name: user-effective-id
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.changes.id
+ flat_name: user.effective.id
ignore_above: 1024
level: core
name: id
@@ -23688,15 +25413,15 @@ user.changes.id:
original_fieldset: user
short: Unique identifier of the user.
type: keyword
-user.changes.name:
- dashed_name: user-changes-name
+user.effective.name:
+ dashed_name: user-effective-name
description: Short name or login of the user.
example: a.einstein
- flat_name: user.changes.name
+ flat_name: user.effective.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: user.changes.name.text
+ - flat_name: user.effective.name.text
name: text
type: match_only_text
name: name
@@ -23704,176 +25429,360 @@ user.changes.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-user.changes.roles:
- dashed_name: user-changes-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: user.changes.roles
+user.effective.risk.calculated_level:
+ dashed_name: user-effective-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.effective.risk.calculated_level
ignore_above: 1024
level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
type: keyword
-user.domain:
- dashed_name: user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.domain
- ignore_above: 1024
+user.effective.risk.calculated_score:
+ dashed_name: user-effective-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.effective.risk.calculated_score
level: extended
- name: domain
+ name: calculated_score
normalize: []
- short: Name of the directory the user is a member of.
- type: keyword
-user.effective.domain:
- dashed_name: user-effective-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.domain
- ignore_above: 1024
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+user.effective.risk.calculated_score_norm:
+ dashed_name: user-effective-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: user.effective.risk.calculated_score_norm
level: extended
- name: domain
+ name: calculated_score_norm
normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
- type: keyword
-user.effective.email:
- dashed_name: user-effective-email
- description: User email address.
- flat_name: user.effective.email
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+user.effective.risk.static_level:
+ dashed_name: user-effective-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.effective.risk.static_level
ignore_above: 1024
level: extended
- name: email
+ name: static_level
normalize: []
- original_fieldset: user
- short: User email address.
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
type: keyword
-user.effective.full_name:
- dashed_name: user-effective-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: user.effective.full_name
- ignore_above: 1024
+user.effective.risk.static_score:
+ dashed_name: user-effective-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.effective.risk.static_score
level: extended
- multi_fields:
- - flat_name: user.effective.full_name.text
- name: text
- type: match_only_text
- name: full_name
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+user.effective.risk.static_score_norm:
+ dashed_name: user-effective-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.effective.risk.static_score_norm
+ level: extended
+ name: static_score_norm
normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+user.effective.roles:
+ dashed_name: user-effective-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: user.effective.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
original_fieldset: user
- short: User's full name, if available.
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
type: keyword
-user.effective.group.domain:
- dashed_name: user-effective-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.group.domain
+user.email:
+ dashed_name: user-email
+ description: User email address.
+ flat_name: user.email
ignore_above: 1024
level: extended
- name: domain
+ name: email
normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
+ otel:
+ - relation: match
+ stability: development
+ short: User email address.
type: keyword
-user.effective.group.id:
- dashed_name: user-effective-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: user.effective.group.id
- ignore_above: 1024
+user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: user.entity.attributes
level: extended
- name: id
+ name: attributes
normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
- type: keyword
-user.effective.group.name:
- dashed_name: user-effective-group-name
- description: Name of the group.
- flat_name: user.effective.group.name
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: user.entity.behavior
level: extended
- name: name
+ name: behavior
normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
-user.effective.hash:
- dashed_name: user-effective-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: user.effective.hash
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.entity.display_name
ignore_above: 1024
level: extended
- name: hash
+ multi_fields:
+ - flat_name: user.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
type: keyword
-user.effective.id:
- dashed_name: user-effective-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.effective.id
+user.entity.id:
+ dashed_name: user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: user.entity.id
ignore_above: 1024
level: core
name: id
normalize: []
- original_fieldset: user
- short: Unique identifier of the user.
+ original_fieldset: entity
+ short: Unique identifier for the entity.
type: keyword
-user.effective.name:
- dashed_name: user-effective-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: user.effective.name
+user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: user.entity.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: user.effective.name.text
+ - flat_name: user.entity.name.text
name: text
type: match_only_text
name: name
normalize: []
- original_fieldset: user
- short: Short name or login of the user.
+ original_fieldset: entity
+ short: The name of the entity.
type: keyword
-user.effective.roles:
- dashed_name: user-effective-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: user.effective.roles
+user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.entity.reference
ignore_above: 1024
level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
-user.email:
- dashed_name: user-email
- description: User email address.
- flat_name: user.email
+user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.entity.sub_type
ignore_above: 1024
level: extended
- name: email
+ name: sub_type
normalize: []
- otel:
- - relation: match
- stability: development
- short: User email address.
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
user.full_name:
dashed_name: user-full-name
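Review bot: the net change in this hunk is hard to review because git has aligned the old `user.domain`, `user.effective.domain`, `user.effective.email`, `user.effective.full_name`, `user.effective.group.*`, `user.effective.hash`, `user.effective.id`, `user.effective.name`, `user.effective.roles` and `user.email` entries against the new `user.effective.risk.*`, `user.effective.roles`, `user.email` and `user.entity.*` entries; `user.domain`, `user.effective.domain` and `user.effective.email` appear only as `-` lines with no `+` counterpart in this hunk, so please confirm they are still present in the regenerated file (re-diffing with `git diff --diff-algorithm=patience`, or a grep on the generated file, would settle it). Separately, `user.entity.type` is declared with `normalize: [array]` together with `allowed_values` and a scalar `example: host`; if one entity may legitimately carry several types, show the example as an array the way `user.effective.roles` does (`'["kibana_admin", "reporting_user"]'`), otherwise drop the array normalization, because consumers validating against `allowed_values` behave differently for a single keyword and for an array. The `user.entity.id` description also reads "ARNs values in AWS", which should be "ARN values".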
@@ -24439,6 +26348,86 @@ user.target.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
+user.target.risk.calculated_level:
+ dashed_name: user-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+user.target.risk.calculated_score:
+ dashed_name: user-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+user.target.risk.calculated_score_norm:
+ dashed_name: user-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: user.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+user.target.risk.static_level:
+ dashed_name: user-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+user.target.risk.static_score:
+ dashed_name: user-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+user.target.risk.static_score_norm:
+ dashed_name: user-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
user.target.roles:
dashed_name: user-target-roles
description: Array of user roles at the time of the event.
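Review bot: the `short` for `user.target.risk.static_score_norm` reads "A normalized risk score calculated by an external system" while its description says the score is "obtained from outside the system, such as from some external Threat Intelligence Platform"; "calculated" and "obtained" describe different provenance, so align the `short` with the description in the `risk` field set source (the same mismatch repeats in `user.effective.risk.static_score_norm` above). This hunk also nests `risk` under `user.target` for the first time (the header shows only additions); make sure the risk field set's reference page lists `user.target.risk` and `user.effective.risk` among its expected nesting locations, since the generated YAML alone will not tell users where these fields are valid.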
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index e9f9f1a261..52d708e873 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -898,6 +898,259 @@ cloud:
stability: development
short: Availability zone in which this host, resource, or service is located.
type: keyword
+ cloud.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: cloud.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ cloud.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ cloud.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: cloud.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ cloud.entity.id:
+ dashed_name: cloud-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: cloud.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ cloud.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: cloud.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ cloud.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ cloud.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: cloud.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ cloud.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: cloud.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ cloud.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: cloud.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ cloud.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ cloud.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: cloud.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ cloud.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ cloud.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
cloud.instance.id:
dashed_name: cloud-instance-id
description: Instance ID of the host machine.
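Review bot: the `cloud.entity.name` description in this hunk reads "this field should mirrors the corresponding *.name value"; since this is generated output, the typo lives in the entity schema source the generator reads, so fix it there and regenerate, otherwise it reappears at every reuse location (`cloud.origin.entity.name` further down in this patch already carries the same text). The same applies to the stray spaces before the commas in the `cloud.entity.sub_type` description ("`hardware` , `virtual` , `container` , `node` , `cloud_instance`"). Separately, `cloud.entity.id` is the only field in this block without a `beta: This field is beta and subject to change.` line, while `cloud.entity.type`, which is also `level: core`, has one; confirm whether `id` is intentionally GA while the rest of the set is beta, or whether the flag was simply omitted.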
@@ -972,37 +1225,290 @@ cloud:
original_fieldset: cloud
short: Availability zone in which this host, resource, or service is located.
type: keyword
- cloud.origin.instance.id:
- dashed_name: cloud-origin-instance-id
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- flat_name: cloud.origin.instance.id
- ignore_above: 1024
+ cloud.origin.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: cloud.origin.entity.attributes
level: extended
- name: instance.id
+ name: attributes
normalize: []
- original_fieldset: cloud
- short: Instance ID of the host machine.
- type: keyword
- cloud.origin.instance.name:
- dashed_name: cloud-origin-instance-name
- description: Instance name of the host machine.
- flat_name: cloud.origin.instance.name
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ cloud.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.origin.entity.behavior
level: extended
- name: instance.name
+ name: behavior
normalize: []
- original_fieldset: cloud
- short: Instance name of the host machine.
- type: keyword
- cloud.origin.machine.type:
- dashed_name: cloud-origin-machine-type
- description: Machine type of the host machine.
- example: t2.medium
- flat_name: cloud.origin.machine.type
- ignore_above: 1024
- level: extended
- name: machine.type
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ cloud.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.origin.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: cloud.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ cloud.origin.entity.id:
+ dashed_name: cloud-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: cloud.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ cloud.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: cloud.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ cloud.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ cloud.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: cloud.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ cloud.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: cloud.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ cloud.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: cloud.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ cloud.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ cloud.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: cloud.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ cloud.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ cloud.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ cloud.origin.instance.id:
+ dashed_name: cloud-origin-instance-id
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ flat_name: cloud.origin.instance.id
+ ignore_above: 1024
+ level: extended
+ name: instance.id
+ normalize: []
+ original_fieldset: cloud
+ short: Instance ID of the host machine.
+ type: keyword
+ cloud.origin.instance.name:
+ dashed_name: cloud-origin-instance-name
+ description: Instance name of the host machine.
+ flat_name: cloud.origin.instance.name
+ ignore_above: 1024
+ level: extended
+ name: instance.name
+ normalize: []
+ original_fieldset: cloud
+ short: Instance name of the host machine.
+ type: keyword
+ cloud.origin.machine.type:
+ dashed_name: cloud-origin-machine-type
+ description: Machine type of the host machine.
+ example: t2.medium
+ flat_name: cloud.origin.machine.type
+ ignore_above: 1024
+ level: extended
+ name: machine.type
normalize: []
original_fieldset: cloud
short: Machine type of the host machine.
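Review bot: this hunk materialises `cloud.origin.entity.*` (and, presumably, `cloud.target.entity.*` for the `cloud.target` reuse) because `entity` is now nested at `cloud` and `cloud` is itself reused at `cloud.origin`/`cloud.target`; the `reusable.expected` list for `entity` later in this patch names only `cloud.entity`, so these transitive locations are implicit. If that is intended, state it in the entity field-set docs so users know `cloud.origin.entity.*` is a valid path; if not, the nested reuse needs to be excluded. The removals and re-additions of `cloud.origin.instance.id`, `cloud.origin.instance.name` and `cloud.origin.machine.type` are pure reordering (the generator places `entity` before `instance`), not content changes, so reviewers can skip them.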
@@ -1567,9 +2073,9 @@ cloud:
group: 2
name: cloud
nestings:
+ - cloud.entity
- cloud.origin
- cloud.target
- - cloud.target.entity
prefix: cloud.
reusable:
expected:
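Review bot: `cloud.target.entity` leaves the `nestings` list and `cloud.entity` enters it, which is a path rename for anyone already indexing `cloud.target.entity.*`; make sure the changelog records this as a breaking change naming the old and new paths, because the generated file alone gives no hint that the field set moved rather than being added.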
@@ -1585,9 +2091,9 @@ cloud:
of an outgoing request or event.
top_level: true
reused_here:
- - full: cloud.target.entity
+ - full: cloud.entity
schema_name: entity
- short: Entity information for the target cloud entity.
+ short: Fields to describe various types of entities across IT environments.
- full: cloud.origin
schema_name: cloud
short: Provides the cloud information of the origin entity in case of an incoming
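Review bot: the `reused_here` short for `cloud.entity` now falls back to the generic field-set text ("Fields to describe various types of entities across IT environments.") because the `short_override` was removed; in the cloud context that tells a reader nothing about which entity is meant, whereas the neighbouring `cloud.origin` entry keeps a location-specific description. Suggest keeping a `short_override` on the entity schema's `reusable.expected` entry for `cloud`, e.g. `short_override: Entity information for the cloud resource.`, so the generated docs table stays self-explanatory.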
@@ -4666,22 +5172,22 @@ entity:
prefix: entity.
reusable:
expected:
- - as: entity
- at: host
- full: host.entity
- as: entity
at: user
- full: user.target.entity
- short_override: Entity information for the targeted user.
+ full: user.entity
- as: entity
at: cloud
- full: cloud.target.entity
- short_override: Entity information for the target cloud entity.
+ full: cloud.entity
+ - as: entity
+ at: host
+ full: host.entity
- as: entity
at: service
- full: service.target.entity
- short_override: Entity information for the target service.
- top_level: true
+ full: service.entity
+ - as: entity
+ at: orchestrator
+ full: orchestrator.entity
+ top_level: false
short: Fields to describe various types of entities across IT environments.
title: Entity
type: group
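Review bot: two semantic changes are bundled here without being called out: every `short_override` is dropped (so all five reuse locations inherit the generic short), and `top_level` flips from `true` to `false`. The second is consistent with exposing `entity` only under other field sets, but it removes the root-level `entity.*` mapping, which breaks any index that already populates `entity.*` directly; the commit message should say so explicitly. The first should be reverted or replaced with location-specific overrides (one each for `user`, `cloud`, `host`, `service` and `orchestrator`) rather than leaving the docs tables with five identical descriptions.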
@@ -10957,25 +11463,278 @@ orchestrator:
normalize: []
short: The version of the cluster.
type: keyword
- orchestrator.namespace:
- dashed_name: orchestrator-namespace
- description: Namespace in which the action is taking place.
- example: kube-system
- flat_name: orchestrator.namespace
- ignore_above: 1024
+ orchestrator.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: orchestrator.entity.attributes
level: extended
- name: namespace
+ name: attributes
normalize: []
- short: Namespace in which the action is taking place.
- type: keyword
- orchestrator.organization:
- dashed_name: orchestrator-organization
- description: Organization affected by the event (for multi-tenant orchestrator
- setups).
- example: elastic
- flat_name: orchestrator.organization
- ignore_above: 1024
- level: extended
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ orchestrator.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: orchestrator.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ orchestrator.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: orchestrator.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: orchestrator.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ orchestrator.entity.id:
+ dashed_name: orchestrator-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: orchestrator.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ orchestrator.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: orchestrator.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ orchestrator.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: orchestrator.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ orchestrator.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: orchestrator.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ orchestrator.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: orchestrator.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: orchestrator.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ orchestrator.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: orchestrator.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ orchestrator.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: orchestrator.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ orchestrator.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: orchestrator.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ orchestrator.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: orchestrator.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ orchestrator.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: orchestrator.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ orchestrator.namespace:
+ dashed_name: orchestrator-namespace
+ description: Namespace in which the action is taking place.
+ example: kube-system
+ flat_name: orchestrator.namespace
+ ignore_above: 1024
+ level: extended
+ name: namespace
+ normalize: []
+ short: Namespace in which the action is taking place.
+ type: keyword
+ orchestrator.organization:
+ dashed_name: orchestrator-organization
+ description: Organization affected by the event (for multi-tenant orchestrator
+ setups).
+ example: elastic
+ flat_name: orchestrator.organization
+ ignore_above: 1024
+ level: extended
name: organization
normalize: []
short: Organization affected by the event (for multi-tenant orchestrator setups).
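Review bot: the `orchestrator.entity.name` description has a grammar slip ("this field should mirrors the corresponding *.name value") and the `orchestrator.entity.sub_type` description has stray spaces around its commas ("`hardware` , `virtual` , `container` , `node` , `cloud_instance`"); both come from the entity source schema, so fix them there rather than in this generated file, and the same text will be corrected in every nesting that reuses the entity field set (the `service.entity.*` and `service.origin.entity.*` copies further down carry the identical wording). A second question on this hunk: `orchestrator.entity.type` inherits the generic `allowed_values` list (`bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `service`, `session`), and none of those names an orchestrator-managed resource such as a cluster, node or namespace; `node` only appears as a `sub_type` that maps to `host`. If entities nested under `orchestrator` are expected to describe such resources, the allowed values or the `sub_type` examples should say how they map, otherwise state which of the existing types is intended here.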
@@ -11078,7 +11837,13 @@ orchestrator:
type: keyword
group: 2
name: orchestrator
+ nestings:
+ - orchestrator.entity
prefix: orchestrator.
+ reused_here:
+ - full: orchestrator.entity
+ schema_name: entity
+ short: Fields to describe various types of entities across IT environments.
short: Fields relevant to container orchestrators.
title: Orchestrator
type: group
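Review bot: the new `reused_here` entry for `orchestrator.entity` carries no `beta:` marker even though every `orchestrator.entity.*` field in the preceding hunk is flagged "This field is beta and subject to change."; add the beta annotation on the reuse location in the orchestrator source schema so the generated reuse entry (and the docs reuse table built from it) shows the same beta status as the fields it introduces.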
@@ -18034,33 +18799,286 @@ service:
normalize: []
short: Address of this service.
type: keyword
- service.environment:
+ service.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA,
- development, etc.), the environment can identify other instances of the same
- service. Can also group services and applications from the same environment.'
- example: production
- flat_name: service.environment
- ignore_above: 1024
+ dashed_name: service-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: service.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- otel:
- - attribute: deployment.environment.name
- relation: equivalent
- stability: development
- short: Environment of the service.
- type: keyword
- service.ephemeral_id:
- dashed_name: service-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- flat_name: service.ephemeral_id
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ service.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ service.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: service.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ service.entity.id:
+ dashed_name: service-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: service.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ service.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: service.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ service.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ service.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: service.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ service.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: service.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ service.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: service.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ service.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ service.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: service.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ service.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ service.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ service.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA,
+ development, etc.), the environment can identify other instances of the same
+ service. Can also group services and applications from the same environment.'
+ example: production
+ flat_name: service.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ otel:
+ - attribute: deployment.environment.name
+ relation: equivalent
+ stability: development
+ short: Environment of the service.
+ type: keyword
+ service.ephemeral_id:
+ dashed_name: service-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ flat_name: service.ephemeral_id
ignore_above: 1024
level: extended
name: ephemeral_id
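Review bot: `service.entity.id` is the only field in the new `service.entity.*` block without a `beta:` line, while `service.entity.name`, `service.entity.source` and `service.entity.type` at the same `level: core` all carry it. If `entity.id` is deliberately GA ahead of the rest of the field set, that should be stated where the entity reuse is introduced; if not, add the `beta` flag in the entity source schema so all copies regenerate consistently. The `service.environment` and `service.ephemeral_id` movement in this hunk is a pure reorder (the field bodies, including the `otel` mapping to `deployment.environment.name`, are unchanged), so nothing else needs review there.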
@@ -18197,29 +19215,282 @@ service:
original_fieldset: service
short: Address of this service.
type: keyword
- service.origin.environment:
+ service.origin.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-origin-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA,
- development, etc.), the environment can identify other instances of the same
- service. Can also group services and applications from the same environment.'
- example: production
- flat_name: service.origin.environment
- ignore_above: 1024
+ dashed_name: service-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: service.origin.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- original_fieldset: service
- short: Environment of the service.
- type: keyword
- service.origin.ephemeral_id:
- dashed_name: service-origin-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ service.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.origin.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ service.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.origin.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: service.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ service.origin.entity.id:
+ dashed_name: service-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: service.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ service.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: service.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ service.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ service.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: service.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ service.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: service.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ service.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: service.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ service.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ service.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: service.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ service.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ service.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ service.origin.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA,
+ development, etc.), the environment can identify other instances of the same
+ service. Can also group services and applications from the same environment.'
+ example: production
+ flat_name: service.origin.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ original_fieldset: service
+ short: Environment of the service.
+ type: keyword
+ service.origin.ephemeral_id:
+ dashed_name: service-origin-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
flat_name: service.origin.ephemeral_id
ignore_above: 1024
level: extended
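Review bot: `service.origin.entity.type` is declared with `normalize: - array`, yet its description speaks of a single "standardized high-level classification" and the example is the scalar `host`; if an entity can legitimately carry several types at once, say so in the description, otherwise drop the array normalization so consumers do not have to handle both shapes. This block also shows that nesting `entity` at `service.entity` propagates through the `service` reuse into `service.origin.entity.*`; confirm that a full entity copy under every `service` reuse location is intended, since it multiplies the mapped field count. Minor: the `application` and `service` allowed values overlap ("Represents a software application or service" versus "Represents a service or microservice component"); one sentence on when to pick which would help implementers.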
@@ -18893,9 +20164,9 @@ service:
group: 2
name: service
nestings:
+ - service.entity
- service.origin
- service.target
- - service.target.entity
prefix: service.
reusable:
expected:
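Review bot: replacing `service.target.entity` with `service.entity` in `nestings` widens the reuse rather than removing it, because `service.origin` and `service.target` reuse the `service` field set and therefore inherit `entity` (the `service.origin.entity.*` entries above are the generated result). The old target-only nesting is thus subsumed, which is fine, but it deserves an explicit mention in the change description so that consumers who mapped only `service.target.entity.*` expect the new `service.origin.entity.*` fields. The list remains alphabetically ordered as before.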
@@ -18915,9 +20186,9 @@ service:
or event.
top_level: true
reused_here:
- - full: service.target.entity
+ - full: service.entity
schema_name: entity
- short: Entity information for the target service.
+ short: Fields to describe various types of entities across IT environments.
- beta: Reusing the `service` fields in this location is currently considered beta.
full: service.origin
schema_name: service
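Review bot: the `service.entity` entry in `reused_here` has no `beta:` line, while every individual `entity` field in this diff carries `beta: This field is beta and subject to change.` and the adjacent `service.origin` reuse states `Reusing the `service` fields in this location is currently considered beta.`; if reusing `entity` here is beta as well, add a matching `beta:` line so the generated reference tables flag it consistently. Style point: the new `short` text "Fields to describe various types of entities across IT environments." is the generic field-set summary and loses the location-specific wording the old "Entity information for the target service." had; a location-specific short such as "Entity information for the service." would read better in the generated docs.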
@@ -26593,21 +27864,751 @@ user:
description: User email address.
flat_name: user.changes.email
ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ user.changes.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: user.changes.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ user.changes.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.changes.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ user.changes.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.changes.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ user.changes.entity.id:
+ dashed_name: user-changes-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: user.changes.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ user.changes.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: user.changes.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ user.changes.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.changes.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ user.changes.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: user.changes.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ user.changes.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: user.changes.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ user.changes.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: user.changes.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ user.changes.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.changes.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ user.changes.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: user.changes.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ user.changes.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.changes.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ user.changes.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.changes.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ user.changes.full_name:
+ dashed_name: user-changes-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: user.changes.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ user.changes.group.domain:
+ dashed_name: user-changes-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.changes.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ user.changes.group.id:
+ dashed_name: user-changes-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: user.changes.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ user.changes.group.name:
+ dashed_name: user-changes-group-name
+ description: Name of the group.
+ flat_name: user.changes.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ user.changes.hash:
+ dashed_name: user-changes-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: user.changes.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ user.changes.id:
+ dashed_name: user-changes-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: user.changes.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ user.changes.name:
+ dashed_name: user-changes-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: user.changes.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ user.changes.risk.calculated_level:
+ dashed_name: user-changes-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.changes.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ user.changes.risk.calculated_score:
+ dashed_name: user-changes-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.changes.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ user.changes.risk.calculated_score_norm:
+ dashed_name: user-changes-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: user.changes.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ user.changes.risk.static_level:
+ dashed_name: user-changes-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.changes.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ user.changes.risk.static_score:
+ dashed_name: user-changes-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.changes.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ user.changes.risk.static_score_norm:
+ dashed_name: user-changes-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.changes.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ user.changes.roles:
+ dashed_name: user-changes-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: user.changes.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ user.domain:
+ dashed_name: user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ short: Name of the directory the user is a member of.
+ type: keyword
+ user.effective.domain:
+ dashed_name: user-effective-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.effective.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ user.effective.email:
+ dashed_name: user-effective-email
+ description: User email address.
+ flat_name: user.effective.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ user.effective.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: user.effective.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ user.effective.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.effective.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ user.effective.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.effective.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.effective.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ user.effective.entity.id:
+ dashed_name: user-effective-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: user.effective.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ user.effective.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: user.effective.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ user.effective.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.effective.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ user.effective.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: user.effective.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ user.effective.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: user.effective.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.effective.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ user.effective.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: user.effective.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ user.effective.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.effective.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ user.effective.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: user.effective.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ user.effective.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.effective.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ user.effective.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.effective.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
- user.changes.full_name:
- dashed_name: user-changes-full-name
+ user.effective.full_name:
+ dashed_name: user-effective-full-name
description: User's full name, if available.
example: Albert Einstein
- flat_name: user.changes.full_name
+ flat_name: user.effective.full_name
ignore_above: 1024
level: extended
multi_fields:
- - flat_name: user.changes.full_name.text
+ - flat_name: user.effective.full_name.text
name: text
type: match_only_text
name: full_name
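Review bot: the `- user.changes.full_name:` / `+ user.effective.full_name:` pairing in this hunk (and the matching pairs for `group.*`, `hash`, `id`, `name` and `roles` in the hunks that follow) is not a rename but diff alignment noise caused by the large `entity` and `risk` blocks inserted into this generated file; before merging, confirm the file was produced by the schema generator rather than edited by hand, and that the `user.changes.*` entries still exist in the regenerated output (the `nestings` hunk later in this file still lists `user.changes`). A smaller point in the same hunk: the `type` description ends its example list with `etc.` although `allowed_values` is a closed list, so dropping the `etc.` in the source schema would stop the generated docs from suggesting free-form values.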
@@ -26615,12 +28616,12 @@ user:
original_fieldset: user
short: User's full name, if available.
type: keyword
- user.changes.group.domain:
- dashed_name: user-changes-group-domain
+ user.effective.group.domain:
+ dashed_name: user-effective-group-domain
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- flat_name: user.changes.group.domain
+ flat_name: user.effective.group.domain
ignore_above: 1024
level: extended
name: domain
@@ -26628,10 +28629,10 @@ user:
original_fieldset: group
short: Name of the directory the group is a member of.
type: keyword
- user.changes.group.id:
- dashed_name: user-changes-group-id
+ user.effective.group.id:
+ dashed_name: user-effective-group-id
description: Unique identifier for the group on the system/platform.
- flat_name: user.changes.group.id
+ flat_name: user.effective.group.id
ignore_above: 1024
level: extended
name: id
@@ -26639,10 +28640,10 @@ user:
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
- user.changes.group.name:
- dashed_name: user-changes-group-name
+ user.effective.group.name:
+ dashed_name: user-effective-group-name
description: Name of the group.
- flat_name: user.changes.group.name
+ flat_name: user.effective.group.name
ignore_above: 1024
level: extended
name: name
@@ -26650,14 +28651,14 @@ user:
original_fieldset: group
short: Name of the group.
type: keyword
- user.changes.hash:
- dashed_name: user-changes-hash
+ user.effective.hash:
+ dashed_name: user-effective-hash
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- flat_name: user.changes.hash
+ flat_name: user.effective.hash
ignore_above: 1024
level: extended
name: hash
@@ -26665,11 +28666,11 @@ user:
original_fieldset: user
short: Unique user hash to correlate information for a user in anonymized form.
type: keyword
- user.changes.id:
- dashed_name: user-changes-id
+ user.effective.id:
+ dashed_name: user-effective-id
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.changes.id
+ flat_name: user.effective.id
ignore_above: 1024
level: core
name: id
@@ -26677,15 +28678,15 @@ user:
original_fieldset: user
short: Unique identifier of the user.
type: keyword
- user.changes.name:
- dashed_name: user-changes-name
+ user.effective.name:
+ dashed_name: user-effective-name
description: Short name or login of the user.
example: a.einstein
- flat_name: user.changes.name
+ flat_name: user.effective.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: user.changes.name.text
+ - flat_name: user.effective.name.text
name: text
type: match_only_text
name: name
@@ -26693,11 +28694,91 @@ user:
original_fieldset: user
short: Short name or login of the user.
type: keyword
- user.changes.roles:
- dashed_name: user-changes-roles
+ user.effective.risk.calculated_level:
+ dashed_name: user-effective-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.effective.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ user.effective.risk.calculated_score:
+ dashed_name: user-effective-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.effective.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ user.effective.risk.calculated_score_norm:
+ dashed_name: user-effective-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: user.effective.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ user.effective.risk.static_level:
+ dashed_name: user-effective-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.effective.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ user.effective.risk.static_score:
+ dashed_name: user-effective-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.effective.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ user.effective.risk.static_score_norm:
+ dashed_name: user-effective-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.effective.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ user.effective.roles:
+ dashed_name: user-effective-roles
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
- flat_name: user.changes.roles
+ flat_name: user.effective.roles
ignore_above: 1024
level: extended
name: roles
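Review bot: the six `user.effective.risk.*` fields added in this hunk are unrelated to the `user.target.entity` to `user.entity` move that the rest of the diff carries out, and they change the generated schema for consumers that map `user.effective`; confirm this is a deliberate reuse of `risk` under `user.effective` (and under `user.target` in a later hunk) rather than a side effect of the generator now expanding nested reusables, and record it in the changelog if intended.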
@@ -26707,162 +28788,271 @@ user:
short: Array of user roles at the time of the event.
synthetic_source_keep: none
type: keyword
- user.domain:
- dashed_name: user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.domain
+ user.email:
+ dashed_name: user-email
+ description: User email address.
+ flat_name: user.email
ignore_above: 1024
level: extended
- name: domain
+ name: email
normalize: []
- short: Name of the directory the user is a member of.
+ otel:
+ - relation: match
+ stability: development
+ short: User email address.
type: keyword
- user.effective.domain:
- dashed_name: user-effective-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.domain
+ user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.entity.display_name
ignore_above: 1024
level: extended
- name: domain
+ multi_fields:
+ - flat_name: user.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
type: keyword
- user.effective.email:
- dashed_name: user-effective-email
- description: User email address.
- flat_name: user.effective.email
+ user.entity.id:
+ dashed_name: user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: user.entity.id
ignore_above: 1024
- level: extended
- name: email
+ level: core
+ name: id
normalize: []
- original_fieldset: user
- short: User email address.
+ original_fieldset: entity
+ short: Unique identifier for the entity.
type: keyword
- user.effective.full_name:
- dashed_name: user-effective-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: user.effective.full_name
+ user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: user.entity.name
ignore_above: 1024
- level: extended
+ level: core
multi_fields:
- - flat_name: user.effective.full_name.text
+ - flat_name: user.entity.name.text
name: text
type: match_only_text
- name: full_name
+ name: name
normalize: []
- original_fieldset: user
- short: User's full name, if available.
+ original_fieldset: entity
+ short: The name of the entity.
type: keyword
- user.effective.group.domain:
- dashed_name: user-effective-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.group.domain
- ignore_above: 1024
+ user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: user.entity.raw
level: extended
- name: domain
+ name: raw
normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
- user.effective.group.id:
- dashed_name: user-effective-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: user.effective.group.id
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.entity.reference
ignore_above: 1024
level: extended
- name: id
+ name: reference
normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
- user.effective.group.name:
- dashed_name: user-effective-group-name
- description: Name of the group.
- flat_name: user.effective.group.name
+ user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: user.entity.source
ignore_above: 1024
- level: extended
- name: name
+ level: core
+ name: source
normalize: []
- original_fieldset: group
- short: Name of the group.
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
type: keyword
- user.effective.hash:
- dashed_name: user-effective-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: user.effective.hash
+ user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.entity.sub_type
ignore_above: 1024
level: extended
- name: hash
- normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
- type: keyword
- user.effective.id:
- dashed_name: user-effective-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.effective.id
- ignore_above: 1024
- level: core
- name: id
+ name: sub_type
normalize: []
- original_fieldset: user
- short: Unique identifier of the user.
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
type: keyword
- user.effective.name:
- dashed_name: user-effective-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: user.effective.name
+ user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.entity.type
ignore_above: 1024
level: core
- multi_fields:
- - flat_name: user.effective.name.text
- name: text
- type: match_only_text
- name: name
- normalize: []
- original_fieldset: user
- short: Short name or login of the user.
- type: keyword
- user.effective.roles:
- dashed_name: user-effective-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: user.effective.roles
- ignore_above: 1024
- level: extended
- name: roles
+ name: type
normalize:
- array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
- type: keyword
- user.email:
- dashed_name: user-email
- description: User email address.
- flat_name: user.email
- ignore_above: 1024
- level: extended
- name: email
- normalize: []
- otel:
- - relation: match
- stability: development
- short: User email address.
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
user.full_name:
dashed_name: user-full-name
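Review bot: the `user.entity.name` description in this hunk reads "this field should mirrors the corresponding *.name value"; the grammar fix belongs in the entity source schema, not in this generated file, so that it propagates to every reuse location. In the same hunk, the `application` allowed value is described as "a software application or service" while `service` is a separate allowed value; tightening the `application` description to exclude services would remove an ambiguity that otherwise yields inconsistent `entity.type` values across integrations.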
@@ -27433,6 +29623,86 @@ user:
original_fieldset: user
short: Short name or login of the user.
type: keyword
+ user.target.risk.calculated_level:
+ dashed_name: user-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ user.target.risk.calculated_score:
+ dashed_name: user-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ user.target.risk.calculated_score_norm:
+ dashed_name: user-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: user.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ user.target.risk.static_level:
+ dashed_name: user-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ user.target.risk.static_score:
+ dashed_name: user-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ user.target.risk.static_score_norm:
+ dashed_name: user-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
user.target.roles:
dashed_name: user-target-roles
description: Array of user roles at the time of the event.
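Review bot: `user.target.risk.static_score_norm` carries `short: A normalized risk score calculated by an external system.` while its `description` says the score is obtained from outside the system, such as from a Threat Intelligence Platform; align the `short` with the description in the risk source schema (the same mismatch is visible for `user.effective.risk.static_score_norm` earlier in this file).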
@@ -27452,10 +29722,10 @@ user:
nestings:
- user.changes
- user.effective
+ - user.entity
- user.group
- user.risk
- user.target
- - user.target.entity
prefix: user.
reusable:
expected:
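Review bot: dropping `user.target.entity` from `nestings` in favour of `user.entity` is a breaking change for any index mappings, ingest pipelines or detection rules already written against `user.target.entity.*`; this should be called out as a breaking change in the changelog with a migration note, since the previous reuse location was already present in the generated artifacts even though the fields are marked beta.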
@@ -27506,9 +29776,9 @@ user:
- full: user.group
schema_name: group
short: User's group relevant to the event.
- - full: user.target.entity
+ - full: user.entity
schema_name: entity
- short: Entity information for the targeted user.
+ short: Fields to describe various types of entities across IT environments.
- full: user.risk
schema_name: risk
short: Fields for describing risk score and level.
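Review bot: the new `short` for `user.entity` (`Fields to describe various types of entities across IT environments.`) is the generic description of the entity field set, whereas the neighbouring reusable entries (`user.group`: `User's group relevant to the event.`, `user.risk`: `Fields for describing risk score and level.`) describe the field set in the context of this nesting; consider a context-specific short such as `Entity information for the user.` in the reuse definition so the generated docs table stays informative.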
diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json
index e4aa87ecda..b8230f27f3 100644
--- a/experimental/generated/elasticsearch/composable/component/cloud.json
+++ b/experimental/generated/elasticsearch/composable/component/cloud.json
@@ -24,6 +24,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
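Review bot: `raw` is mapped here as `"type": "object"` although the field's own description elsewhere in this diff says it is usually a `flattened` field that preserves all source metadata; with an `object` mapping every distinct source key becomes a dynamically mapped subfield, which risks mapping explosion and the resulting indexing rejections once integrations feed provider metadata into `cloud.entity.raw`. If `flattened` is the intent, the source schema should declare that type explicitly so the generated mapping follows; if `object` is intended, the description should be corrected instead.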
@@ -62,6 +122,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
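Review bot: this is the second identical `entity` block in cloud.json (the first sits at line 24 of the file), and the hunk context does not show which parent object this one belongs to; confirm the parent is a location where entity reuse is intended, since each nested reuse adds the full set of fields from this block to the mapping.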
diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json
deleted file mode 100644
index 3b164f8d05..0000000000
--- a/experimental/generated/elasticsearch/composable/component/entity.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "_meta": {
- "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html",
- "ecs_version": "9.2.0+exp"
- },
- "template": {
- "mappings": {
- "properties": {
- "entity": {
- "properties": {
- "attributes": {
- "type": "object"
- },
- "behavior": {
- "type": "object"
- },
- "display_name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_seen_timestamp": {
- "type": "date"
- },
- "lifecycle": {
- "type": "object"
- },
- "metrics": {
- "type": "object"
- },
- "name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "raw": {
- "type": "object"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
-}
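Review bot: deleting the standalone `entity` component template changes what consumers can compose; confirm that the generated composable index template no longer lists this component in its `composed_of` array, and mention the removal in the changelog, because any index template that still composes it will fail to install.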
diff --git a/experimental/generated/elasticsearch/composable/component/orchestrator.json b/experimental/generated/elasticsearch/composable/component/orchestrator.json
index 7812e01076..cefa6a0ec0 100644
--- a/experimental/generated/elasticsearch/composable/component/orchestrator.json
+++ b/experimental/generated/elasticsearch/composable/component/orchestrator.json
@@ -32,6 +32,66 @@
}
}
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"namespace": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json
index d8e0981798..4ed94467e1 100644
--- a/experimental/generated/elasticsearch/composable/component/service.json
+++ b/experimental/generated/elasticsearch/composable/component/service.json
@@ -12,6 +12,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"environment": {
"ignore_above": 1024,
"type": "keyword"
@@ -51,6 +111,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"environment": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json
index df004c6410..0589614766 100644
--- a/experimental/generated/elasticsearch/composable/component/user.json
+++ b/experimental/generated/elasticsearch/composable/component/user.json
@@ -18,6 +18,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -60,6 +120,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
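Review bot: this `risk` block (`calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, `static_score_norm`) has nothing to do with re-nesting `entity`, and it shows up three times in this component and three more times in `legacy/template.json`. That looks like the experimental generated artifacts were stale and regeneration picked up an older, unrelated schema change. Either split the `risk` additions into their own commit with a changelog line, or state in the PR description that the experimental output is being brought back in sync, so that reviewers of the experimental template know which of these mapping changes are intentional.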
@@ -81,6 +165,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -123,6 +267,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
@@ -134,6 +302,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -317,6 +545,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json
index f52b6efecf..391cdac37f 100644
--- a/experimental/generated/elasticsearch/composable/template.json
+++ b/experimental/generated/elasticsearch/composable/template.json
@@ -17,7 +17,6 @@
"ecs_9.2.0-exp_dns",
"ecs_9.2.0-exp_ecs",
"ecs_9.2.0-exp_email",
- "ecs_9.2.0-exp_entity",
"ecs_9.2.0-exp_error",
"ecs_9.2.0-exp_event",
"ecs_9.2.0-exp_faas",
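Review bot: dropping `ecs_9.2.0-exp_entity` from `composed_of` is consistent with the entity fields now arriving only through the components that embed them, but it must land together with the deletion of the standalone entity component file and with any docs, install scripts or test fixtures that still name that component template; a `composed_of` entry for a component that no longer exists makes the index template unloadable, while a leftover `ecs_9.2.0-exp_entity` component that is still installed would silently keep mapping root-level `entity.*`. Worth a quick grep for the name before merging.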
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index aef0ebd12d..cec00d6909 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -290,6 +290,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
@@ -328,6 +388,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
@@ -1306,66 +1426,6 @@
}
}
},
- "entity": {
- "properties": {
- "attributes": {
- "type": "object"
- },
- "behavior": {
- "type": "object"
- },
- "display_name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_seen_timestamp": {
- "type": "date"
- },
- "lifecycle": {
- "type": "object"
- },
- "metrics": {
- "type": "object"
- },
- "name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "raw": {
- "type": "object"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
"error": {
"properties": {
"code": {
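Review bot: removing the root-level `entity` mapping is a breaking change for any pipeline in the experimental track that still writes `entity.id`, `entity.type` and friends at the root. Unless the template's top-level `dynamic` setting (not visible in this hunk) is `false` or `strict`, those documents will keep indexing, but with dynamically guessed types (for example `last_seen_timestamp` as a date only if date detection catches it, `name` without its `match_only_text` multi-field) and without ever appearing under the nested `*.entity` fields that detections and entity analytics will now query. Record this in the changelog as a breaking change and give a one-line migration note (rename root `entity.*` to the appropriate `host.entity.*`, `user.entity.*`, etc. in the ingest pipeline).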
@@ -3014,6 +3074,66 @@
}
}
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"namespace": {
"ignore_above": 1024,
"type": "keyword"
@@ -5323,30 +5443,90 @@
"ignore_above": 1024,
"type": "keyword"
},
- "environment": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
+ "entity": {
"properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "attributes": {
+ "type": "object"
},
- "role": {
- "ignore_above": 1024,
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "environment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ephemeral_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "node": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
"type": "keyword"
},
"roles": {
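Review bot: the `-`/`+` churn for `environment`, `ephemeral_id`, `id`, `name` and `node` in this hunk is diff-alignment noise, not a change: the removed lines and the re-added lines are byte-identical, and the only real addition is the `entity` block in between. Regenerating the diff with `git diff --diff-algorithm=patience` (or `histogram`) produces a hunk that shows just the insertion, which makes it much easier to confirm that nothing in the existing `service` mapping moved.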
@@ -5362,6 +5542,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"environment": {
"ignore_above": 1024,
"type": "keyword"
@@ -8070,6 +8310,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -8112,6 +8412,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
@@ -8133,6 +8457,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -8175,6 +8559,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
@@ -8186,6 +8594,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -8369,6 +8837,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 6f80bcbf8b..a820d8dacc 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -460,6 +460,124 @@
ignore_above: 1024
description: Availability zone in which this host, resource, or service is located.
example: us-east-1c
+ - name: entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: instance.id
level: extended
type: keyword
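Review bot: several description strings in this hunk carry typos that will be copied to every reuse point: `entity.name` says "this field should mirrors the corresponding *.name value" (should be "should mirror"), `entity.id` says "ARNs values in AWS" (should be "ARN values"), and the `entity.sub_type` example list has stray spaces before the commas (`hardware` , `virtual` , `container` , `node` , `cloud_instance`). Fix them in the source schema definition and regenerate rather than patching the generated YAML. While touching `entity.raw`, consider adding a sentence noting that "all source metadata" can include sensitive values (cloud tags, environment-derived attributes) and that integrations should redact before preserving it, since the field is explicitly documented as unmodified source data.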
@@ -504,6 +622,124 @@
description: Availability zone in which this host, resource, or service is located.
example: us-east-1c
default_field: false
+ - name: origin.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: origin.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: origin.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: origin.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: origin.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: origin.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: origin.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: origin.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: origin.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: origin.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: origin.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: origin.instance.id
level: extended
type: keyword
@@ -2136,147 +2372,18 @@
original email message.
example: Spambot v2.5
default_field: false
- - name: entity
- title: Entity
+ - name: error
+ title: Error
group: 2
- description: The entity fields provide a standardized way to represent and categorize
- different types of components within an IT environment, including those that
- don't have dedicated field sets in ECS. An entity represents a discrete, identifiable
- component that can be described by a set of attributes and maintains its identity
- over time.
+ description: 'These fields can represent errors of any kind.
+
+ Use them for errors that happen while fetching events or in cases where the
+ event itself contains an error.'
type: group
default_field: true
fields:
- - name: attributes
- level: extended
- type: object
- description: A set of static or semi-static attributes of the entity. Usually
- boolean or keyword field data types. Use this field set when you need to track
- static or semi-static characteristics of an entity for advanced searching
- and correlation of normalized values across different providers/sources and
- entity types.
- default_field: false
- - name: behavior
- level: extended
- type: object
- description: A set of ephemeral characteristics of the entity, derived from
- observed behaviors during a specific time period. Usually boolean field data
- type. Use this field set when you need to capture and track ephemeral characteristics
- of an entity for advanced searching, correlation of normalized values across
- different providers/sources and entity types.
- default_field: false
- - name: display_name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: An optional field used when a pretty name is desired for entity-centric
- operations. This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- default_field: false
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'A unique identifier for the entity. When multiple identifiers
- exist, this should be the most stable and commonly used identifier that: 1)
- persists across the entity''s lifecycle, 2) ensures uniqueness within its
- scope, 3) is commonly used for queries and correlation, and 4) is readily
- available in most observations (logs/events). For entities with dedicated
- field sets (e.g., host, user), this value should match the corresponding *.id
- field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
- in the raw field.'
- default_field: false
- - name: last_seen_timestamp
- level: extended
- type: date
- description: Indicates the date/time when this entity was last "seen," usually
- based upon the last event/log that is initiated by this entity.
- default_field: false
- - name: lifecycle
- level: extended
- type: object
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- default_field: false
- - name: metrics
- level: extended
- type: object
- description: Field set for any fields containing numeric entity metrics. These
- use dynamic field data type mapping.
- default_field: false
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: match_only_text
- description: The name of the entity. The keyword field enables exact matches
- for filtering and aggregations, while the text field enables full-text search.
- For entities with dedicated field sets (e.g., `host`), this field should mirrors
- the corresponding *.name value.
- default_field: false
- - name: raw
- level: extended
- type: object
- description: Original, unmodified fields from the source system. Usually flattened
- field data type. While the attributes field should be used for normalized
- fields requiring advanced queries, this field preserves all source metadata
- with basic search capabilities.
- default_field: false
- - name: reference
- level: extended
- type: keyword
- ignore_above: 1024
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- default_field: false
- - name: source
- level: core
- type: keyword
- ignore_above: 1024
- description: The module or integration that provided this entity data (similar
- to event.module).
- default_field: false
- - name: sub_type
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The specific type designation for the entity as defined by its
- provider or system. This field provides more granular classification than
- the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
- would all map to entity type `bucket`. `hardware` , `virtual` , `container`
- , `node` , `cloud_instance` would all map to entity type `host`.'
- example: aws_s3_bucket
- default_field: false
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'A standardized high-level classification of the entity. This provides
- a normalized way to group similar entities across different providers or systems.
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
- example: host
- default_field: false
- - name: error
- title: Error
- group: 2
- description: 'These fields can represent errors of any kind.
-
- Use them for errors that happen while fetching events or in cases where the
- event itself contains an error.'
- type: group
- default_field: true
- fields:
- - name: code
- level: core
+ - name: code
+ level: core
type: keyword
ignore_above: 1024
description: Error code describing the error.
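Review bot: the tail of this hunk drops the `error` group header (`- name: error`, `title: Error`, `group: 2`, its description, `type: group`, `default_field: true`, `fields:`) and only re-adds `- name: code` / `level: core` at a different indentation; confirm the group header is re-emitted earlier in the same hunk, otherwise the `error` group loses its title, group number and `default_field: true` while `code` is re-parented to whatever definition now precedes it. The removed top-level `entity` field descriptions are reproduced verbatim in the nested copies added later in this patch, so any wording fixes (for instance "this field should mirrors" in `name`) need to land in the source schema rather than in one copy.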
@@ -5171,6 +5278,124 @@
ignore_above: 1024
description: The version of the cluster.
default_field: false
+ - name: entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: namespace
level: extended
type: keyword
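Review bot: the `entity.name` description has a grammatical slip, "this field should mirrors the corresponding *.name value"; it should read "should mirror". In the same block, `entity.id` says "ARNs values in AWS" (should be "ARN values"), and the `entity.sub_type` examples have stray spaces before the commas ("`hardware` , `virtual` , `container` , `node`"). Since this copy nests under the orchestrator group, "this value should match the corresponding *.id field" is ambiguous about which `*.id` is meant; stating that it is the enclosing field set's `id` and `name` that should be mirrored would remove the guesswork for implementers.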
@@ -9001,30 +9226,148 @@
path (sockets).'
example: 172.26.0.2:5432
default_field: false
- - name: environment
+ - name: entity.attributes
level: extended
- type: keyword
- ignore_above: 1024
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA,
- development, etc.), the environment can identify other instances of the same
- service. Can also group services and applications from the same environment.'
- example: production
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
default_field: false
- - name: ephemeral_id
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
level: extended
type: keyword
ignore_above: 1024
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- - name: id
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
level: core
type: keyword
ignore_above: 1024
- description: 'Unique identifier of the running service. If the service is comprised
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: environment
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA,
+ development, etc.), the environment can identify other instances of the same
+ service. Can also group services and applications from the same environment.'
+ example: production
+ default_field: false
+ - name: ephemeral_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate
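Review bot: `environment`, `ephemeral_id` and `id` are removed and re-added with identical bodies, so the only substantive change is the insertion of the `entity.*` block ahead of them to keep the ordering; while comparing the two sides, note that `ephemeral_id` still carries no `default_field` entry, unlike every neighbouring field. The `entity.raw` description ("Original, unmodified fields from the source system ... preserves all source metadata") invites producers to copy whole source records into the event; for a service entity that source metadata can carry connection details or credentials, so the description should tell implementers to strip secrets before populating `raw`. The "should mirrors" wording recurs in `entity.name`.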
@@ -9113,6 +9456,124 @@
path (sockets).'
example: 172.26.0.2:5432
default_field: false
+ - name: origin.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: origin.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: origin.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: origin.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: origin.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: origin.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: origin.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: origin.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: origin.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: origin.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: origin.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: origin.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: origin.environment
level: extended
type: keyword
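Review bot: `origin.entity.reference` is described as "A URI, URL, or other direct reference to access or locate the entity ... an API endpoint, web console URL, or other addressable location" with no guidance on URLs that embed signed query parameters or tokens; because this is an indexed `keyword`, such values would be stored and searchable verbatim, so the description should say that credential-bearing URLs must be redacted before use. Also, `origin.entity.display_name` warns against correlating with "`*.name` fields for entities with dedicated field sets (e.g., `host`)"; under `service.origin` the dedicated field is `service.origin.name`, so the `host` example is misleading in this nesting. "should mirrors" recurs in `origin.entity.name`.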
@@ -13946,31 +14407,149 @@
ignore_above: 1024
description: User email address.
default_field: false
- - name: changes.full_name
+ - name: changes.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: changes.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: changes.entity.display_name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: match_only_text
- description: User's full name, if available.
- example: Albert Einstein
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
default_field: false
- - name: changes.group.domain
- level: extended
+ - name: changes.entity.id
+ level: core
type: keyword
ignore_above: 1024
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
default_field: false
- - name: changes.group.id
+ - name: changes.entity.last_seen_timestamp
level: extended
- type: keyword
- ignore_above: 1024
- description: Unique identifier for the group on the system/platform.
- default_field: false
- - name: changes.group.name
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: changes.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: changes.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: changes.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: changes.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: changes.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: changes.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: changes.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: changes.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
+ - name: changes.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: User's full name, if available.
+ example: Albert Einstein
+ default_field: false
+ - name: changes.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ default_field: false
+ - name: changes.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: changes.group.name
level: extended
type: keyword
ignore_above: 1024
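Review bot: the re-added `changes.full_name`, `changes.group.domain`, `changes.group.id` and `changes.group.name` definitions are identical to the removed ones, so this hunk is a pure insertion of `changes.entity.*` plus reordering; the interleaved context lines (`level: extended` kept under `changes.entity.display_name`, `type: keyword` / `ignore_above: 1024` kept under `changes.entity.id`) make it read as edits to `full_name` and `group.domain`, and regenerating the patch with `--diff-algorithm=patience` or `histogram` would make the move obvious. Within `changes.entity.display_name`, "(e.g., `host`)" is an odd example for a block nested under `user.changes`, where `user` is the dedicated field set a reader would expect. "should mirrors" recurs in `changes.entity.name`.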
@@ -14003,6 +14582,52 @@
description: Short name or login of the user.
example: a.einstein
default_field: false
+ - name: changes.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: changes.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: changes.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: changes.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: changes.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: changes.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: changes.roles
level: extended
type: keyword
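Review bot: `changes.risk.calculated_score_norm` and `changes.risk.static_score_norm` promise "a range of 0 to 100", but `type: float` enforces nothing; consumers that prioritise on these values should be told in the description whether out-of-range values are invalid or to be clamped. `changes.risk.calculated_level` and `changes.risk.static_level` are free-form `keyword` fields with only `example: High`; without an allowed-values list, producers will emit `high`, `HIGH` and `High` and case-sensitive keyword filters will silently miss some of them. The paired examples (880.73 alongside 88.73, 830.0 alongside 83.0) imply a divide-by-ten normalisation that the text never states; either document the mapping or choose examples that do not suggest one.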
@@ -14031,6 +14656,124 @@
ignore_above: 1024
description: User email address.
default_field: false
+ - name: effective.entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: effective.entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: effective.entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: effective.entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: effective.entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: effective.entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: effective.entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: effective.entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: effective.entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: effective.entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: effective.entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: effective.entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: effective.entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: effective.full_name
level: extended
type: keyword
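Review bot: the `effective.entity.name` description in this hunk reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), and the `effective.entity.id` text says "ARNs values in AWS" (drop the plural on ARN). The `sub_type` and `type` examples also contradict each other: `sub_type` shows `aws_s3_bucket`, which its own description maps to entity type `bucket`, while `type` shows `host`. If this file is generated from the entity schema, fix the wording and pick a matching pair (for example `aws_s3_bucket` with `bucket`) in the schema source and regenerate, rather than patching the output here.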
@@ -14088,6 +14831,52 @@
description: Short name or login of the user.
example: a.einstein
default_field: false
+ - name: effective.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: effective.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: effective.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: effective.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: effective.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: effective.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: effective.roles
level: extended
type: keyword
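Review bot: `effective.risk.calculated_level` and `effective.risk.static_level` in this hunk are free-form keywords with `High` as the only hint at the vocabulary; nothing pins the set of values or their case, so a detection rule that filters on `risk.calculated_level: "High"` silently misses a producer that writes `high` or `HIGH`. List the expected values (via `allowed_values`, or at least spell out the full set in the description) and state the case producers must use. The raw/normalized pairs have a similar gap: `calculated_score` 880.73 beside `calculated_score_norm` 88.73 implies a 0 to 1000 raw scale that the text never states, while only the `_norm` fields promise a 0 to 100 range; either document the raw scale or say it is producer-defined.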
@@ -14100,6 +14889,124 @@
type: keyword
ignore_above: 1024
description: User email address.
+ - name: entity.attributes
+ level: extended
+ type: object
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ default_field: false
+ - name: entity.behavior
+ level: extended
+ type: object
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.display_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ default_field: false
+ - name: entity.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ default_field: false
+ - name: entity.last_seen_timestamp
+ level: extended
+ type: date
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ default_field: false
+ - name: entity.lifecycle
+ level: extended
+ type: object
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ default_field: false
+ - name: entity.metrics
+ level: extended
+ type: object
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ default_field: false
+ - name: entity.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ default_field: false
+ - name: entity.raw
+ level: extended
+ type: object
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ default_field: false
+ - name: entity.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ default_field: false
+ - name: entity.source
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ default_field: false
+ - name: entity.sub_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ default_field: false
+ - name: entity.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ default_field: false
- name: full_name
level: extended
type: keyword
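Review bot: `entity.raw` is mapped as `type: object` in this hunk while its description says the field is "usually flattened"; with a plain object mapping, every distinct key a source system emits under `raw` becomes a new dynamically mapped field, which is the mapping-explosion path the flattened type exists to prevent, and an attacker who controls source metadata (a resource tag, for instance) can drive it. Either map `raw` as `flattened` or state explicitly that integrations must do so. The same question applies to `entity.attributes`, `entity.behavior`, `entity.lifecycle` and `entity.metrics`, which are also bare `object` fields whose descriptions say "Usually boolean or keyword", "Usually date" and "dynamic field data type mapping". Also, the `entity.name` text repeats the "should mirrors" typo from the `effective.entity.name` copy above.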
@@ -14394,6 +15301,52 @@
description: Short name or login of the user.
example: a.einstein
default_field: false
+ - name: target.risk.calculated_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ default_field: false
+ - name: target.risk.calculated_score
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ default_field: false
+ - name: target.risk.calculated_score_norm
+ level: extended
+ type: float
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ default_field: false
+ - name: target.risk.static_level
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ default_field: false
+ - name: target.risk.static_score
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ default_field: false
+ - name: target.risk.static_score_norm
+ level: extended
+ type: float
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ default_field: false
- name: target.roles
level: extended
type: keyword
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index fe8916f4a8..c07c83878f 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -50,12 +50,42 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
9.2.0,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
9.2.0,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+9.2.0,true,cloud,cloud.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,cloud,cloud.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,cloud,cloud.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,cloud,cloud.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,cloud,cloud.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,cloud,cloud.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,cloud,cloud.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,cloud,cloud.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,cloud,cloud.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,cloud,cloud.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,cloud,cloud.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,cloud,cloud.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,cloud,cloud.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,cloud,cloud.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,cloud,cloud.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
9.2.0,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
9.2.0,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
9.2.0,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
9.2.0,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
9.2.0,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+9.2.0,true,cloud,cloud.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,cloud,cloud.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,cloud,cloud.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,cloud,cloud.origin.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,cloud,cloud.origin.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,cloud,cloud.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,cloud,cloud.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,cloud,cloud.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,cloud,cloud.origin.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,cloud,cloud.origin.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,cloud,cloud.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,cloud,cloud.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,cloud,cloud.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,cloud,cloud.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,cloud,cloud.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
9.2.0,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine.
9.2.0,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
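Review bot: `cloud.entity.type` and `cloud.origin.entity.type` carry Normalization `array` in this hunk, yet the row describes the field as "Standardized high-level classification of the entity" with the single example `host`, and the YAML description above calls it "a standardized high-level classification". If one entity can legitimately carry several types, say so and show an array example; if not, drop the `array` normalization so the CSV does not advertise multi-valued data for a field consumers will treat as a single key. The Example column is also empty for `cloud.entity.id`, `name` and `reference`; a cloud-shaped example for `id` (an instance or account identifier rather than the bucket used for `sub_type`) would help implementers more.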
@@ -253,21 +283,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message.
9.2.0,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient
9.2.0,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email.
-9.2.0,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
-9.2.0,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
-9.2.0,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.2.0,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
-9.2.0,true,entity,entity.id,keyword,core,,,Unique identifier for the entity.
-9.2.0,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
-9.2.0,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
-9.2.0,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
-9.2.0,true,entity,entity.name,keyword,core,,,The name of the entity.
-9.2.0,true,entity,entity.name.text,match_only_text,core,,,The name of the entity.
-9.2.0,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system."
-9.2.0,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
-9.2.0,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data.
-9.2.0,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
-9.2.0,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,error,error.code,keyword,core,,,Error code describing the error.
9.2.0,true,error,error.id,keyword,core,,,Unique identifier for the error.
9.2.0,true,error,error.message,match_only_text,core,,,Error message.
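Review bot: this hunk deletes the root-level `entity.*` rows while every remaining row still carries ECS_Version 9.2.0. If root `entity.*` shipped in an earlier release, removing it inside the same major version is a breaking change: any index template, ingest pipeline or detection rule that keys on `entity.id` or `entity.type` at the root stops matching without any mapping error to flag it. Add a changelog entry that names the removal and the replacement nesting, and consider keeping the root rows through a deprecation window instead of dropping them outright.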
@@ -638,6 +653,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
9.2.0,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
9.2.0,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
+9.2.0,true,orchestrator,orchestrator.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,orchestrator,orchestrator.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,orchestrator,orchestrator.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,orchestrator,orchestrator.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,orchestrator,orchestrator.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,orchestrator,orchestrator.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,orchestrator,orchestrator.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,orchestrator,orchestrator.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,orchestrator,orchestrator.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,orchestrator,orchestrator.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,orchestrator,orchestrator.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,orchestrator,orchestrator.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,orchestrator,orchestrator.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,orchestrator,orchestrator.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,orchestrator,orchestrator.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
9.2.0,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
9.2.0,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource.
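Review bot: `orchestrator.entity.sub_type` inherits the example `aws_s3_bucket` and `orchestrator.entity.type` inherits `host`, neither of which is an object a container orchestrator manages; the examples are copied verbatim into every nesting. Either set nesting-specific examples where `entity` is reused (a pod or node type here) or give the shared fields provider-neutral examples, otherwise the CSV suggests values that an orchestrator integration should never emit.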
@@ -1154,6 +1184,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,server,server.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
9.2.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+9.2.0,true,service,service.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,service,service.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,service,service.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,service,service.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,service,service.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,service,service.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,service,service.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,service,service.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,service,service.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,service,service.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,service,service.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,service,service.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,service,service.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,service,service.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,service,service.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,service,service.environment,keyword,extended,,production,Environment of the service.
9.2.0,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
9.2.0,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
@@ -1162,6 +1207,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
9.2.0,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
9.2.0,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
+9.2.0,true,service,service.origin.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,service,service.origin.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,service,service.origin.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,service,service.origin.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,service,service.origin.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,service,service.origin.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,service,service.origin.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,service,service.origin.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,service,service.origin.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,service,service.origin.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,service,service.origin.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,service,service.origin.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,service,service.origin.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,service,service.origin.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,service,service.origin.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
9.2.0,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
9.2.0,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
@@ -1786,6 +1846,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,url,url.username,keyword,extended,,,Username of the request.
9.2.0,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
9.2.0,true,user,user.changes.email,keyword,extended,,,User email address.
+9.2.0,true,user,user.changes.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,user,user.changes.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,user,user.changes.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,user,user.changes.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,user,user.changes.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,user,user.changes.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,user,user.changes.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,user,user.changes.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,user,user.changes.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,user,user.changes.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,user,user.changes.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,user,user.changes.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,user,user.changes.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,user,user.changes.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,user,user.changes.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
9.2.0,true,user,user.changes.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.2.0,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
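Review bot: nesting `entity` under `user.changes` adds fifteen rows (thirteen fields plus the two `.text` multi-fields) for the post-change copy of the user, and the same block is repeated under every other nesting in this patch (cloud, cloud.origin, orchestrator, service, service.origin, user.effective), which is over a hundred new mapped fields before `user.target` and `host.entity` are counted; that matters against the default total-fields limit on ECS-based indices. State whether `user.changes.entity` is actually expected to be populated (a changes nesting normally duplicates what `user.entity` already says), and if not, exclude it rather than carrying the mapping everywhere `user` is reused.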
@@ -1795,10 +1870,31 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.2.0,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user.
9.2.0,true,user,user.changes.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.2.0,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.2.0,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.2.0,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
9.2.0,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
9.2.0,true,user,user.effective.email,keyword,extended,,,User email address.
+9.2.0,true,user,user.effective.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,user,user.effective.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,user,user.effective.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,user,user.effective.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,user,user.effective.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,user,user.effective.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,user,user.effective.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,user,user.effective.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,user,user.effective.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,user,user.effective.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,user,user.effective.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,user,user.effective.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,user,user.effective.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,user,user.effective.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,user,user.effective.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
9.2.0,true,user,user.effective.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.2.0,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
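Review bot: the `example` values on `user.effective.entity.type` (`host`) and `user.effective.entity.sub_type` (`aws_s3_bucket`) are inherited from the generic entity field set and are not plausible for an entity nested under a user; a reader of the generated CSV will take them as guidance. Consider overriding `example` in the reuse definition so these rows show `user` for `type` and a user-appropriate `sub_type`, or leave the example column empty as the other `user.effective.entity.*` rows do.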
@@ -1808,8 +1904,29 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.2.0,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user.
9.2.0,true,user,user.effective.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.2.0,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.2.0,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.2.0,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0,true,user,user.email,keyword,extended,,,User email address.
+9.2.0,true,user,user.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
+9.2.0,true,user,user.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period."
+9.2.0,true,user,user.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,user,user.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations.
+9.2.0,true,user,user.entity.id,keyword,core,,,Unique identifier for the entity.
+9.2.0,true,user,user.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen."""
+9.2.0,true,user,user.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity.
+9.2.0,true,user,user.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics.
+9.2.0,true,user,user.entity.name,keyword,core,,,The name of the entity.
+9.2.0,true,user,user.entity.name.text,match_only_text,core,,,The name of the entity.
+9.2.0,true,user,user.entity.raw,object,extended,,,"Original, unmodified fields from the source system."
+9.2.0,true,user,user.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity."
+9.2.0,true,user,user.entity.source,keyword,core,,,Source module or integration that provided the entity data.
+9.2.0,true,user,user.entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system.
+9.2.0,true,user,user.entity.type,keyword,core,array,host,Standardized high-level classification of the entity.
9.2.0,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
9.2.0,true,user,user.full_name.text,match_only_text,extended,,Albert Einstein,"User's full name, if available."
9.2.0,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
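Review bot: `user.effective.risk.calculated_score_norm` and `user.effective.risk.static_score_norm` are described as "normalized" but neither description states the range they are normalized to; the examples (88.73 and 83.0 next to raw scores of 880.73 and 830.0) invite a reader to infer 0 to 100, and detection rules that threshold on a `*_norm` field depend on that range being guaranteed, so state it explicitly in the description. Minor: `user.entity.type` carries the same `host` example as the `user.effective.entity.type` row, which is not a plausible value for an entity nested under `user`.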
@@ -1852,6 +1969,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
9.2.0,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.2.0,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
9.2.0,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
+9.2.0,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0,true,user,user.target.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+9.2.0,true,user,user.target.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+9.2.0,true,user,user.target.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0,true,user,user.target.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+9.2.0,true,user,user.target.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.2.0,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.2.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
9.2.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
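Review bot: `user.target` receives only `risk.*` rows here, while `user.effective` and `user` in the preceding hunks each receive both `risk.*` and a full `entity.*` block; if leaving `entity.*` off `user.target` is intentional, say so in the change description, because consumers mapping both sides of a privilege-change or impersonation event will otherwise expect `user.target.entity.id` to exist alongside `user.effective.entity.id`.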
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 8336eaac97..06378fca8d 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -628,6 +628,254 @@ cloud.availability_zone:
stability: development
short: Availability zone in which this host, resource, or service is located.
type: keyword
+cloud.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: cloud.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+cloud.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: cloud.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+cloud.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: cloud.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+cloud.entity.id:
+ dashed_name: cloud-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: cloud.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+cloud.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: cloud.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+cloud.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+cloud.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: cloud.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+cloud.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: cloud.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+cloud.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: cloud.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+cloud.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+cloud.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: cloud.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+cloud.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+cloud.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
cloud.instance.id:
dashed_name: cloud-instance-id
description: Instance ID of the host machine.
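Review bot: `cloud.entity.raw` is mapped as `type: object` while its own description says it is "Usually flattened field data type" and "preserves all source metadata"; with an `object` mapping, arbitrary keys copied from the source system become new index fields, so either map it as `flattened` to match the description or document the dynamic-mapping behaviour and its limits. Two smaller points in the same block: `cloud.entity.id` is the only `cloud.entity.*` field without the `beta:` marker its siblings carry, and the `cloud.entity.name` description reads "this field should mirrors the corresponding *.name value" (should be "should mirror").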
@@ -702,37 +950,285 @@ cloud.origin.availability_zone:
original_fieldset: cloud
short: Availability zone in which this host, resource, or service is located.
type: keyword
-cloud.origin.instance.id:
- dashed_name: cloud-origin-instance-id
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- flat_name: cloud.origin.instance.id
- ignore_above: 1024
+cloud.origin.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: cloud.origin.entity.attributes
level: extended
- name: instance.id
+ name: attributes
normalize: []
- original_fieldset: cloud
- short: Instance ID of the host machine.
- type: keyword
-cloud.origin.instance.name:
- dashed_name: cloud-origin-instance-name
- description: Instance name of the host machine.
- flat_name: cloud.origin.instance.name
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+cloud.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: cloud.origin.entity.behavior
level: extended
- name: instance.name
+ name: behavior
normalize: []
- original_fieldset: cloud
- short: Instance name of the host machine.
- type: keyword
-cloud.origin.machine.type:
- dashed_name: cloud-origin-machine-type
- description: Machine type of the host machine.
- example: t2.medium
- flat_name: cloud.origin.machine.type
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+cloud.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.origin.entity.display_name
ignore_above: 1024
level: extended
- name: machine.type
+ multi_fields:
+ - flat_name: cloud.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+cloud.origin.entity.id:
+ dashed_name: cloud-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: cloud.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+cloud.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: cloud.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+cloud.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+cloud.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: cloud.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+cloud.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: cloud.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+cloud.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: cloud.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+cloud.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+cloud.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: cloud.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+cloud.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+cloud.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+cloud.origin.instance.id:
+ dashed_name: cloud-origin-instance-id
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ flat_name: cloud.origin.instance.id
+ ignore_above: 1024
+ level: extended
+ name: instance.id
+ normalize: []
+ original_fieldset: cloud
+ short: Instance ID of the host machine.
+ type: keyword
+cloud.origin.instance.name:
+ dashed_name: cloud-origin-instance-name
+ description: Instance name of the host machine.
+ flat_name: cloud.origin.instance.name
+ ignore_above: 1024
+ level: extended
+ name: instance.name
+ normalize: []
+ original_fieldset: cloud
+ short: Instance name of the host machine.
+ type: keyword
+cloud.origin.machine.type:
+ dashed_name: cloud-origin-machine-type
+ description: Machine type of the host machine.
+ example: t2.medium
+ flat_name: cloud.origin.machine.type
+ ignore_above: 1024
+ level: extended
+ name: machine.type
normalize: []
original_fieldset: cloud
short: Machine type of the host machine.
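Review bot: `cloud.origin.entity.raw` is `type: object` although its description says flattened, `cloud.origin.entity.id` lacks the `beta:` marker that every other `cloud.origin.entity.*` field carries, and the `cloud.origin.entity.name` description says "should mirrors"; since these are generated from the shared entity field set, the fix belongs in the source schema, not in this file. The removal and re-addition of `cloud.origin.instance.id`, `cloud.origin.instance.name` and `cloud.origin.machine.type` is ordering-only: the re-added blocks are identical line for line to the removed ones, so no behaviour changes there.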
@@ -3337,260 +3833,25 @@ email.x_mailer:
normalize: []
short: Application that drafted email.
type: keyword
-entity.attributes:
- beta: This field is beta and subject to change.
- dashed_name: entity-attributes
- description: A set of static or semi-static attributes of the entity. Usually boolean
- or keyword field data types. Use this field set when you need to track static
- or semi-static characteristics of an entity for advanced searching and correlation
- of normalized values across different providers/sources and entity types.
- flat_name: entity.attributes
- level: extended
- name: attributes
- normalize: []
- short: A set of static or semi-static attributes of the entity.
- type: object
-entity.behavior:
- beta: This field is beta and subject to change.
- dashed_name: entity-behavior
- description: A set of ephemeral characteristics of the entity, derived from observed
- behaviors during a specific time period. Usually boolean field data type. Use
- this field set when you need to capture and track ephemeral characteristics of
- an entity for advanced searching, correlation of normalized values across different
- providers/sources and entity types.
- flat_name: entity.behavior
- level: extended
- name: behavior
+error.code:
+ dashed_name: error-code
+ description: Error code describing the error.
+ flat_name: error.code
+ ignore_above: 1024
+ level: core
+ name: code
normalize: []
- short: A set of ephemeral characteristics of the entity, derived from observed behaviors
- during a specific time period.
- type: object
-entity.display_name:
- beta: This field is beta and subject to change.
- dashed_name: entity-display-name
- description: An optional field used when a pretty name is desired for entity-centric
- operations. This field should not be used for correlation with `*.name` fields
- for entities with dedicated field sets (e.g., `host`).
- flat_name: entity.display_name
+ short: Error code describing the error.
+ type: keyword
+error.id:
+ dashed_name: error-id
+ description: Unique identifier for the error.
+ flat_name: error.id
ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: entity.display_name.text
- name: text
- type: match_only_text
- name: display_name
+ level: core
+ name: id
normalize: []
- short: An optional field used when a pretty name is desired for entity-centric operations.
- type: keyword
-entity.id:
- dashed_name: entity-id
- description: 'A unique identifier for the entity. When multiple identifiers exist,
- this should be the most stable and commonly used identifier that: 1) persists
- across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
- commonly used for queries and correlation, and 4) is readily available in most
- observations (logs/events). For entities with dedicated field sets (e.g., host,
- user), this value should match the corresponding *.id field. Alternative identifiers
- (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
- flat_name: entity.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- short: Unique identifier for the entity.
- type: keyword
-entity.last_seen_timestamp:
- beta: This field is beta and subject to change.
- dashed_name: entity-last-seen-timestamp
- description: Indicates the date/time when this entity was last "seen," usually based
- upon the last event/log that is initiated by this entity.
- flat_name: entity.last_seen_timestamp
- level: extended
- name: last_seen_timestamp
- normalize: []
- short: Indicates the date/time when this entity was last "seen."
- type: date
-entity.lifecycle:
- beta: This field is beta and subject to change.
- dashed_name: entity-lifecycle
- description: A set of temporal characteristics of the entity. Usually date field
- data type. Use this field set when you need to track temporal characteristics
- of an entity for advanced searching and correlation of normalized values across
- different providers/sources and entity types.
- flat_name: entity.lifecycle
- level: extended
- name: lifecycle
- normalize: []
- short: A set of temporal characteristics of the entity.
- type: object
-entity.metrics:
- beta: This field is beta and subject to change.
- dashed_name: entity-metrics
- description: Field set for any fields containing numeric entity metrics. These use
- dynamic field data type mapping.
- flat_name: entity.metrics
- level: extended
- name: metrics
- normalize: []
- short: Field set for any fields containing numeric entity metrics.
- type: object
-entity.name:
- beta: This field is beta and subject to change.
- dashed_name: entity-name
- description: The name of the entity. The keyword field enables exact matches for
- filtering and aggregations, while the text field enables full-text search. For
- entities with dedicated field sets (e.g., `host`), this field should mirrors the
- corresponding *.name value.
- flat_name: entity.name
- ignore_above: 1024
- level: core
- multi_fields:
- - flat_name: entity.name.text
- name: text
- type: match_only_text
- name: name
- normalize: []
- short: The name of the entity.
- type: keyword
-entity.raw:
- beta: This field is beta and subject to change.
- dashed_name: entity-raw
- description: Original, unmodified fields from the source system. Usually flattened
- field data type. While the attributes field should be used for normalized fields
- requiring advanced queries, this field preserves all source metadata with basic
- search capabilities.
- flat_name: entity.raw
- level: extended
- name: raw
- normalize: []
- short: Original, unmodified fields from the source system.
- type: object
-entity.reference:
- beta: This field is beta and subject to change.
- dashed_name: entity-reference
- description: A URI, URL, or other direct reference to access or locate the entity
- in its source system. This could be an API endpoint, web console URL, or other
- addressable location. Format may vary by entity type and source system.
- flat_name: entity.reference
- ignore_above: 1024
- level: extended
- name: reference
- normalize: []
- short: A URI, URL, or other direct reference to access or locate the entity.
- type: keyword
-entity.source:
- beta: This field is beta and subject to change.
- dashed_name: entity-source
- description: The module or integration that provided this entity data (similar to
- event.module).
- flat_name: entity.source
- ignore_above: 1024
- level: core
- name: source
- normalize: []
- short: Source module or integration that provided the entity data.
- type: keyword
-entity.sub_type:
- beta: This field is beta and subject to change.
- dashed_name: entity-sub-type
- description: 'The specific type designation for the entity as defined by its provider
- or system. This field provides more granular classification than the type field.
- Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
- would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
- `node` , `cloud_instance` would all map to entity type `host`.'
- example: aws_s3_bucket
- flat_name: entity.sub_type
- ignore_above: 1024
- level: extended
- name: sub_type
- normalize: []
- short: The specific type designation for the entity as defined by its provider or
- system.
- type: keyword
-entity.type:
- allowed_values:
- - description: Represents a storage container or bucket, typically used for object
- storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
- Azure Blob containers, and other cloud storage services. Buckets are used to
- organize and store files, objects, or data in cloud environments.
- name: bucket
- - description: Represents a database system or database instance. This includes
- relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
- Cassandra, DynamoDB), time-series databases, and other data storage systems.
- The entity may represent the entire database system or a specific database instance.
- name: database
- - description: Represents a containerized application or process. This includes
- Docker containers, Kubernetes pods, and other containerization technologies.
- Containers encapsulate applications and their dependencies, providing isolation
- and portability across different environments.
- name: container
- - description: Represents a serverless function or Function-as-a-Service (FaaS)
- component. This includes AWS Lambda functions, Azure Functions, Google Cloud
- Functions, and other serverless computing resources. Functions are typically
- event-driven and execute code without managing the underlying infrastructure.
- name: function
- - description: Represents a message queue or messaging system. This includes message
- brokers, event queues, and other messaging infrastructure components such as
- Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
- asynchronous communication between applications and services.
- name: queue
- - description: Represents a computing host or machine. This includes physical servers,
- virtual machines, cloud instances, and other computing resources that can run
- applications or services. Hosts provide the fundamental computing infrastructure
- for other entity types.
- name: host
- - description: Represents a user account or identity. This includes human users,
- service accounts, system accounts, and other identity entities that can interact
- with systems, applications, or services. Users may have various roles, permissions,
- and attributes associated with their identity.
- name: user
- - description: Represents a software application or service. This includes web applications,
- mobile applications, desktop applications, and other software components that
- provide functionality to users or other systems. Applications may run on various
- infrastructure components and can span multiple hosts or containers.
- name: application
- - description: Represents a service or microservice component. This includes web
- services, APIs, background services, and other service-oriented architecture
- components. Services provide specific functionality and may communicate with
- other services to fulfill business requirements.
- name: service
- - description: Represents a user session or connection session. This includes user
- login sessions, database connections, network sessions, and other temporary
- interactive or persistent connections between users, applications, or systems.
- name: session
- beta: This field is beta and subject to change.
- dashed_name: entity-type
- description: 'A standardized high-level classification of the entity. This provides
- a normalized way to group similar entities across different providers or systems.
- Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
- `user`, `application`, `session`, etc.'
- example: host
- flat_name: entity.type
- ignore_above: 1024
- level: core
- name: type
- normalize:
- - array
- short: Standardized high-level classification of the entity.
- type: keyword
-error.code:
- dashed_name: error-code
- description: Error code describing the error.
- flat_name: error.code
- ignore_above: 1024
- level: core
- name: code
- normalize: []
- short: Error code describing the error.
- type: keyword
-error.id:
- dashed_name: error-id
- description: Unique identifier for the error.
- flat_name: error.id
- ignore_above: 1024
- level: core
- name: id
- normalize: []
- short: Unique identifier for the error.
+ short: Unique identifier for the error.
type: keyword
error.message:
dashed_name: error-message
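Review bot: this hunk removes every root-level `entity.*` definition (`-entity.attributes:` through the `allowed_values` of `-entity.type:`) from the generated file, which is a breaking change for any ingest pipeline, index template or detection rule that populates or queries `entity.id`, `entity.type` or `entity.name` at the event root; make sure the changelog records the removal and names the nested locations (`*.entity.*`) that replace it. Separately, `entity.id` is the only member of the set without the `beta: This field is beta and subject to change.` marker that all its siblings carry; if that is deliberate, a comment in the schema source would save the next reader the question. The `error.code` / `error.id` lines that appear as both `-` and `+` below are pure diff realignment (the content is identical), so nothing to change there.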
@@ -8997,52 +9258,300 @@ orchestrator.cluster.version:
normalize: []
short: The version of the cluster.
type: keyword
-orchestrator.namespace:
- dashed_name: orchestrator-namespace
- description: Namespace in which the action is taking place.
- example: kube-system
- flat_name: orchestrator.namespace
- ignore_above: 1024
+orchestrator.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: orchestrator.entity.attributes
level: extended
- name: namespace
+ name: attributes
normalize: []
- short: Namespace in which the action is taking place.
- type: keyword
-orchestrator.organization:
- dashed_name: orchestrator-organization
- description: Organization affected by the event (for multi-tenant orchestrator setups).
- example: elastic
- flat_name: orchestrator.organization
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+orchestrator.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: orchestrator.entity.behavior
level: extended
- name: organization
+ name: behavior
normalize: []
- short: Organization affected by the event (for multi-tenant orchestrator setups).
- type: keyword
-orchestrator.resource.annotation:
- dashed_name: orchestrator-resource-annotation
- description: The list of annotations added to the resource.
- example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']'
- flat_name: orchestrator.resource.annotation
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+orchestrator.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: orchestrator.entity.display_name
ignore_above: 1024
level: extended
- name: resource.annotation
- normalize:
- - array
- short: The list of annotations added to the resource.
- synthetic_source_keep: none
+ multi_fields:
+ - flat_name: orchestrator.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
type: keyword
-orchestrator.resource.id:
- dashed_name: orchestrator-resource-id
- description: Unique ID of the resource being acted upon.
- flat_name: orchestrator.resource.id
+orchestrator.entity.id:
+ dashed_name: orchestrator-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: orchestrator.entity.id
ignore_above: 1024
- level: extended
- name: resource.id
+ level: core
+ name: id
normalize: []
- short: Unique ID of the resource being acted upon.
+ original_fieldset: entity
+ short: Unique identifier for the entity.
type: keyword
-orchestrator.resource.ip:
+orchestrator.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: orchestrator.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+orchestrator.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: orchestrator.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+orchestrator.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: orchestrator.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+orchestrator.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: orchestrator.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: orchestrator.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+orchestrator.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: orchestrator.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+orchestrator.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: orchestrator.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+orchestrator.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: orchestrator.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+orchestrator.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: orchestrator.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+orchestrator.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: orchestrator.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+orchestrator.namespace:
+ dashed_name: orchestrator-namespace
+ description: Namespace in which the action is taking place.
+ example: kube-system
+ flat_name: orchestrator.namespace
+ ignore_above: 1024
+ level: extended
+ name: namespace
+ normalize: []
+ short: Namespace in which the action is taking place.
+ type: keyword
+orchestrator.organization:
+ dashed_name: orchestrator-organization
+ description: Organization affected by the event (for multi-tenant orchestrator setups).
+ example: elastic
+ flat_name: orchestrator.organization
+ ignore_above: 1024
+ level: extended
+ name: organization
+ normalize: []
+ short: Organization affected by the event (for multi-tenant orchestrator setups).
+ type: keyword
+orchestrator.resource.annotation:
+ dashed_name: orchestrator-resource-annotation
+ description: The list of annotations added to the resource.
+ example: '[''key1:value1'', ''key2:value2'', ''key3:value3'']'
+ flat_name: orchestrator.resource.annotation
+ ignore_above: 1024
+ level: extended
+ name: resource.annotation
+ normalize:
+ - array
+ short: The list of annotations added to the resource.
+ synthetic_source_keep: none
+ type: keyword
+orchestrator.resource.id:
+ dashed_name: orchestrator-resource-id
+ description: Unique ID of the resource being acted upon.
+ flat_name: orchestrator.resource.id
+ ignore_above: 1024
+ level: extended
+ name: resource.id
+ normalize: []
+ short: Unique ID of the resource being acted upon.
+ type: keyword
+orchestrator.resource.ip:
dashed_name: orchestrator-resource-ip
description: 'IP address assigned to the resource associated with the event being
observed. In the case of a Kubernetes Pod, this array would contain only one element:
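Review bot: the `allowed_values` of `orchestrator.entity.type` (`bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `service`, `session`) are inherited unchanged from the shared entity definition and none of them names an orchestrator-level resource such as a cluster or namespace (only `container` mentions Kubernetes pods); state which value an orchestrator entity is expected to carry, or extend the list, since a `keyword` with `allowed_values` will otherwise fail validation for the most common orchestrator resources. Two wording defects are copied in with the nested fields and should be fixed in the entity schema source rather than in this generated file: `this field should mirrors the corresponding *.name value` in `orchestrator.entity.name` (should be `should mirror`), and `ARNs values in AWS` in `orchestrator.entity.id` (`ARN values`). As with the root-level set, `orchestrator.entity.id` lacks the `beta:` marker that every sibling field here carries; keep that consistent one way or the other.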
@@ -15218,38 +15727,286 @@ service.address:
normalize: []
short: Address of this service.
type: keyword
-service.environment:
+service.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA, development,
- etc.), the environment can identify other instances of the same service. Can also
- group services and applications from the same environment.'
- example: production
- flat_name: service.environment
- ignore_above: 1024
+ dashed_name: service-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: service.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- otel:
- - attribute: deployment.environment.name
- relation: equivalent
- stability: development
- short: Environment of the service.
- type: keyword
-service.ephemeral_id:
- dashed_name: service-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- flat_name: service.ephemeral_id
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+service.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: service.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+service.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.entity.display_name
ignore_above: 1024
level: extended
- name: ephemeral_id
+ multi_fields:
+ - flat_name: service.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- short: Ephemeral identifier of this service.
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+service.entity.id:
+ dashed_name: service-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: service.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+service.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: service.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+service.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+service.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: service.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+service.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: service.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+service.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: service.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+service.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+service.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: service.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+service.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+service.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+service.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA, development,
+ etc.), the environment can identify other instances of the same service. Can also
+ group services and applications from the same environment.'
+ example: production
+ flat_name: service.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ otel:
+ - attribute: deployment.environment.name
+ relation: equivalent
+ stability: development
+ short: Environment of the service.
+ type: keyword
+service.ephemeral_id:
+ dashed_name: service-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ flat_name: service.ephemeral_id
+ ignore_above: 1024
+ level: extended
+ name: ephemeral_id
+ normalize: []
+ short: Ephemeral identifier of this service.
type: keyword
service.id:
dashed_name: service-id
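Review bot: the `description:` under `service.entity.name` reads "this field should mirrors the corresponding *.name value"; it should be "should mirror", and since the same sentence is repeated in every expanded copy of the entity field set in this change, the fix belongs in the entity schema source this file is generated from rather than in each copy. In the `service.entity.sub_type` description the example list has stray spaces before the commas (`hardware` , `virtual` , `container` , `node` , `cloud_instance`), and that sentence says `container` maps to entity type `host` while `container` is itself an allowed value of `service.entity.type` with its own description, so the example or the allowed value should be reconciled. Minor: `service.entity.type` is declared `normalize: - array` but its sibling `service.entity.sub_type` is not; if one entity can legitimately carry several types, the `type` description should say so, otherwise the two should match.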
@@ -15379,35 +16136,283 @@ service.origin.address:
original_fieldset: service
short: Address of this service.
type: keyword
-service.origin.environment:
+service.origin.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-origin-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA, development,
- etc.), the environment can identify other instances of the same service. Can also
- group services and applications from the same environment.'
- example: production
- flat_name: service.origin.environment
- ignore_above: 1024
+ dashed_name: service-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: service.origin.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- original_fieldset: service
- short: Environment of the service.
- type: keyword
-service.origin.ephemeral_id:
- dashed_name: service-origin-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- flat_name: service.origin.ephemeral_id
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+service.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: service.origin.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+service.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.origin.entity.display_name
ignore_above: 1024
level: extended
- name: ephemeral_id
+ multi_fields:
+ - flat_name: service.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- original_fieldset: service
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+service.origin.entity.id:
+ dashed_name: service-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: service.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+service.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: service.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+service.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+service.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: service.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+service.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: service.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+service.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: service.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+service.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+service.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: service.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+service.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+service.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+service.origin.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA, development,
+ etc.), the environment can identify other instances of the same service. Can also
+ group services and applications from the same environment.'
+ example: production
+ flat_name: service.origin.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ original_fieldset: service
+ short: Environment of the service.
+ type: keyword
+service.origin.ephemeral_id:
+ dashed_name: service-origin-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ flat_name: service.origin.ephemeral_id
+ ignore_above: 1024
+ level: extended
+ name: ephemeral_id
+ normalize: []
+ original_fieldset: service
short: Ephemeral identifier of this service.
type: keyword
service.origin.id:
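Review bot: `service.origin.entity.id` is the only field in the expanded entity set in this hunk without a `beta: This field is beta and subject to change.` line (compare `service.origin.entity.attributes`, `.behavior`, `.display_name`, `.last_seen_timestamp` and the rest); if the whole field set is beta, `id` should carry the marker as well, and if the omission is deliberate it deserves a note. In the same field's description, "ARNs values in AWS" should read "ARN values in AWS", and the `service.origin.entity.name` description repeats the "should mirrors" wording. Note also that nesting `entity` under `service` makes it materialize under every reuse of `service`, which is why `service.origin.entity.*` shows up here; the removal and re-addition of `service.origin.environment` and `service.origin.ephemeral_id` is only the alphabetical reordering that results (their content is unchanged), but it is worth confirming that reuse into `service.origin` and the other `service` reuse locations is intended and documented alongside the top-level nesting list.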
@@ -23535,21 +24540,741 @@ user.changes.email:
description: User email address.
flat_name: user.changes.email
ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+user.changes.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: user.changes.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+user.changes.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: user.changes.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+user.changes.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.changes.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+user.changes.entity.id:
+ dashed_name: user-changes-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: user.changes.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+user.changes.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: user.changes.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+user.changes.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.changes.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+user.changes.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: user.changes.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+user.changes.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: user.changes.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+user.changes.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: user.changes.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+user.changes.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.changes.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+user.changes.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: user.changes.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+user.changes.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.changes.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+user.changes.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.changes.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+user.changes.full_name:
+ dashed_name: user-changes-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: user.changes.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+user.changes.group.domain:
+ dashed_name: user-changes-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.changes.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+user.changes.group.id:
+ dashed_name: user-changes-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: user.changes.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+user.changes.group.name:
+ dashed_name: user-changes-group-name
+ description: Name of the group.
+ flat_name: user.changes.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+user.changes.hash:
+ dashed_name: user-changes-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: user.changes.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+user.changes.id:
+ dashed_name: user-changes-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: user.changes.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+user.changes.name:
+ dashed_name: user-changes-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: user.changes.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+user.changes.risk.calculated_level:
+ dashed_name: user-changes-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.changes.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+user.changes.risk.calculated_score:
+ dashed_name: user-changes-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.changes.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+user.changes.risk.calculated_score_norm:
+ dashed_name: user-changes-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: user.changes.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+user.changes.risk.static_level:
+ dashed_name: user-changes-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.changes.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+user.changes.risk.static_score:
+ dashed_name: user-changes-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.changes.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+user.changes.risk.static_score_norm:
+ dashed_name: user-changes-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.changes.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+user.changes.roles:
+ dashed_name: user-changes-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: user.changes.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+user.domain:
+ dashed_name: user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ short: Name of the directory the user is a member of.
+ type: keyword
+user.effective.domain:
+ dashed_name: user-effective-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.effective.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+user.effective.email:
+ dashed_name: user-effective-email
+ description: User email address.
+ flat_name: user.effective.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+user.effective.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: user.effective.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+user.effective.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: user.effective.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+user.effective.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.effective.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.effective.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
+ type: keyword
+user.effective.entity.id:
+ dashed_name: user-effective-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: user.effective.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+user.effective.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: user.effective.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+user.effective.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.effective.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+user.effective.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: user.effective.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+user.effective.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: user.effective.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.effective.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+user.effective.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: user.effective.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+user.effective.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.effective.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+user.effective.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: user.effective.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+user.effective.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.effective.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+user.effective.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.effective.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
-user.changes.full_name:
- dashed_name: user-changes-full-name
+user.effective.full_name:
+ dashed_name: user-effective-full-name
description: User's full name, if available.
example: Albert Einstein
- flat_name: user.changes.full_name
+ flat_name: user.effective.full_name
ignore_above: 1024
level: extended
multi_fields:
- - flat_name: user.changes.full_name.text
+ - flat_name: user.effective.full_name.text
name: text
type: match_only_text
name: full_name
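Review bot: two grammar slips in the descriptions re-emitted here need fixing in the source schema rather than in this generated output: `this field should mirrors the corresponding *.name value` (under `user.effective.entity.name`) should read `should mirror`, and `ARNs values in AWS` (under `user.effective.entity.id`) should read `ARN values`. Two consistency points in the same block: `user.effective.entity.id` is the only `entity.*` field in this hunk without a `beta:` marker, so confirm that is intended; and the `entity.type` description ends its example list with `etc.` while `allowed_values` enumerates a closed set, so either drop `etc.` or state that the list is illustrative. Also, `risk.*` is now nested under `user.changes` and `user.effective` (`user.changes.risk.calculated_level` through `user.changes.risk.static_score_norm`); make sure that reuse is declared in the risk schema's reusable section and called out alongside the other nesting changes, since it is easy to miss inside a generated-file diff of this size.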
@@ -23557,12 +25282,12 @@ user.changes.full_name:
original_fieldset: user
short: User's full name, if available.
type: keyword
-user.changes.group.domain:
- dashed_name: user-changes-group-domain
+user.effective.group.domain:
+ dashed_name: user-effective-group-domain
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- flat_name: user.changes.group.domain
+ flat_name: user.effective.group.domain
ignore_above: 1024
level: extended
name: domain
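Review bot: this hunk, and the five positional hunks that follow it, only swap the `user.changes.` prefix for `user.effective.` on otherwise identical definitions (`dashed_name`, `flat_name`, the `.text` multi-field), which is the generator realigning the file after the `user.changes.*` block was re-emitted earlier in the patch; there is no content change to review here, but because this is generated output the PR should be checked by regenerating from the schema and confirming the working tree comes out clean.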
@@ -23570,10 +25295,10 @@ user.changes.group.domain:
original_fieldset: group
short: Name of the directory the group is a member of.
type: keyword
-user.changes.group.id:
- dashed_name: user-changes-group-id
+user.effective.group.id:
+ dashed_name: user-effective-group-id
description: Unique identifier for the group on the system/platform.
- flat_name: user.changes.group.id
+ flat_name: user.effective.group.id
ignore_above: 1024
level: extended
name: id
@@ -23581,10 +25306,10 @@ user.changes.group.id:
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
-user.changes.group.name:
- dashed_name: user-changes-group-name
+user.effective.group.name:
+ dashed_name: user-effective-group-name
description: Name of the group.
- flat_name: user.changes.group.name
+ flat_name: user.effective.group.name
ignore_above: 1024
level: extended
name: name
@@ -23592,14 +25317,14 @@ user.changes.group.name:
original_fieldset: group
short: Name of the group.
type: keyword
-user.changes.hash:
- dashed_name: user-changes-hash
+user.effective.hash:
+ dashed_name: user-effective-hash
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- flat_name: user.changes.hash
+ flat_name: user.effective.hash
ignore_above: 1024
level: extended
name: hash
@@ -23607,11 +25332,11 @@ user.changes.hash:
original_fieldset: user
short: Unique user hash to correlate information for a user in anonymized form.
type: keyword
-user.changes.id:
- dashed_name: user-changes-id
+user.effective.id:
+ dashed_name: user-effective-id
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.changes.id
+ flat_name: user.effective.id
ignore_above: 1024
level: core
name: id
@@ -23619,15 +25344,15 @@ user.changes.id:
original_fieldset: user
short: Unique identifier of the user.
type: keyword
-user.changes.name:
- dashed_name: user-changes-name
+user.effective.name:
+ dashed_name: user-effective-name
description: Short name or login of the user.
example: a.einstein
- flat_name: user.changes.name
+ flat_name: user.effective.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: user.changes.name.text
+ - flat_name: user.effective.name.text
name: text
type: match_only_text
name: name
@@ -23635,176 +25360,360 @@ user.changes.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
-user.changes.roles:
- dashed_name: user-changes-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: user.changes.roles
+user.effective.risk.calculated_level:
+ dashed_name: user-effective-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.effective.risk.calculated_level
ignore_above: 1024
level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
type: keyword
-user.domain:
- dashed_name: user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.domain
- ignore_above: 1024
+user.effective.risk.calculated_score:
+ dashed_name: user-effective-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.effective.risk.calculated_score
level: extended
- name: domain
+ name: calculated_score
normalize: []
- short: Name of the directory the user is a member of.
- type: keyword
-user.effective.domain:
- dashed_name: user-effective-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.domain
- ignore_above: 1024
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+user.effective.risk.calculated_score_norm:
+ dashed_name: user-effective-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: user.effective.risk.calculated_score_norm
level: extended
- name: domain
+ name: calculated_score_norm
normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
- type: keyword
-user.effective.email:
- dashed_name: user-effective-email
- description: User email address.
- flat_name: user.effective.email
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+user.effective.risk.static_level:
+ dashed_name: user-effective-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.effective.risk.static_level
ignore_above: 1024
level: extended
- name: email
+ name: static_level
normalize: []
- original_fieldset: user
- short: User email address.
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
type: keyword
-user.effective.full_name:
- dashed_name: user-effective-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: user.effective.full_name
- ignore_above: 1024
+user.effective.risk.static_score:
+ dashed_name: user-effective-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.effective.risk.static_score
level: extended
- multi_fields:
- - flat_name: user.effective.full_name.text
- name: text
- type: match_only_text
- name: full_name
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+user.effective.risk.static_score_norm:
+ dashed_name: user-effective-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.effective.risk.static_score_norm
+ level: extended
+ name: static_score_norm
normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+user.effective.roles:
+ dashed_name: user-effective-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: user.effective.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
original_fieldset: user
- short: User's full name, if available.
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
type: keyword
-user.effective.group.domain:
- dashed_name: user-effective-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.group.domain
+user.email:
+ dashed_name: user-email
+ description: User email address.
+ flat_name: user.email
ignore_above: 1024
level: extended
- name: domain
+ name: email
normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
+ otel:
+ - relation: match
+ stability: development
+ short: User email address.
type: keyword
-user.effective.group.id:
- dashed_name: user-effective-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: user.effective.group.id
- ignore_above: 1024
+user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually boolean
+ or keyword field data types. Use this field set when you need to track static
+ or semi-static characteristics of an entity for advanced searching and correlation
+ of normalized values across different providers/sources and entity types.
+ flat_name: user.entity.attributes
level: extended
- name: id
+ name: attributes
normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
- type: keyword
-user.effective.group.name:
- dashed_name: user-effective-group-name
- description: Name of the group.
- flat_name: user.effective.group.name
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period. Usually boolean field data type. Use
+ this field set when you need to capture and track ephemeral characteristics of
+ an entity for advanced searching, correlation of normalized values across different
+ providers/sources and entity types.
+ flat_name: user.entity.behavior
level: extended
- name: name
+ name: behavior
normalize: []
- original_fieldset: group
- short: Name of the group.
- type: keyword
-user.effective.hash:
- dashed_name: user-effective-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: user.effective.hash
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed behaviors
+ during a specific time period.
+ type: object
+user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.entity.display_name
ignore_above: 1024
level: extended
- name: hash
+ multi_fields:
+ - flat_name: user.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric operations.
type: keyword
-user.effective.id:
- dashed_name: user-effective-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.effective.id
+user.entity.id:
+ dashed_name: user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers exist,
+ this should be the most stable and commonly used identifier that: 1) persists
+ across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is
+ commonly used for queries and correlation, and 4) is readily available in most
+ observations (logs/events). For entities with dedicated field sets (e.g., host,
+ user), this value should match the corresponding *.id field. Alternative identifiers
+ (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.'
+ flat_name: user.entity.id
ignore_above: 1024
level: core
name: id
normalize: []
- original_fieldset: user
- short: Unique identifier of the user.
+ original_fieldset: entity
+ short: Unique identifier for the entity.
type: keyword
-user.effective.name:
- dashed_name: user-effective-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: user.effective.name
+user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually based
+ upon the last event/log that is initiated by this entity.
+ flat_name: user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These use
+ dynamic field data type mapping.
+ flat_name: user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-name
+ description: The name of the entity. The keyword field enables exact matches for
+ filtering and aggregations, while the text field enables full-text search. For
+ entities with dedicated field sets (e.g., `host`), this field should mirrors the
+ corresponding *.name value.
+ flat_name: user.entity.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: user.effective.name.text
+ - flat_name: user.entity.name.text
name: text
type: match_only_text
name: name
normalize: []
- original_fieldset: user
- short: Short name or login of the user.
+ original_fieldset: entity
+ short: The name of the entity.
type: keyword
-user.effective.roles:
- dashed_name: user-effective-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: user.effective.roles
+user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized fields
+ requiring advanced queries, this field preserves all source metadata with basic
+ search capabilities.
+ flat_name: user.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.entity.reference
ignore_above: 1024
level: extended
- name: roles
- normalize:
- - array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
-user.email:
- dashed_name: user-email
- description: User email address.
- flat_name: user.email
+user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-source
+ description: The module or integration that provided this entity data (similar to
+ event.module).
+ flat_name: user.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its provider
+ or system. This field provides more granular classification than the type field.
+ Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container` ,
+ `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.entity.sub_type
ignore_above: 1024
level: extended
- name: email
+ name: sub_type
normalize: []
- otel:
- - relation: match
- stability: development
- short: User email address.
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider or
+ system.
+ type: keyword
+user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for object
+ storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets,
+ Azure Blob containers, and other cloud storage services. Buckets are used to
+ organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes message
+ brokers, event queues, and other messaging infrastructure components such as
+ Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate
+ asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical servers,
+ virtual machines, cloud instances, and other computing resources that can run
+ applications or services. Hosts provide the fundamental computing infrastructure
+ for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can interact
+ with systems, applications, or services. Users may have various roles, permissions,
+ and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web applications,
+ mobile applications, desktop applications, and other software components that
+ provide functionality to users or other systems. Applications may run on various
+ infrastructure components and can span multiple hosts or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes web
+ services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate with
+ other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes user
+ login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
user.full_name:
dashed_name: user-full-name
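Review bot: the `description` of `user.entity.name` in this hunk reads "this field should mirrors the corresponding *.name value"; since `generated/ecs/ecs_flat.yml` is generated output, correct the wording to "should mirror" in the entity field set's source schema so every generated copy is fixed on regeneration. Three more source-level points visible in the same block: `user.entity.id` is the only `user.entity.*` field without `beta: This field is beta and subject to change.`, so confirm whether that omission is intended; the `user.entity.sub_type` description has stray spaces before commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`"; and `user.entity.raw` is declared `type: object` while its description says "Usually flattened field data type", so either the type or the description should change.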
@@ -24370,6 +26279,86 @@ user.target.name:
original_fieldset: user
short: Short name or login of the user.
type: keyword
+user.target.risk.calculated_level:
+ dashed_name: user-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: keyword
+user.target.risk.calculated_score:
+ dashed_name: user-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part of entity
+ analytics and entity risk scoring.
+ type: float
+user.target.risk.calculated_score_norm:
+ dashed_name: user-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring, and normalized to a range of 0 to
+ 100.
+ example: 88.73
+ flat_name: user.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+user.target.risk.static_level:
+ dashed_name: user-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: keyword
+user.target.risk.static_score:
+ dashed_name: user-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as from
+ some external Threat Intelligence Platform.
+ type: float
+user.target.risk.static_score_norm:
+ dashed_name: user-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
user.target.roles:
dashed_name: user-target-roles
description: Array of user roles at the time of the event.
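Review bot: the `short` of `user.target.risk.static_score_norm` says "A normalized risk score calculated by an external system" while its `description` says the score is "obtained from outside the system, such as from some external Threat Intelligence Platform"; the `calculated_*` fields are the internally computed ones, so align the `short` with the description (for example "A normalized risk score obtained from an external system"), and make that change in the `risk` field set's source definition rather than in this generated file.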
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index af8b28777f..37abbf431a 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -818,6 +818,259 @@ cloud:
stability: development
short: Availability zone in which this host, resource, or service is located.
type: keyword
+ cloud.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: cloud.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ cloud.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ cloud.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: cloud.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ cloud.entity.id:
+ dashed_name: cloud-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: cloud.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ cloud.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: cloud.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ cloud.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ cloud.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: cloud.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ cloud.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: cloud.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ cloud.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: cloud.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ cloud.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ cloud.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: cloud.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ cloud.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ cloud.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
cloud.instance.id:
dashed_name: cloud-instance-id
description: Instance ID of the host machine.
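Review bot: the same source-schema wording issues reappear in the generated `cloud.entity.*` block of this hunk: "this field should mirrors the corresponding *.name value" in `cloud.entity.name`, the stray spaces before commas in the `cloud.entity.sub_type` examples ("`hardware` , `virtual` , `container` , `node` , `cloud_instance`"), `cloud.entity.raw` described as "Usually flattened field data type" but declared `type: object`, and `cloud.entity.id` being the only `cloud.entity.*` field without the `beta:` marker. Because `generated/ecs/ecs_nested.yml` is generated, none of these should be patched here; one fix in the entity field set's source schema covers this copy, the `user.entity.*` copy in ecs_flat.yml, and the `cloud.origin.entity.*` copy that follows.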
@@ -892,37 +1145,290 @@ cloud:
original_fieldset: cloud
short: Availability zone in which this host, resource, or service is located.
type: keyword
- cloud.origin.instance.id:
- dashed_name: cloud-origin-instance-id
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- flat_name: cloud.origin.instance.id
- ignore_above: 1024
+ cloud.origin.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: cloud.origin.entity.attributes
level: extended
- name: instance.id
+ name: attributes
normalize: []
- original_fieldset: cloud
- short: Instance ID of the host machine.
- type: keyword
- cloud.origin.instance.name:
- dashed_name: cloud-origin-instance-name
- description: Instance name of the host machine.
- flat_name: cloud.origin.instance.name
- ignore_above: 1024
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ cloud.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.origin.entity.behavior
level: extended
- name: instance.name
+ name: behavior
normalize: []
- original_fieldset: cloud
- short: Instance name of the host machine.
- type: keyword
- cloud.origin.machine.type:
- dashed_name: cloud-origin-machine-type
- description: Machine type of the host machine.
- example: t2.medium
- flat_name: cloud.origin.machine.type
- ignore_above: 1024
- level: extended
- name: machine.type
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ cloud.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: cloud.origin.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: cloud.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ cloud.origin.entity.id:
+ dashed_name: cloud-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: cloud.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ cloud.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: cloud.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ cloud.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: cloud.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ cloud.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: cloud.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ cloud.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: cloud.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: cloud.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ cloud.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: cloud.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ cloud.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: cloud.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ cloud.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: cloud.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ cloud.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: cloud.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ cloud.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: cloud-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: cloud.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ cloud.origin.instance.id:
+ dashed_name: cloud-origin-instance-id
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ flat_name: cloud.origin.instance.id
+ ignore_above: 1024
+ level: extended
+ name: instance.id
+ normalize: []
+ original_fieldset: cloud
+ short: Instance ID of the host machine.
+ type: keyword
+ cloud.origin.instance.name:
+ dashed_name: cloud-origin-instance-name
+ description: Instance name of the host machine.
+ flat_name: cloud.origin.instance.name
+ ignore_above: 1024
+ level: extended
+ name: instance.name
+ normalize: []
+ original_fieldset: cloud
+ short: Instance name of the host machine.
+ type: keyword
+ cloud.origin.machine.type:
+ dashed_name: cloud-origin-machine-type
+ description: Machine type of the host machine.
+ example: t2.medium
+ flat_name: cloud.origin.machine.type
+ ignore_above: 1024
+ level: extended
+ name: machine.type
normalize: []
original_fieldset: cloud
short: Machine type of the host machine.
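Review bot: the generated `cloud.origin.entity.*` block (and by symmetry a `cloud.target.entity.*` block) reaches the flat schema through the `cloud.origin` / `cloud.target` self-reuse of `cloud`, yet the `entity` reusable `expected` list later in this patch names only `cloud.entity`; either state in the entity docs that `entity` also expands under `cloud.origin` and `cloud.target`, or restrict the nesting so the generated artifacts match the documented locations. Minor style point in the `cloud.origin.entity.sub_type` description: the stray spaces around the commas in "`hardware` , `virtual` , `container` , `node` , `cloud_instance`" should be tightened to "`hardware`, `virtual`, `container`, `node`, `cloud_instance`"; since this text is generated, fix it once in the `entity` field-set definition rather than here.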
@@ -1487,9 +1993,9 @@ cloud:
group: 2
name: cloud
nestings:
+ - cloud.entity
- cloud.origin
- cloud.target
- - cloud.target.entity
prefix: cloud.
reusable:
expected:
@@ -1505,9 +2011,9 @@ cloud:
of an outgoing request or event.
top_level: true
reused_here:
- - full: cloud.target.entity
+ - full: cloud.entity
schema_name: entity
- short: Entity information for the target cloud entity.
+ short: Fields to describe various types of entities across IT environments.
- full: cloud.origin
schema_name: cloud
short: Provides the cloud information of the origin entity in case of an incoming
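Review bot: with the `short_override` dropped, the `reused_here` entry for `cloud.entity` now carries the generic entity description ("Fields to describe various types of entities across IT environments.") while its siblings `cloud.origin` and `cloud.target` carry cloud-specific shorts; if a cloud-flavoured summary is still wanted in the generated docs table, add a `short_override` on the `cloud` reuse (for example "Entity information for the cloud resource."), otherwise this is fine as is.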
@@ -4586,22 +5092,22 @@ entity:
prefix: entity.
reusable:
expected:
- - as: entity
- at: host
- full: host.entity
- as: entity
at: user
- full: user.target.entity
- short_override: Entity information for the targeted user.
+ full: user.entity
- as: entity
at: cloud
- full: cloud.target.entity
- short_override: Entity information for the target cloud entity.
+ full: cloud.entity
+ - as: entity
+ at: host
+ full: host.entity
- as: entity
at: service
- full: service.target.entity
- short_override: Entity information for the target service.
- top_level: true
+ full: service.entity
+ - as: entity
+ at: orchestrator
+ full: orchestrator.entity
+ top_level: false
short: Fields to describe various types of entities across IT environments.
title: Entity
type: group
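Review bot: the `expected` list under `entity.reusable` ends up unsorted after this change (user, cloud, host, service, orchestrator): `host.entity` is moved from first to fourth position only because of ordering churn, and `orchestrator.entity` is appended after `service`. Sort the entries alphabetically (cloud, host, orchestrator, service, user) so future additions do not reshuffle existing lines. The switch to `top_level: false` is consistent with the docs statement that `entity` fields are not expected at the event root.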
@@ -10877,25 +11383,278 @@ orchestrator:
normalize: []
short: The version of the cluster.
type: keyword
- orchestrator.namespace:
- dashed_name: orchestrator-namespace
- description: Namespace in which the action is taking place.
- example: kube-system
- flat_name: orchestrator.namespace
- ignore_above: 1024
+ orchestrator.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: orchestrator.entity.attributes
level: extended
- name: namespace
+ name: attributes
normalize: []
- short: Namespace in which the action is taking place.
- type: keyword
- orchestrator.organization:
- dashed_name: orchestrator-organization
- description: Organization affected by the event (for multi-tenant orchestrator
- setups).
- example: elastic
- flat_name: orchestrator.organization
- ignore_above: 1024
- level: extended
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ orchestrator.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: orchestrator.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ orchestrator.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: orchestrator.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: orchestrator.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ orchestrator.entity.id:
+ dashed_name: orchestrator-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: orchestrator.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ orchestrator.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: orchestrator.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ orchestrator.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: orchestrator.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ orchestrator.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: orchestrator.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ orchestrator.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: orchestrator.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: orchestrator.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ orchestrator.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: orchestrator.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ orchestrator.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: orchestrator.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ orchestrator.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: orchestrator.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ orchestrator.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: orchestrator.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ orchestrator.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: orchestrator-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: orchestrator.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ orchestrator.namespace:
+ dashed_name: orchestrator-namespace
+ description: Namespace in which the action is taking place.
+ example: kube-system
+ flat_name: orchestrator.namespace
+ ignore_above: 1024
+ level: extended
+ name: namespace
+ normalize: []
+ short: Namespace in which the action is taking place.
+ type: keyword
+ orchestrator.organization:
+ dashed_name: orchestrator-organization
+ description: Organization affected by the event (for multi-tenant orchestrator
+ setups).
+ example: elastic
+ flat_name: orchestrator.organization
+ ignore_above: 1024
+ level: extended
name: organization
normalize: []
short: Organization affected by the event (for multi-tenant orchestrator setups).
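Review bot: `orchestrator.entity.id` is the only `orchestrator.entity.*` entry without a `beta: This field is beta and subject to change.` marker; if `entity.id` is intentionally GA while the rest of the field set is beta, the entity docs should say so, otherwise add the marker in the `entity` field-set definition so every reuse picks it up. Two generated description strings also need a wording fix at that same source: `orchestrator.entity.name` reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), and `orchestrator.entity.id` reads "ARNs values in AWS" (should be "ARN values in AWS"). The removal and re-addition of `orchestrator.namespace` and `orchestrator.organization` is pure alphabetical reordering around the inserted `orchestrator.entity.*` block and changes nothing.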
@@ -10998,7 +11757,13 @@ orchestrator:
type: keyword
group: 2
name: orchestrator
+ nestings:
+ - orchestrator.entity
prefix: orchestrator.
+ reused_here:
+ - full: orchestrator.entity
+ schema_name: entity
+ short: Fields to describe various types of entities across IT environments.
short: Fields relevant to container orchestrators.
title: Orchestrator
type: group
@@ -17954,33 +18719,286 @@ service:
normalize: []
short: Address of this service.
type: keyword
- service.environment:
+ service.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA,
- development, etc.), the environment can identify other instances of the same
- service. Can also group services and applications from the same environment.'
- example: production
- flat_name: service.environment
- ignore_above: 1024
+ dashed_name: service-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: service.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- otel:
- - attribute: deployment.environment.name
- relation: equivalent
- stability: development
- short: Environment of the service.
- type: keyword
- service.ephemeral_id:
- dashed_name: service-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
- flat_name: service.ephemeral_id
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ service.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ service.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: service.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ service.entity.id:
+ dashed_name: service-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: service.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ service.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: service.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ service.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ service.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: service.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ service.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: service.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ service.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: service.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ service.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ service.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: service.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ service.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ service.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ service.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA,
+ development, etc.), the environment can identify other instances of the same
+ service. Can also group services and applications from the same environment.'
+ example: production
+ flat_name: service.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ otel:
+ - attribute: deployment.environment.name
+ relation: equivalent
+ stability: development
+ short: Environment of the service.
+ type: keyword
+ service.ephemeral_id:
+ dashed_name: service-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
+ flat_name: service.ephemeral_id
ignore_above: 1024
level: extended
name: ephemeral_id
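Review bot: the `application` and `service` allowed values of `service.entity.type` overlap: `application` is described as "Represents a software application or service" while a separate `service` value exists, so a producer classifying an API or microservice has no deterministic choice between the two. Suggest dropping "or service" from the `application` entry and stating the distinction in both descriptions (user-facing application vs. service component). Since this block is generated output, the wording belongs in the entity schema source so every reuse location picks up the same text.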
@@ -18117,29 +19135,282 @@ service:
original_fieldset: service
short: Address of this service.
type: keyword
- service.origin.environment:
+ service.origin.entity.attributes:
beta: This field is beta and subject to change.
- dashed_name: service-origin-environment
- description: 'Identifies the environment where the service is running.
-
- If the same service runs in different environments (production, staging, QA,
- development, etc.), the environment can identify other instances of the same
- service. Can also group services and applications from the same environment.'
- example: production
- flat_name: service.origin.environment
- ignore_above: 1024
+ dashed_name: service-origin-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: service.origin.entity.attributes
level: extended
- name: environment
+ name: attributes
normalize: []
- original_fieldset: service
- short: Environment of the service.
- type: keyword
- service.origin.ephemeral_id:
- dashed_name: service-origin-ephemeral-id
- description: 'Ephemeral identifier of this service (if one exists).
-
- This id normally changes across restarts, but `service.id` does not.'
- example: 8a4f500f
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ service.origin.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.origin.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ service.origin.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: service.origin.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: service.origin.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ service.origin.entity.id:
+ dashed_name: service-origin-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: service.origin.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ service.origin.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: service.origin.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ service.origin.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: service.origin.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ service.origin.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: service.origin.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ service.origin.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: service.origin.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: service.origin.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ service.origin.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: service.origin.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ service.origin.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: service.origin.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ service.origin.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: service.origin.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ service.origin.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: service.origin.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ service.origin.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: service.origin.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ service.origin.environment:
+ beta: This field is beta and subject to change.
+ dashed_name: service-origin-environment
+ description: 'Identifies the environment where the service is running.
+
+ If the same service runs in different environments (production, staging, QA,
+ development, etc.), the environment can identify other instances of the same
+ service. Can also group services and applications from the same environment.'
+ example: production
+ flat_name: service.origin.environment
+ ignore_above: 1024
+ level: extended
+ name: environment
+ normalize: []
+ original_fieldset: service
+ short: Environment of the service.
+ type: keyword
+ service.origin.ephemeral_id:
+ dashed_name: service-origin-ephemeral-id
+ description: 'Ephemeral identifier of this service (if one exists).
+
+ This id normally changes across restarts, but `service.id` does not.'
+ example: 8a4f500f
flat_name: service.origin.ephemeral_id
ignore_above: 1024
level: extended
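Review bot: `service.origin.entity.id` is the only field in this `service.origin.entity.*` block without a `beta:` marker, while every sibling (`attributes`, `behavior`, `display_name`, `name`, `sub_type`, `type`, ...) carries `beta: This field is beta and subject to change.`; if the entity field set as a whole is beta, `id` should carry it too, otherwise the omission should be deliberate and called out. Two wording defects in the generated descriptions also need fixing at the entity schema source rather than here: the `service.origin.entity.name` description reads "this field should mirrors the corresponding *.name value" (should be "should mirror"), and the `sub_type` description has stray spaces before its commas ("`hardware` , `virtual` , `container` , `node`"). Because these fields are emitted for every location where `entity` is reused, the same three defects recur verbatim in the `user.changes.entity.*` block later in this diff.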
@@ -18813,9 +20084,9 @@ service:
group: 2
name: service
nestings:
+ - service.entity
- service.origin
- service.target
- - service.target.entity
prefix: service.
reusable:
expected:
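Review bot: the `nestings` change removes `service.target.entity` and adds `service.entity`, but the diff shows no `service.target.entity.*` field definitions being removed, while the earlier hunk shows `service.origin.entity.*` fields being generated through the `service.origin` reuse. Please confirm in the generated output that `service.target.entity.*` still exists (now produced via the `service.target` reuse of `service.entity`) and that field definitions, levels and `beta` markers there are unchanged; if they are not, this is a breaking change for any mapping, ingest pipeline or rule already populating `service.target.entity.*` and the changelog should say so. Also worth stating in the PR description that the entity fields now surface at three service locations (`service.entity`, `service.origin.entity`, `service.target.entity`) instead of one, since that is the real scope of the change.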
@@ -18835,9 +20106,9 @@ service:
or event.
top_level: true
reused_here:
- - full: service.target.entity
+ - full: service.entity
schema_name: entity
- short: Entity information for the target service.
+ short: Fields to describe various types of entities across IT environments.
- beta: Reusing the `service` fields in this location is currently considered beta.
full: service.origin
schema_name: service
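Review bot: the new `reused_here` entry for `service.entity` has no `beta:` key, while the `service.origin` entry directly below it carries "Reusing the `service` fields in this location is currently considered beta." and every `entity` field in this diff is individually marked beta; the reuse location should be flagged beta as well so the rendered docs show the status consistently. The `short` also regressed from the location-specific "Entity information for the target service." to the generic fieldset description "Fields to describe various types of entities across IT environments."; a location-specific short (for example "Entity information for this service.") reads better in the generated reuse table.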
@@ -26513,21 +27784,751 @@ user:
description: User email address.
flat_name: user.changes.email
ignore_above: 1024
- level: extended
- name: email
- normalize: []
- original_fieldset: user
- short: User email address.
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ user.changes.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: user.changes.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ user.changes.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.changes.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ user.changes.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.changes.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ user.changes.entity.id:
+ dashed_name: user-changes-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: user.changes.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ user.changes.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: user.changes.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ user.changes.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.changes.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ user.changes.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: user.changes.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ user.changes.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: user.changes.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ user.changes.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: user.changes.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ user.changes.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.changes.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ user.changes.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: user.changes.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ user.changes.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.changes.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ user.changes.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-changes-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.changes.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
+ type: keyword
+ user.changes.full_name:
+ dashed_name: user-changes-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: user.changes.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.changes.full_name.text
+ name: text
+ type: match_only_text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ user.changes.group.domain:
+ dashed_name: user-changes-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.changes.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ user.changes.group.id:
+ dashed_name: user-changes-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: user.changes.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ user.changes.group.name:
+ dashed_name: user-changes-group-name
+ description: Name of the group.
+ flat_name: user.changes.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ user.changes.hash:
+ dashed_name: user-changes-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: user.changes.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ user.changes.id:
+ dashed_name: user-changes-id
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ flat_name: user.changes.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ user.changes.name:
+ dashed_name: user-changes-name
+ description: Short name or login of the user.
+ example: a.einstein
+ flat_name: user.changes.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.changes.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
+ user.changes.risk.calculated_level:
+ dashed_name: user-changes-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.changes.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ user.changes.risk.calculated_score:
+ dashed_name: user-changes-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.changes.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ user.changes.risk.calculated_score_norm:
+ dashed_name: user-changes-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: user.changes.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ user.changes.risk.static_level:
+ dashed_name: user-changes-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.changes.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ user.changes.risk.static_score:
+ dashed_name: user-changes-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.changes.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ user.changes.risk.static_score_norm:
+ dashed_name: user-changes-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.changes.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ user.changes.roles:
+ dashed_name: user-changes-roles
+ description: Array of user roles at the time of the event.
+ example: '["kibana_admin", "reporting_user"]'
+ flat_name: user.changes.roles
+ ignore_above: 1024
+ level: extended
+ name: roles
+ normalize:
+ - array
+ original_fieldset: user
+ short: Array of user roles at the time of the event.
+ synthetic_source_keep: none
+ type: keyword
+ user.domain:
+ dashed_name: user-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ short: Name of the directory the user is a member of.
+ type: keyword
+ user.effective.domain:
+ dashed_name: user-effective-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.effective.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ user.effective.email:
+ dashed_name: user-effective-email
+ description: User email address.
+ flat_name: user.effective.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ user.effective.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: user.effective.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ user.effective.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.effective.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ user.effective.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.effective.entity.display_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.effective.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
+ normalize: []
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
+ type: keyword
+ user.effective.entity.id:
+ dashed_name: user-effective-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: user.effective.entity.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: entity
+ short: Unique identifier for the entity.
+ type: keyword
+ user.effective.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: user.effective.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ user.effective.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.effective.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ user.effective.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: user.effective.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ user.effective.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: user.effective.entity.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.effective.entity.name.text
+ name: text
+ type: match_only_text
+ name: name
+ normalize: []
+ original_fieldset: entity
+ short: The name of the entity.
+ type: keyword
+ user.effective.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: user.effective.entity.raw
+ level: extended
+ name: raw
+ normalize: []
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ user.effective.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.effective.entity.reference
+ ignore_above: 1024
+ level: extended
+ name: reference
+ normalize: []
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
+ type: keyword
+ user.effective.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: user.effective.entity.source
+ ignore_above: 1024
+ level: core
+ name: source
+ normalize: []
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
+ type: keyword
+ user.effective.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.effective.entity.sub_type
+ ignore_above: 1024
+ level: extended
+ name: sub_type
+ normalize: []
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
+ type: keyword
+ user.effective.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-effective-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.effective.entity.type
+ ignore_above: 1024
+ level: core
+ name: type
+ normalize:
+ - array
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
- user.changes.full_name:
- dashed_name: user-changes-full-name
+ user.effective.full_name:
+ dashed_name: user-effective-full-name
description: User's full name, if available.
example: Albert Einstein
- flat_name: user.changes.full_name
+ flat_name: user.effective.full_name
ignore_above: 1024
level: extended
multi_fields:
- - flat_name: user.changes.full_name.text
+ - flat_name: user.effective.full_name.text
name: text
type: match_only_text
name: full_name
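Review bot: the `user.effective.entity.raw` entry describes the field as "Usually flattened field data type" but maps it as `type: object` with no declared subfields, so in practice it depends on dynamic mapping of whatever keys the source system emits; either change the mapping to `flattened` or reword the description so readers do not expect `flattened` semantics. Two wording defects are also carried into every nesting of the entity field set and should be fixed in the source schema rather than in this generated output: "this field should mirrors the corresponding *.name value" in `user.effective.entity.name`, and "ARNs values in AWS" in `user.effective.entity.id`. In that same `id` description, "this value should match the corresponding *.id field" becomes ambiguous once the field set is nested under `user.effective`: state explicitly that the match is against `user.effective.id` (defined later in this diff), not `user.id`, since the two are distinct fields.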
@@ -26535,12 +28536,12 @@ user:
original_fieldset: user
short: User's full name, if available.
type: keyword
- user.changes.group.domain:
- dashed_name: user-changes-group-domain
+ user.effective.group.domain:
+ dashed_name: user-effective-group-domain
description: 'Name of the directory the group is a member of.
For example, an LDAP or Active Directory domain name.'
- flat_name: user.changes.group.domain
+ flat_name: user.effective.group.domain
ignore_above: 1024
level: extended
name: domain
@@ -26548,10 +28549,10 @@ user:
original_fieldset: group
short: Name of the directory the group is a member of.
type: keyword
- user.changes.group.id:
- dashed_name: user-changes-group-id
+ user.effective.group.id:
+ dashed_name: user-effective-group-id
description: Unique identifier for the group on the system/platform.
- flat_name: user.changes.group.id
+ flat_name: user.effective.group.id
ignore_above: 1024
level: extended
name: id
@@ -26559,10 +28560,10 @@ user:
original_fieldset: group
short: Unique identifier for the group on the system/platform.
type: keyword
- user.changes.group.name:
- dashed_name: user-changes-group-name
+ user.effective.group.name:
+ dashed_name: user-effective-group-name
description: Name of the group.
- flat_name: user.changes.group.name
+ flat_name: user.effective.group.name
ignore_above: 1024
level: extended
name: name
@@ -26570,14 +28571,14 @@ user:
original_fieldset: group
short: Name of the group.
type: keyword
- user.changes.hash:
- dashed_name: user-changes-hash
+ user.effective.hash:
+ dashed_name: user-effective-hash
description: 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- flat_name: user.changes.hash
+ flat_name: user.effective.hash
ignore_above: 1024
level: extended
name: hash
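Review bot: the description reused for `user.effective.hash` still tells readers the hash is "Useful if `user.id` or `user.name` contain confidential information", but under this nesting the fields it stands in for are `user.effective.id` and `user.effective.name`. Consider wording the shared description generically, for example "the corresponding `*.id` or `*.name` field", so each generated nesting reads correctly.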
@@ -26585,11 +28586,11 @@ user:
original_fieldset: user
short: Unique user hash to correlate information for a user in anonymized form.
type: keyword
- user.changes.id:
- dashed_name: user-changes-id
+ user.effective.id:
+ dashed_name: user-effective-id
description: Unique identifier of the user.
example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.changes.id
+ flat_name: user.effective.id
ignore_above: 1024
level: core
name: id
@@ -26597,15 +28598,15 @@ user:
original_fieldset: user
short: Unique identifier of the user.
type: keyword
- user.changes.name:
- dashed_name: user-changes-name
+ user.effective.name:
+ dashed_name: user-effective-name
description: Short name or login of the user.
example: a.einstein
- flat_name: user.changes.name
+ flat_name: user.effective.name
ignore_above: 1024
level: core
multi_fields:
- - flat_name: user.changes.name.text
+ - flat_name: user.effective.name.text
name: text
type: match_only_text
name: name
@@ -26613,11 +28614,91 @@ user:
original_fieldset: user
short: Short name or login of the user.
type: keyword
- user.changes.roles:
- dashed_name: user-changes-roles
+ user.effective.risk.calculated_level:
+ dashed_name: user-effective-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.effective.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ user.effective.risk.calculated_score:
+ dashed_name: user-effective-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.effective.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ user.effective.risk.calculated_score_norm:
+ dashed_name: user-effective-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: user.effective.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ user.effective.risk.static_level:
+ dashed_name: user-effective-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.effective.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ user.effective.risk.static_score:
+ dashed_name: user-effective-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.effective.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ user.effective.risk.static_score_norm:
+ dashed_name: user-effective-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.effective.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
+ user.effective.roles:
+ dashed_name: user-effective-roles
description: Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'
- flat_name: user.changes.roles
+ flat_name: user.effective.roles
ignore_above: 1024
level: extended
name: roles
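Review bot: the `short` text for `user.effective.risk.static_score_norm` says the score was "calculated by an external system" while its `description` (and the `short` of the sibling `user.effective.risk.static_score`) says it was "obtained from outside the system"; align the two so the static-versus-calculated distinction the field names rely on stays unambiguous, and apply the same fix to the `user.changes.risk.static_score_norm` entry earlier in this diff, which carries identical text. Every `user.effective.risk.*` entry in this hunk matches the corresponding `user.changes.risk.*` entry above it apart from the prefix, so beyond that wording point the hunk is a straight regeneration after the alphabetical reordering and introduces no other change to review.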
@@ -26627,162 +28708,271 @@ user:
short: Array of user roles at the time of the event.
synthetic_source_keep: none
type: keyword
- user.domain:
- dashed_name: user-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.domain
+ user.email:
+ dashed_name: user-email
+ description: User email address.
+ flat_name: user.email
ignore_above: 1024
level: extended
- name: domain
+ name: email
normalize: []
- short: Name of the directory the user is a member of.
+ otel:
+ - relation: match
+ stability: development
+ short: User email address.
type: keyword
- user.effective.domain:
- dashed_name: user-effective-domain
- description: 'Name of the directory the user is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.domain
+ user.entity.attributes:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-attributes
+ description: A set of static or semi-static attributes of the entity. Usually
+ boolean or keyword field data types. Use this field set when you need to track
+ static or semi-static characteristics of an entity for advanced searching
+ and correlation of normalized values across different providers/sources and
+ entity types.
+ flat_name: user.entity.attributes
+ level: extended
+ name: attributes
+ normalize: []
+ original_fieldset: entity
+ short: A set of static or semi-static attributes of the entity.
+ type: object
+ user.entity.behavior:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-behavior
+ description: A set of ephemeral characteristics of the entity, derived from
+ observed behaviors during a specific time period. Usually boolean field data
+ type. Use this field set when you need to capture and track ephemeral characteristics
+ of an entity for advanced searching, correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.entity.behavior
+ level: extended
+ name: behavior
+ normalize: []
+ original_fieldset: entity
+ short: A set of ephemeral characteristics of the entity, derived from observed
+ behaviors during a specific time period.
+ type: object
+ user.entity.display_name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-display-name
+ description: An optional field used when a pretty name is desired for entity-centric
+ operations. This field should not be used for correlation with `*.name` fields
+ for entities with dedicated field sets (e.g., `host`).
+ flat_name: user.entity.display_name
ignore_above: 1024
level: extended
- name: domain
+ multi_fields:
+ - flat_name: user.entity.display_name.text
+ name: text
+ type: match_only_text
+ name: display_name
normalize: []
- original_fieldset: user
- short: Name of the directory the user is a member of.
+ original_fieldset: entity
+ short: An optional field used when a pretty name is desired for entity-centric
+ operations.
type: keyword
- user.effective.email:
- dashed_name: user-effective-email
- description: User email address.
- flat_name: user.effective.email
+ user.entity.id:
+ dashed_name: user-entity-id
+ description: 'A unique identifier for the entity. When multiple identifiers
+ exist, this should be the most stable and commonly used identifier that: 1)
+ persists across the entity''s lifecycle, 2) ensures uniqueness within its
+ scope, 3) is commonly used for queries and correlation, and 4) is readily
+ available in most observations (logs/events). For entities with dedicated
+ field sets (e.g., host, user), this value should match the corresponding *.id
+ field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved
+ in the raw field.'
+ flat_name: user.entity.id
ignore_above: 1024
- level: extended
- name: email
+ level: core
+ name: id
normalize: []
- original_fieldset: user
- short: User email address.
+ original_fieldset: entity
+ short: Unique identifier for the entity.
type: keyword
- user.effective.full_name:
- dashed_name: user-effective-full-name
- description: User's full name, if available.
- example: Albert Einstein
- flat_name: user.effective.full_name
+ user.entity.last_seen_timestamp:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-last-seen-timestamp
+ description: Indicates the date/time when this entity was last "seen," usually
+ based upon the last event/log that is initiated by this entity.
+ flat_name: user.entity.last_seen_timestamp
+ level: extended
+ name: last_seen_timestamp
+ normalize: []
+ original_fieldset: entity
+ short: Indicates the date/time when this entity was last "seen."
+ type: date
+ user.entity.lifecycle:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-lifecycle
+ description: A set of temporal characteristics of the entity. Usually date field
+ data type. Use this field set when you need to track temporal characteristics
+ of an entity for advanced searching and correlation of normalized values across
+ different providers/sources and entity types.
+ flat_name: user.entity.lifecycle
+ level: extended
+ name: lifecycle
+ normalize: []
+ original_fieldset: entity
+ short: A set of temporal characteristics of the entity.
+ type: object
+ user.entity.metrics:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-metrics
+ description: Field set for any fields containing numeric entity metrics. These
+ use dynamic field data type mapping.
+ flat_name: user.entity.metrics
+ level: extended
+ name: metrics
+ normalize: []
+ original_fieldset: entity
+ short: Field set for any fields containing numeric entity metrics.
+ type: object
+ user.entity.name:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-name
+ description: The name of the entity. The keyword field enables exact matches
+ for filtering and aggregations, while the text field enables full-text search.
+ For entities with dedicated field sets (e.g., `host`), this field should mirrors
+ the corresponding *.name value.
+ flat_name: user.entity.name
ignore_above: 1024
- level: extended
+ level: core
multi_fields:
- - flat_name: user.effective.full_name.text
+ - flat_name: user.entity.name.text
name: text
type: match_only_text
- name: full_name
+ name: name
normalize: []
- original_fieldset: user
- short: User's full name, if available.
+ original_fieldset: entity
+ short: The name of the entity.
type: keyword
- user.effective.group.domain:
- dashed_name: user-effective-group-domain
- description: 'Name of the directory the group is a member of.
-
- For example, an LDAP or Active Directory domain name.'
- flat_name: user.effective.group.domain
- ignore_above: 1024
+ user.entity.raw:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-raw
+ description: Original, unmodified fields from the source system. Usually flattened
+ field data type. While the attributes field should be used for normalized
+ fields requiring advanced queries, this field preserves all source metadata
+ with basic search capabilities.
+ flat_name: user.entity.raw
level: extended
- name: domain
+ name: raw
normalize: []
- original_fieldset: group
- short: Name of the directory the group is a member of.
- type: keyword
- user.effective.group.id:
- dashed_name: user-effective-group-id
- description: Unique identifier for the group on the system/platform.
- flat_name: user.effective.group.id
+ original_fieldset: entity
+ short: Original, unmodified fields from the source system.
+ type: object
+ user.entity.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-reference
+ description: A URI, URL, or other direct reference to access or locate the entity
+ in its source system. This could be an API endpoint, web console URL, or other
+ addressable location. Format may vary by entity type and source system.
+ flat_name: user.entity.reference
ignore_above: 1024
level: extended
- name: id
+ name: reference
normalize: []
- original_fieldset: group
- short: Unique identifier for the group on the system/platform.
+ original_fieldset: entity
+ short: A URI, URL, or other direct reference to access or locate the entity.
type: keyword
- user.effective.group.name:
- dashed_name: user-effective-group-name
- description: Name of the group.
- flat_name: user.effective.group.name
+ user.entity.source:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-source
+ description: The module or integration that provided this entity data (similar
+ to event.module).
+ flat_name: user.entity.source
ignore_above: 1024
- level: extended
- name: name
+ level: core
+ name: source
normalize: []
- original_fieldset: group
- short: Name of the group.
+ original_fieldset: entity
+ short: Source module or integration that provided the entity data.
type: keyword
- user.effective.hash:
- dashed_name: user-effective-hash
- description: 'Unique user hash to correlate information for a user in anonymized
- form.
-
- Useful if `user.id` or `user.name` contain confidential information and cannot
- be used.'
- flat_name: user.effective.hash
+ user.entity.sub_type:
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-sub-type
+ description: 'The specific type designation for the entity as defined by its
+ provider or system. This field provides more granular classification than
+ the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container`
+ would all map to entity type `bucket`. `hardware` , `virtual` , `container`
+ , `node` , `cloud_instance` would all map to entity type `host`.'
+ example: aws_s3_bucket
+ flat_name: user.entity.sub_type
ignore_above: 1024
level: extended
- name: hash
- normalize: []
- original_fieldset: user
- short: Unique user hash to correlate information for a user in anonymized form.
- type: keyword
- user.effective.id:
- dashed_name: user-effective-id
- description: Unique identifier of the user.
- example: S-1-5-21-202424912787-2692429404-2351956786-1000
- flat_name: user.effective.id
- ignore_above: 1024
- level: core
- name: id
+ name: sub_type
normalize: []
- original_fieldset: user
- short: Unique identifier of the user.
+ original_fieldset: entity
+ short: The specific type designation for the entity as defined by its provider
+ or system.
type: keyword
- user.effective.name:
- dashed_name: user-effective-name
- description: Short name or login of the user.
- example: a.einstein
- flat_name: user.effective.name
+ user.entity.type:
+ allowed_values:
+ - description: Represents a storage container or bucket, typically used for
+ object storage. Common examples include AWS S3 buckets, Google Cloud Storage
+ buckets, Azure Blob containers, and other cloud storage services. Buckets
+ are used to organize and store files, objects, or data in cloud environments.
+ name: bucket
+ - description: Represents a database system or database instance. This includes
+ relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB,
+ Cassandra, DynamoDB), time-series databases, and other data storage systems.
+ The entity may represent the entire database system or a specific database
+ instance.
+ name: database
+ - description: Represents a containerized application or process. This includes
+ Docker containers, Kubernetes pods, and other containerization technologies.
+ Containers encapsulate applications and their dependencies, providing isolation
+ and portability across different environments.
+ name: container
+ - description: Represents a serverless function or Function-as-a-Service (FaaS)
+ component. This includes AWS Lambda functions, Azure Functions, Google Cloud
+ Functions, and other serverless computing resources. Functions are typically
+ event-driven and execute code without managing the underlying infrastructure.
+ name: function
+ - description: Represents a message queue or messaging system. This includes
+ message brokers, event queues, and other messaging infrastructure components
+ such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues
+ facilitate asynchronous communication between applications and services.
+ name: queue
+ - description: Represents a computing host or machine. This includes physical
+ servers, virtual machines, cloud instances, and other computing resources
+ that can run applications or services. Hosts provide the fundamental computing
+ infrastructure for other entity types.
+ name: host
+ - description: Represents a user account or identity. This includes human users,
+ service accounts, system accounts, and other identity entities that can
+ interact with systems, applications, or services. Users may have various
+ roles, permissions, and attributes associated with their identity.
+ name: user
+ - description: Represents a software application or service. This includes web
+ applications, mobile applications, desktop applications, and other software
+ components that provide functionality to users or other systems. Applications
+ may run on various infrastructure components and can span multiple hosts
+ or containers.
+ name: application
+ - description: Represents a service or microservice component. This includes
+ web services, APIs, background services, and other service-oriented architecture
+ components. Services provide specific functionality and may communicate
+ with other services to fulfill business requirements.
+ name: service
+ - description: Represents a user session or connection session. This includes
+ user login sessions, database connections, network sessions, and other temporary
+ interactive or persistent connections between users, applications, or systems.
+ name: session
+ beta: This field is beta and subject to change.
+ dashed_name: user-entity-type
+ description: 'A standardized high-level classification of the entity. This provides
+ a normalized way to group similar entities across different providers or systems.
+ Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`,
+ `user`, `application`, `session`, etc.'
+ example: host
+ flat_name: user.entity.type
ignore_above: 1024
level: core
- multi_fields:
- - flat_name: user.effective.name.text
- name: text
- type: match_only_text
- name: name
- normalize: []
- original_fieldset: user
- short: Short name or login of the user.
- type: keyword
- user.effective.roles:
- dashed_name: user-effective-roles
- description: Array of user roles at the time of the event.
- example: '["kibana_admin", "reporting_user"]'
- flat_name: user.effective.roles
- ignore_above: 1024
- level: extended
- name: roles
+ name: type
normalize:
- array
- original_fieldset: user
- short: Array of user roles at the time of the event.
- synthetic_source_keep: none
- type: keyword
- user.email:
- dashed_name: user-email
- description: User email address.
- flat_name: user.email
- ignore_above: 1024
- level: extended
- name: email
- normalize: []
- otel:
- - relation: match
- stability: development
- short: User email address.
+ original_fieldset: entity
+ short: Standardized high-level classification of the entity.
type: keyword
user.full_name:
dashed_name: user-full-name
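Review bot: check that `user.entity.type` is meant to be array-normalized. The `normalize:` / `- array` lines under it are unchanged context inherited from the removed `user.effective.roles` block, so the new field picks them up silently, while `user.entity.sub_type` in the same hunk is `normalize: []` and the `type` description and `example: host` read as single-valued. If a multi-valued classification is intended, the `short` should say so; if not, the fix belongs in `schemas/entity.yml` (`normalize: []` on `type`), not in this generated file. One more sanity check on this hunk: the `user.effective.id`, `user.effective.name`, `user.effective.roles` and `user.email` entries shown as removed here must reappear elsewhere in the regenerated file (diff alignment), otherwise the regeneration has dropped existing fields.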
@@ -27353,6 +29543,86 @@ user:
original_fieldset: user
short: Short name or login of the user.
type: keyword
+ user.target.risk.calculated_level:
+ dashed_name: user-target-risk-calculated-level
+ description: A risk classification level calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: High
+ flat_name: user.target.risk.calculated_level
+ ignore_above: 1024
+ level: extended
+ name: calculated_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: keyword
+ user.target.risk.calculated_score:
+ dashed_name: user-target-risk-calculated-score
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring.
+ example: 880.73
+ flat_name: user.target.risk.calculated_score
+ level: extended
+ name: calculated_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score calculated by an internal system as part
+ of entity analytics and entity risk scoring.
+ type: float
+ user.target.risk.calculated_score_norm:
+ dashed_name: user-target-risk-calculated-score-norm
+ description: A risk classification score calculated by an internal system as
+ part of entity analytics and entity risk scoring, and normalized to a range
+ of 0 to 100.
+ example: 88.73
+ flat_name: user.target.risk.calculated_score_norm
+ level: extended
+ name: calculated_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an internal system.
+ type: float
+ user.target.risk.static_level:
+ dashed_name: user-target-risk-static-level
+ description: A risk classification level obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: High
+ flat_name: user.target.risk.static_level
+ ignore_above: 1024
+ level: extended
+ name: static_level
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification level obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: keyword
+ user.target.risk.static_score:
+ dashed_name: user-target-risk-static-score
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform.
+ example: 830.0
+ flat_name: user.target.risk.static_score
+ level: extended
+ name: static_score
+ normalize: []
+ original_fieldset: risk
+ short: A risk classification score obtained from outside the system, such as
+ from some external Threat Intelligence Platform.
+ type: float
+ user.target.risk.static_score_norm:
+ dashed_name: user-target-risk-static-score-norm
+ description: A risk classification score obtained from outside the system, such
+ as from some external Threat Intelligence Platform, and normalized to a range
+ of 0 to 100.
+ example: 83.0
+ flat_name: user.target.risk.static_score_norm
+ level: extended
+ name: static_score_norm
+ normalize: []
+ original_fieldset: risk
+ short: A normalized risk score calculated by an external system.
+ type: float
user.target.roles:
dashed_name: user-target-roles
description: Array of user roles at the time of the event.
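Review bot: `user.target.risk.*` is new generated output even though the PR is about relocating `entity`; it results from `schemas/subsets/main.yml` switching `user.target` from an explicit field list to `fields: "*"`, which now drags the `risk` reuse along. Six additional mapped fields on the target user need their own line in the changelog and in the user fieldset reuse docs if they are wanted, and a reviewer reading only the `entity` description of this PR would not expect them.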
@@ -27372,10 +29642,10 @@ user:
nestings:
- user.changes
- user.effective
+ - user.entity
- user.group
- user.risk
- user.target
- - user.target.entity
prefix: user.
reusable:
expected:
@@ -27426,9 +29696,9 @@ user:
- full: user.group
schema_name: group
short: User's group relevant to the event.
- - full: user.target.entity
+ - full: user.entity
schema_name: entity
- short: Entity information for the targeted user.
+ short: Fields to describe various types of entities across IT environments.
- full: user.risk
schema_name: risk
short: Fields for describing risk score and level.
diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json
index dddd1c8f7a..1f74a7835a 100644
--- a/generated/elasticsearch/composable/component/cloud.json
+++ b/generated/elasticsearch/composable/component/cloud.json
@@ -24,6 +24,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
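Review bot: `attributes`, `behavior`, `lifecycle`, `metrics` and `raw` are mapped as bare `"type": "object"` with no `dynamic` setting, so every key a producer writes under them is dynamically mapped, and this PR now repeats the block under cloud, orchestrator, service and user plus their origin/changes/effective nestings. Multiplying an open-ended object across that many parents is the usual route to tripping `index.mapping.total_fields.limit` on an ECS index and to one noisy producer polluting the shared mapping. Consider `"dynamic": false` on these sub-objects (or `"enabled": false` for `raw`, which is meant to hold the provider's verbatim record), or at least document in the entity field reference that producers must keep the key set under them bounded.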
@@ -62,6 +122,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json
deleted file mode 100644
index be001bdc19..0000000000
--- a/generated/elasticsearch/composable/component/entity.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- "_meta": {
- "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html",
- "ecs_version": "9.2.0"
- },
- "template": {
- "mappings": {
- "properties": {
- "entity": {
- "properties": {
- "attributes": {
- "type": "object"
- },
- "behavior": {
- "type": "object"
- },
- "display_name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_seen_timestamp": {
- "type": "date"
- },
- "lifecycle": {
- "type": "object"
- },
- "metrics": {
- "type": "object"
- },
- "name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "raw": {
- "type": "object"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
-}
diff --git a/generated/elasticsearch/composable/component/orchestrator.json b/generated/elasticsearch/composable/component/orchestrator.json
index 6006f237cc..18d612ed19 100644
--- a/generated/elasticsearch/composable/component/orchestrator.json
+++ b/generated/elasticsearch/composable/component/orchestrator.json
@@ -32,6 +32,66 @@
}
}
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"namespace": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json
index 5c37290bc3..c0b1145614 100644
--- a/generated/elasticsearch/composable/component/service.json
+++ b/generated/elasticsearch/composable/component/service.json
@@ -12,6 +12,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"environment": {
"ignore_above": 1024,
"type": "keyword"
@@ -51,6 +111,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"environment": {
"ignore_above": 1024,
"type": "keyword"
diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json
index d6c66ec1fd..321049925b 100644
--- a/generated/elasticsearch/composable/component/user.json
+++ b/generated/elasticsearch/composable/component/user.json
@@ -18,6 +18,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -60,6 +120,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
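Review bot: this `risk` block sits under a nested `user` object, not under `user` itself where `user.risk` already existed; this file gains three of them (`user.changes`, `user.effective`, `user.target`). A risk level on `user.changes` is hard to give a meaning to (a score attached to the post-change state of the account in a single event?), and none of the three come from an explicit decision in `schemas/risk.yml`; they fall out of `fields: "*"` in `schemas/subsets/main.yml`. Please confirm they are wanted before they ship in a 9.2.0 component template, since removing mapped fields afterwards is a breaking change.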
@@ -81,6 +165,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -123,6 +267,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
@@ -134,6 +302,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -317,6 +545,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json
index ea900ffd6f..f78d3a4a69 100644
--- a/generated/elasticsearch/composable/template.json
+++ b/generated/elasticsearch/composable/template.json
@@ -16,7 +16,6 @@
"ecs_9.2.0_dns",
"ecs_9.2.0_ecs",
"ecs_9.2.0_email",
- "ecs_9.2.0_entity",
"ecs_9.2.0_error",
"ecs_9.2.0_event",
"ecs_9.2.0_faas",
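Review bot: dropping `ecs_9.2.0_entity` from the composed component list, together with deleting `generated/elasticsearch/composable/component/entity.json` and the root `entity` block in the legacy template, is a breaking change for anyone who referenced that component template by name or indexed `entity.*` at the event root, beta label or not. It needs an entry under breaking changes in the changelog and a migration note in the entity docs (root `entity.*` moves to `host.entity`, `user.entity`, `cloud.entity`, `service.entity`, `orchestrator.entity`), not only the wording change in `docs/reference/ecs-entity.md`.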
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index b8ed11959c..e9e8ce7072 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -248,6 +248,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
@@ -286,6 +346,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"instance": {
"properties": {
"id": {
@@ -1264,66 +1384,6 @@
}
}
},
- "entity": {
- "properties": {
- "attributes": {
- "type": "object"
- },
- "behavior": {
- "type": "object"
- },
- "display_name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_seen_timestamp": {
- "type": "date"
- },
- "lifecycle": {
- "type": "object"
- },
- "metrics": {
- "type": "object"
- },
- "name": {
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "raw": {
- "type": "object"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
"error": {
"properties": {
"code": {
@@ -2972,6 +3032,66 @@
}
}
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"namespace": {
"ignore_above": 1024,
"type": "keyword"
@@ -5281,30 +5401,90 @@
"ignore_above": 1024,
"type": "keyword"
},
- "environment": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
+ "entity": {
"properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
+ "attributes": {
+ "type": "object"
},
- "role": {
- "ignore_above": 1024,
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "environment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ephemeral_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "node": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "role": {
+ "ignore_above": 1024,
"type": "keyword"
},
"roles": {
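Review bot: the `-`/`+` churn on `environment`, `ephemeral_id`, `id`, `name` and `node` in this hunk is diff alignment only; each is re-added unchanged after the inserted `entity` block, so the only substantive change is the new `entity` object under service, matching the component `service.json`. Nothing to fix, but anyone comparing the legacy and composable outputs should regenerate the diff with `git diff --patience` or `--minimal` rather than review these lines one by one.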
@@ -5320,6 +5500,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"environment": {
"ignore_above": 1024,
"type": "keyword"
@@ -8028,6 +8268,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -8070,6 +8370,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
@@ -8091,6 +8415,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -8133,6 +8517,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
@@ -8144,6 +8552,66 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "entity": {
+ "properties": {
+ "attributes": {
+ "type": "object"
+ },
+ "behavior": {
+ "type": "object"
+ },
+ "display_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "last_seen_timestamp": {
+ "type": "date"
+ },
+ "lifecycle": {
+ "type": "object"
+ },
+ "metrics": {
+ "type": "object"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "raw": {
+ "type": "object"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"full_name": {
"fields": {
"text": {
@@ -8327,6 +8795,30 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "risk": {
+ "properties": {
+ "calculated_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "calculated_score": {
+ "type": "float"
+ },
+ "calculated_score_norm": {
+ "type": "float"
+ },
+ "static_level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "static_score": {
+ "type": "float"
+ },
+ "static_score_norm": {
+ "type": "float"
+ }
+ }
+ },
"roles": {
"ignore_above": 1024,
"synthetic_source_keep": "none",
diff --git a/schemas/entity.yml b/schemas/entity.yml
index 9d7326c85e..b4ec7dbedd 100644
--- a/schemas/entity.yml
+++ b/schemas/entity.yml
@@ -13,22 +13,14 @@
maintains its identity over time.
root: false
reusable:
- top_level: true
+ top_level: false
order: 2
expected:
+ - user
+ - cloud
- host
- - at: user
- as: entity
- full: user.target.entity
- short_override: Entity information for the targeted user.
- - at: cloud
- as: entity
- full: cloud.target.entity
- short_override: Entity information for the target cloud entity.
- - at: service
- as: entity
- full: service.target.entity
- short_override: Entity information for the target service.
+ - service
+ - orchestrator
fields:
- name: name
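Review bot: going from the `at`/`as`/`full`/`short_override` form to bare parent names drops the per-nesting `short_override`, so every `*.entity` reuse now carries the generic "Fields to describe various types of entities across IT environments." (visible in the `user.entity` reuse entry of the generated nested schema). The longer entry form is still available with `top_level: false`; a one-line override per parent would cost little and keep the field browser readable, and `orchestrator.entity`, which is new in this PR, currently has no nesting-specific documentation at all. Separately, with `top_level: false` the `order: 2` key no longer has a root placement to order; confirm it is still consumed by the generator or drop it.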
diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml
index 951c896c81..26cf72181a 100644
--- a/schemas/subsets/main.yml
+++ b/schemas/subsets/main.yml
@@ -59,25 +59,14 @@ fields:
account:
fields: "*"
availability_zone: {}
+ entity:
+ fields: "*"
instance:
fields: "*"
machine:
fields: "*"
origin:
- fields:
- account:
- fields: "*"
- availability_zone: {}
- instance:
- fields: "*"
- machine:
- fields: "*"
- project:
- fields: "*"
- provider: {}
- region: {}
- service:
- fields: "*"
+ fields: "*"
project:
fields: "*"
provider: {}
@@ -554,6 +543,8 @@ fields:
service:
fields:
address: {}
+ entity:
+ fields: "*"
environment: {}
ephemeral_id: {}
id: {}
@@ -561,17 +552,7 @@ fields:
node:
fields: "*"
origin:
- fields:
- address: {}
- environment: {}
- ephemeral_id: {}
- id: {}
- name: {}
- node:
- fields: "*"
- state: {}
- type: {}
- version: {}
+ fields: "*"
state: {}
target:
fields: "*"
@@ -621,28 +602,12 @@ fields:
user:
fields:
changes:
- fields:
- domain: {}
- email: {}
- group:
- fields: "*"
- full_name: {}
- hash: {}
- id: {}
- name: {}
- roles: {}
+ fields: "*"
domain: {}
+ entity:
+ fields: "*"
effective:
- fields:
- domain: {}
- email: {}
- group:
- fields: "*"
- full_name: {}
- hash: {}
- id: {}
- name: {}
- roles: {}
+ fields: "*"
email: {}
group:
fields: "*"
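Review bot: `user.changes` and `user.effective` previously enumerated their fields and so excluded `risk` and `entity`; with `fields: "*"` both nestings now receive them, plus any field added to `user` later. Confirm that `risk` scores are meaningful under `user.changes` (the state after a change) and `user.effective` before mapping them there; if not, keep the explicit lists and add just `entity` to them.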
@@ -654,18 +619,7 @@ fields:
fields: "*"
roles: {}
target:
- fields:
- domain: {}
- email: {}
- entity:
- fields: "*"
- group:
- fields: "*"
- full_name: {}
- hash: {}
- id: {}
- name: {}
- roles: {}
+ fields: "*"
vlan:
fields: "*"
volume:
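Review bot: the old explicit `user.target` list already contained `entity: fields: "*"`, so `user.target.entity` is a pre-existing nesting rather than something this hunk introduces; now that `schemas/entity.yml` no longer declares `user.target.entity` directly, whether it still exists depends on the `entity` foreign reuse into `user` being applied before `user` self-nests into `target`, which is decided by the reuse-order handling in `scripts/schema/finalizer.py`. Verify that the regenerated mapping still contains `user.target.entity` and state that expectation in the PR, so that a silent loss of the nesting is caught.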
diff --git a/scripts/generators/markdown_fields.py b/scripts/generators/markdown_fields.py
index ad51d4db61..87be2acb8c 100644
--- a/scripts/generators/markdown_fields.py
+++ b/scripts/generators/markdown_fields.py
@@ -53,16 +53,9 @@ def render_fieldset_reuse_text(fieldset):
:param fieldset: The fieldset to evaluate
"""
- # Special handling for entity fieldset which has reusable in schema_details
- if fieldset.get('field_details', {}).get('name') == 'entity':
- reusable = fieldset.get('schema_details', {}).get('reusable')
- else:
- # For all other fieldsets, use the original location
- reusable = fieldset.get('reusable')
-
- if not reusable:
+ if not fieldset.get('reusable'):
return None
- reusable_fields = reusable['expected']
+ reusable_fields = fieldset['reusable']['expected']
sorted_fields = sorted(reusable_fields, key=lambda k: k['full'])
return map(lambda f: f['full'], sorted_fields)
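Review bot: `render_fieldset_reuse_text` still returns a `map` object, which is a single-pass iterator and is always truthy, while this patch removes the `list(...)` conversions at both call sites in `page_fieldset` and `generate_field_details_page`; a second iteration in the template, or a truthiness test like the one removed from `fieldset.j2`, would then see an exhausted or misleadingly non-empty value. Return a list from here instead, e.g. `return [f['full'] for f in sorted_fields]`, and the callers stay simple without the risk.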
@@ -111,48 +104,6 @@ def sort_fields(fieldset):
fields_list = list(fieldset['fields'].values())
for field in fields_list:
field['allowed_value_names'] = extract_allowed_values_key_names(field)
-
- # For fields with nested field_details structure, flatten the properties
- if 'field_details' in field:
- field_details = field['field_details']
- # Copy essential properties from field_details to top level for template compatibility
- field['name'] = field_details.get('name', field.get('name', ''))
- field['level'] = field_details.get('level', field.get('level'))
- field['type'] = field_details.get('type', field.get('type'))
- field['description'] = field_details.get('description', field.get('description'))
- field['beta'] = field_details.get('beta', field.get('beta'))
- field['short'] = field_details.get('short', field.get('short'))
-
- # Only include example if it has a real value (not None or empty)
- example = field_details.get('example')
- if example is not None and example != '' and str(example).lower() != 'none':
- field['example'] = example
- # Don't set example at all if it's None/empty - let template handle conditional logic
-
- # Construct flat_name and dashed_name from the fieldset and field name
- fieldset_name = fieldset.get('field_details', {}).get('name', fieldset.get('name', ''))
- field_name = field_details.get('name', '')
- if fieldset_name and field_name:
- field['flat_name'] = f"{fieldset_name}.{field_name}"
- field['dashed_name'] = f"{fieldset_name}-{field_name}"
-
- # Handle multi_fields if present - ensure proper structure
- if 'multi_fields' in field_details and field_details['multi_fields']:
- multi_fields = field_details['multi_fields']
- # Process multi_fields to ensure proper field names
- processed_multi_fields = []
- for mf in multi_fields:
- if isinstance(mf, dict) and 'name' in mf:
- # Construct full field name for multi-field
- if fieldset_name and field_name:
- mf_copy = dict(mf)
- mf_copy['flat_name'] = f"{fieldset_name}.{field_name}.{mf['name']}"
- processed_multi_fields.append(mf_copy)
- else:
- processed_multi_fields.append(mf)
- if processed_multi_fields:
- field['multi_fields'] = processed_multi_fields
-
return sorted(fields_list, key=lambda field: field['name'])
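Review bot: deleting the `field_details` flattening makes `sort_fields` depend on every field already carrying top-level `name`, `level`, `type`, `description` and `flat_name` keys; otherwise the closing `sorted(fields_list, key=lambda field: field['name'])` raises `KeyError`, or the template renders without type and example. That is presumably guaranteed now that `entity` goes through the ordinary `reusable` path instead of the `schema_details` special case, but `entity` was the one field set this code existed for, so add a generator test that renders the `entity` fieldset page end to end.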
@@ -227,24 +178,10 @@ def page_index(ecs_generated_version):
@templated('fieldset.j2')
def page_fieldset(fieldset, nested, ecs_generated_version):
sorted_reuse_fields = render_fieldset_reuse_text(fieldset)
- if sorted_reuse_fields is not None:
- sorted_reuse_fields = list(sorted_reuse_fields)
render_nestings_reuse_fields = render_nestings_reuse_section(fieldset)
sorted_fields = sort_fields(fieldset)
-
- # Normalize fieldset structure for template compatibility
- normalized_fieldset = dict(fieldset)
- field_details = fieldset.get('field_details', {})
- schema_details = fieldset.get('schema_details', {})
-
- # Ensure top-level attributes are available
- normalized_fieldset['name'] = field_details.get('name', fieldset.get('name', ''))
- normalized_fieldset['title'] = schema_details.get('title', fieldset.get('title', ''))
- normalized_fieldset['description'] = field_details.get('description', fieldset.get('description', ''))
- normalized_fieldset['short'] = field_details.get('short', fieldset.get('short', ''))
-
- usage_doc = check_for_usage_doc(normalized_fieldset['name'])
- return dict(fieldset=normalized_fieldset,
+ usage_doc = check_for_usage_doc(fieldset.get('name'))
+ return dict(fieldset=fieldset,
sorted_reuse_fields=sorted_reuse_fields,
render_nestings_reuse_section=render_nestings_reuse_fields,
sorted_fields=sorted_fields,
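Review bot: `check_for_usage_doc(fieldset.get('name'))` passes `None` when `name` is absent, where the removed normalisation defaulted to `''`; if `check_for_usage_doc` builds a path from its argument that becomes a `TypeError` instead of a missing-file result. Use `fieldset['name']` (a fieldset without a name is a bug worth failing loudly on) or keep the `''` default. Dropping the `list(sorted_reuse_fields)` conversion is only safe if the template iterates that value exactly once, since it is still a `map` iterator.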
@@ -276,8 +213,6 @@ def page_field_details(nested, docs_only_nested):
def generate_field_details_page(fieldset):
# render field reuse text section
sorted_reuse_fields = render_fieldset_reuse_text(fieldset)
- if sorted_reuse_fields is not None:
- sorted_reuse_fields = list(sorted_reuse_fields)
render_nestings_reuse_fields = render_nestings_reuse_section(fieldset)
sorted_fields = sort_fields(fieldset)
usage_doc = check_for_usage_doc(fieldset.get('name'))
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index 206740b6e9..10e54213ec 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
@@ -142,8 +142,7 @@ def normalize_reuse_notation(schema: FieldEntry) -> None:
f"Got {reuse_entry}.")
else: # Make it explicit
explicit_entry = {'at': reuse_entry, 'as': schema_name}
- if 'full' not in explicit_entry:
- explicit_entry['full'] = explicit_entry['at'] + '.' + explicit_entry['as']
+ explicit_entry['full'] = explicit_entry['at'] + '.' + explicit_entry['as']
reuse_entries.append(explicit_entry)
schema['schema_details']['reusable']['expected'] = reuse_entries
diff --git a/scripts/schema/finalizer.py b/scripts/schema/finalizer.py
index 8e645b3f14..43ede81a19 100644
--- a/scripts/schema/finalizer.py
+++ b/scripts/schema/finalizer.py
@@ -21,7 +21,8 @@
from schema import visitor
# This script takes the fleshed out deeply nested fields dictionary as emitted by
-# cleaner.py, and performs field reuse in two phases.
+# cleaner.py, and performs field reuse in two phases, repeated for each reuse order, from highest
+# priority to lowest.
#
# Phase 1 performs field reuse across field sets. E.g. `group` fields should also be under `user`.
# This type of reuse is then carried around if the receiving field set is also reused.
@@ -52,8 +53,9 @@ def order_reuses(fields):
destination_schema_name = reuse_entry['full'].split('.')[0]
if destination_schema_name == schema_name:
# Accumulate self-nestings for phase 2.
- self_nestings.setdefault(destination_schema_name, [])
- self_nestings[destination_schema_name].extend([reuse_entry])
+ self_nestings.setdefault(reuse_order, {})
+ self_nestings[reuse_order].setdefault(destination_schema_name, [])
+ self_nestings[reuse_order][destination_schema_name].extend([reuse_entry])
else:
# Group foreign reuses by 'order' attribute.
foreign_reuses.setdefault(reuse_order, {})
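Review bot: the shape of the `self_nestings` return value changes from `{schema_name: [entries]}` to `{order: {schema_name: [entries]}}`, mirroring `foreign_reuses`; document the new shape on `order_reuses` and update any test that unpacks the tuple, since a caller other than `perform_reuse` would now iterate order numbers where it expects schema names.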
@@ -63,60 +65,61 @@ def order_reuses(fields):
def perform_reuse(fields):
- """Performs field reuse in two phases"""
+ """Performs field reuse respecting order for both foreign reuses and self-nestings"""
foreign_reuses, self_nestings = order_reuses(fields)
- # Phase 1: foreign reuse
- # These are done respecting the reusable.order attribute.
- # This lets us force the order for chained reuses (e.g. group => user, then user => many places)
- for order in sorted(foreign_reuses.keys()):
- for schema_name, reuse_entries in foreign_reuses[order].items():
- schema = fields[schema_name]
- for reuse_entry in reuse_entries:
- # print(order, "{} => {}".format(schema_name, reuse_entry['full']))
- nest_as = reuse_entry['as']
- destination_schema_name = reuse_entry['full'].split('.')[0]
- destination_schema = fields[destination_schema_name]
- ensure_valid_reuse(schema, destination_schema)
-
- new_field_details = copy.deepcopy(schema['field_details'])
- new_field_details['name'] = nest_as
- new_field_details['original_fieldset'] = schema_name
- new_field_details['intermediate'] = True
+ # Process foreign reuses and self-nestings together, respecting order
+ all_orders = sorted(set(list(foreign_reuses.keys()) + list(self_nestings.keys())))
+
+ for order in all_orders:
+ # Phase 1: foreign reuse for this order
+ if order in foreign_reuses:
+ for schema_name, reuse_entries in foreign_reuses[order].items():
+ schema = fields[schema_name]
+ for reuse_entry in reuse_entries:
+ nest_as = reuse_entry['as']
+ destination_schema_name = reuse_entry['full'].split('.')[0]
+ destination_schema = fields[destination_schema_name]
+ ensure_valid_reuse(schema, destination_schema)
+
+ new_field_details = copy.deepcopy(schema['field_details'])
+ new_field_details['name'] = nest_as
+ new_field_details['original_fieldset'] = schema_name
+ new_field_details['intermediate'] = True
+ reused_fields = copy.deepcopy(schema['fields'])
+ set_original_fieldset(reused_fields, schema_name)
+ destination_fields = field_group_at_path(reuse_entry['at'], fields)
+ destination_fields[nest_as] = {
+ 'field_details': new_field_details,
+ 'fields': reused_fields,
+ }
+ append_reused_here(schema, reuse_entry, destination_schema)
+
+ # Phase 2: self-nesting for this order
+ if order in self_nestings:
+ for schema_name, reuse_entries in self_nestings[order].items():
+ schema = fields[schema_name]
+ ensure_valid_reuse(schema)
+ # Since we're about self-nest more fields within these, make a pristine copy first
reused_fields = copy.deepcopy(schema['fields'])
set_original_fieldset(reused_fields, schema_name)
- destination_fields = field_group_at_path(reuse_entry['at'], fields)
- destination_fields[nest_as] = {
- 'field_details': new_field_details,
- 'fields': reused_fields,
- }
- append_reused_here(schema, reuse_entry, destination_schema)
-
- # Phase 2: self-nesting
- for schema_name, reuse_entries in self_nestings.items():
- schema = fields[schema_name]
- ensure_valid_reuse(schema)
- # Since we're about self-nest more fields within these, make a pristine copy first
- reused_fields = copy.deepcopy(schema['fields'])
- set_original_fieldset(reused_fields, schema_name)
- for reuse_entry in reuse_entries:
- # print("x {} => {}".format(schema_name, reuse_entry['full']))
- nest_as = reuse_entry['as']
- new_field_details = copy.deepcopy(schema['field_details'])
- new_field_details['name'] = nest_as
- new_field_details['original_fieldset'] = schema_name
- new_field_details['intermediate'] = True
- # to handle multi-level self-nesting
- if reuse_entry['at'] != schema_name:
- destination_fields = field_group_at_path(reuse_entry['at'], fields)
- else:
- destination_fields = schema['fields']
- destination_fields[nest_as] = {
- 'field_details': new_field_details,
- # Make a new copy of the pristine copy
- 'fields': copy.deepcopy(reused_fields),
- }
- append_reused_here(schema, reuse_entry, fields[schema_name])
+ for reuse_entry in reuse_entries:
+ nest_as = reuse_entry['as']
+ new_field_details = copy.deepcopy(schema['field_details'])
+ new_field_details['name'] = nest_as
+ new_field_details['original_fieldset'] = schema_name
+ new_field_details['intermediate'] = True
+ # to handle multi-level self-nesting
+ if reuse_entry['at'] != schema_name:
+ destination_fields = field_group_at_path(reuse_entry['at'], fields)
+ else:
+ destination_fields = schema['fields']
+ destination_fields[nest_as] = {
+ 'field_details': new_field_details,
+ # Make a new copy of the pristine copy
+ 'fields': copy.deepcopy(reused_fields),
+ }
+ append_reused_here(schema, reuse_entry, fields[schema_name])
def ensure_valid_reuse(reused_schema, destination_schema=None):
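Review bot: interleaving phase 2 with phase 1 per order changes which fields a self-nesting carries: the pristine copy `reused_fields = copy.deepcopy(schema['fields'])` is now taken at the destination's own order, so a field set foreign-reused into it at a higher order number (lower priority) is absent from the self-nested copies, whereas before all foreign reuse completed first. Whether `user.target.entity` still exists after removing the explicit entry in `schemas/entity.yml` therefore depends on the relative `order` values of `entity` and `user`; state that rule in the header comment of this file and add a test with two field sets at different orders asserting both the carried and the not-carried case. Minor: the comment 'Since we're about self-nest more fields within these' (should read 'about to self-nest') was carried over unchanged.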
diff --git a/scripts/templates/fieldset.j2 b/scripts/templates/fieldset.j2
index cd0c0be721..390cd65bfc 100644
--- a/scripts/templates/fieldset.j2
+++ b/scripts/templates/fieldset.j2
@@ -77,7 +77,7 @@ applies_to:
{% endfor %}
{# field reuse section -#}
-{% if 'reusable' in fieldset or (fieldset['name'] == 'entity' and sorted_reuse_fields) -%}
+{% if 'reusable' in fieldset -%}
## Field reuse [_field_reuse]
@@ -87,12 +87,7 @@ The `{{ fieldset['name'] }}` fields are expected to be nested at:
* `{{ entry }}`
{% endfor %}
-{% if fieldset['name'] == 'entity' -%}
-{% set reusable = fieldset.get('schema_details', {}).get('reusable', {}) -%}
-{% else -%}
-{% set reusable = fieldset.get('reusable', {}) -%}
-{% endif -%}
-{% if reusable.get('top_level') -%}
+{% if 'top_level' in fieldset['reusable'] and fieldset['reusable']['top_level'] -%}
Note also that the `{{ fieldset['name'] }}` fields may be used directly at the root of the events.
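Review bot: `{% if 'top_level' in fieldset['reusable'] and fieldset['reusable']['top_level'] -%}` can be written as `{% if fieldset['reusable'].get('top_level') -%}`, which Jinja2 supports on dicts and which matches the `reusable.get('top_level')` form this hunk removes; and if the cleaner always populates `top_level`, `fieldset['reusable']['top_level']` alone is enough, with a missing key surfacing as an error instead of silently rendering the "not expected at the root" variant.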