diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index ed2bf03f35..9ce7ef4a5d 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -1,33 +1,14 @@ # 0049: Entity Field Set - - -- Stage: **0 (strawperson)** -- Date: 2025-03-06 - - - - - - - - - +- Stage: **1 (draft)** +- Date: 2025-04-23 An entity represents a discrete, identifiable component within an IT environment that can be described by a set of attributes and maintains its identity over time. Entities can be physical (like hosts or devices), logical (like containers or processes), or abstract (like applications or services). Currently, ECS provides specific field sets for certain categories of entities (e.g., host, user, cloud, orchestrator) to capture their metadata. However, as IT infrastructure continues to evolve, we encounter an increasing number of entity types that don't cleanly fit into existing field sets – for example, storage services like S3, database instances like DynamoDB, or various other cloud services and IT related infrastructure components (both digital and physical). This field set aims to solve several key challenges: + 1. Providing a flexible way to represent different types of entities without requiring new field sets for each category 2. Supporting a consistent structure for capturing entity metadata across different entity types 3. Enabling the representation of entities that don't fit into existing field sets @@ -41,22 +22,13 @@ This approach would allow ECS to accommodate new types of entities without requi |-------|------|-------------| | entity.id | keyword | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in entity.raw. | | entity.source | keyword | The module or integration that provided this entity data (similar to event.module). | -| entity.type | keyword | A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, etc. There will be an allowed set of values maintained for this field to ensure consistency. | +| entity.type | keyword | A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, etc. | | entity.sub_type | keyword | The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than entity.type. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to type `bucket`. | -| entity.name | keyword, text | The human-readable name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. | -| entity.url | keyword | A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. | +| entity.name | keyword, text | The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. | +| entity.reference | keyword | A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. | | entity.attributes.* | object | Normalized entity attributes using capitalized field names (e.g., `entity.attributes.StorageClass`, `entity.attributes.MfaEnabled`). Use this field set when you need specific data types, advanced search capabilities, or normalized values across different providers/sources. The capitalization pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. | | entity.raw.* | flattened | Original, unmodified fields from the source system stored in a flattened format that maintains basic searchability. While `entity.attributes` should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. Supports existence queries, exact value matches, and simple aggregations. | - - -The fields from the ECS [risk field set](https://www.elastic.co/guide/en/ecs/current/ecs-risk.html) can be nested under entity - -| Field | Type | Description | -|-------|------|-------------| -| entity.risk.* | * | Fields for describing risk score and risk level of entities such as hosts and users. | - - When representing entities that correspond to existing ECS field sets (e.g., hosts, users, services, containers), the relevant ECS field set should be used to capture detailed metadata about that entity. For example: - Host entities should utilize the `host.*` field set to capture detailed host information @@ -68,91 +40,40 @@ This approach ensures backward compatibility, maintains existing ECS patterns, a ## Usage -Out Of Scope for Stage 0 (based on template) +The entity field set enables us to normalize entity data in such a way where we can easily query key attributes in a standardized way regardless of the type and source of the entity. This will be how we'll normalize all entity data in the upcoming inventory experience that we're planning for the security solution. - +This approach will enable security analysts to view all the entities discovered inside of their environment, whether from logs or other data sources. The entity field set will then begin powering all parts of our security solution experience like alerts, where we can now represent more entities beyond just users and hosts. -## Source data +Essentially, this field set gives us a standard way to represent any entity's metadata, regardless of its type or source, and provides customers with the same ability to standardize that information across their environments. -Out Of Scope for Stage 0 (based on template) - - - - +## Source data - +Due to the high-level taxonomy approach we've developed for the entity field set, it doesn't exclude any data source. Any data source can model an entity using this field set, making it universally applicable across different technologies, platforms, and environments. ## Scope of impact -Out Of Scope for Stage 0 (based on template) - - +TO DO ## Concerns -Out Of Scope for Stage 0 (based on template) +### Entity Type Governance - +The `entity.type` field needs a controlled vocabulary to maintain consistency and interoperability. However, an overly restrictive list might limit the field set's utility for emerging technologies and use cases. - - - +**Potential solution:** Establish a governance process for `entity.type` values, including an initial set of well-defined types and a mechanism for proposing and reviewing new types. Document a clear taxonomy with examples to guide users in selecting appropriate types. ## People - - -The following are the people that consulted on the contents of this RFC. - -* Author: @tinnytintin10 -* Sponsor: @MikePaquette & @YulNaumenko - +- Author: @tinnytintin10 +- Sponsor: @MikePaquette & @YulNaumenko ## References -- Related effort in Otel: [Resource and Entities - Data Model](https://github.com/open-telemetry/opentelemetry-specification/blob/main/oteps/entities/0264-resource-and-entities.md) - - - +TO DO ### RFC Pull Requests - - - -* Stage 0: https://github.com/elastic/ecs/pull/2434 +- Stage 0: +- Stage 1: diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml new file mode 100644 index 0000000000..b4612b9fe1 --- /dev/null +++ b/rfcs/text/0049/entity.yml @@ -0,0 +1,106 @@ +--- +# Entity field set schema definition +name: entity +title: Entity +group: 2 +type: group +short: Fields to describe various types of entities across IT environments. +description: > + The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those + that don't have dedicated field sets in ECS. An entity represents a discrete, + identifiable component that can be described by a set of attributes and + maintains its identity over time. +root: true +fields: + + - name: entity.id + level: core + type: keyword + short: Unique identifier for the entity. + description: > + A unique identifier for the entity. When multiple identifiers exist, this should be + the most stable and commonly used identifier that: 1) persists across the entity's + lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries + and correlation, and 4) is readily available in most observations (logs/events). + For entities with dedicated field sets (e.g., host, user), this value should match + the corresponding *.id field. If the entity has multiple identifiers, these alternative identifiers can be preserved in entity.raw. + example: i-04ff5d36be3d6896c, arn:aws:s3:::my-bucket, projects/123456789/locations/us-central1/instances/my-db + + - name: entity.source + level: core + type: keyword + normalize: + - array + short: Source module or integration that provided the entity data. + description: > + The module or integration that provided this entity data (similar to event.module). + This helps identify the origin of the entity information and aids in troubleshooting + or validating data quality. + example: aws, azure, gcp, kubernetes, cloudflare + + - name: entity.type + level: core + type: keyword + short: Standardized high-level classification of the entity. + description: > + A standardized high-level classification of the entity. This provides a normalized way + to group similar entities across different providers or systems. + example: bucket, database, container, function, queue, host, user, loadbalancer + + - name: entity.sub_type + level: extended + type: keyword + short: The specific type designation for the entity as defined by its provider or system. + description: > + The specific type designation for the entity as defined by its provider or system. This field + provides more granular classification than entity.type. While entity.type provides a normalized + classification across different systems, entity.sub_type preserves the provider-specific + categorization. + example: aws_s3_bucket, gcp_cloud_storage_bucket, azure_blob_container, aws_lambda_function + + - name: entity.name + level: core + type: keyword + multi_fields: + - name: text + type: text + short: The name of the entity. + description: > + The name of the entity. The keyword field enables exact matches for filtering + and aggregations, while the text field enables full-text search. For entities with dedicated + field sets (e.g., user, host. etc.,), this field should mirror the corresponding *.name value. + example: my-production-database, web-server-01, payment-processing-queue + + - name: entity.reference + level: extended + type: keyword + short: A URI, URL, or other direct reference to access or locate the entity. + description: > + A URI, URL, or other direct reference to access or locate the entity in its source system. + This could be an API endpoint, web console URL, or other addressable location. Format may + vary by entity type and source system. + example: https://console.aws.amazon.com/s3/buckets/my-bucket/, https://us-central1-myproject.cloudfunctions.net/processPayment + + - name: entity.attributes + level: extended + type: object + object_type: keyword + short: Normalized entity attributes with specific data types. + description: > + Normalized entity attributes using capitalized field names (e.g., entity.attributes.StorageClass, + entity.attributes.MfaEnabled). Use this field set when you need specific data types, advanced + search capabilities, or normalized values across different providers/sources. The capitalization + pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. + dynamic: true + + - name: entity.raw + level: extended + type: flattened + short: Original, unmodified fields from the source system. + description: > + Original, unmodified fields from the source system stored in a flattened format that maintains + basic searchability. While entity.attributes should be used for normalized fields requiring + advanced queries, this field preserves all source metadata with basic search capabilities. + Supports existence queries, exact value matches, and simple aggregations. + dynamic: true \ No newline at end of file