From 670f14581611736b91f63b5d07c00ed32382bf17 Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Tue, 25 Mar 2025 00:21:20 -0400 Subject: [PATCH 1/9] add stage 1 readme updates and entity.yml --- rfcs/text/0049-entity-fields.md | 104 ++++------------------------- rfcs/text/0049/entity.yml | 115 ++++++++++++++++++++++++++++++++ 2 files changed, 129 insertions(+), 90 deletions(-) create mode 100644 rfcs/text/0049/entity.yml diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index ed2bf03f35..aaf518c378 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -1,27 +1,7 @@ # 0049: Entity Field Set - - -- Stage: **0 (strawperson)** -- Date: 2025-03-06 - - - - - - - - - +- Stage: **1 (draft)** +- Date: An entity represents a discrete, identifiable component within an IT environment that can be described by a set of attributes and maintains its identity over time. Entities can be physical (like hosts or devices), logical (like containers or processes), or abstract (like applications or services). @@ -48,15 +28,12 @@ This approach would allow ECS to accommodate new types of entities without requi | entity.attributes.* | object | Normalized entity attributes using capitalized field names (e.g., `entity.attributes.StorageClass`, `entity.attributes.MfaEnabled`). Use this field set when you need specific data types, advanced search capabilities, or normalized values across different providers/sources. The capitalization pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. | | entity.raw.* | flattened | Original, unmodified fields from the source system stored in a flattened format that maintains basic searchability. While `entity.attributes` should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. Supports existence queries, exact value matches, and simple aggregations. | - - The fields from the ECS [risk field set](https://www.elastic.co/guide/en/ecs/current/ecs-risk.html) can be nested under entity | Field | Type | Description | |-------|------|-------------| | entity.risk.* | * | Fields for describing risk score and risk level of entities such as hosts and users. | - When representing entities that correspond to existing ECS field sets (e.g., hosts, users, services, containers), the relevant ECS field set should be used to capture detailed metadata about that entity. For example: - Host entities should utilize the `host.*` field set to capture detailed host information @@ -68,91 +45,38 @@ This approach ensures backward compatibility, maintains existing ECS patterns, a ## Usage -Out Of Scope for Stage 0 (based on template) - - +The entity field set enables us to normalize entity data in such a way where we can easily query key attributes in a standardized way regardless of the type and source of the entity. This will be how we'll normalize all entity data in the upcoming inventory experience that we're planning for the security solution. -## Source data - -Out Of Scope for Stage 0 (based on template) +This approach will enable security analysts to view all the entities discovered inside of their environment, whether from logs or other data sources. The entity field set will then begin powering all parts of our security solution experience like alerts, where we can now represent more entities beyond just users and hosts. - +Essentially, this field set gives us a standard way to represent any entity's metadata, regardless of its type or source, and provides customers with the same ability to standardize that information across their environments. - +## Source data - +Due to the high-level taxonomy approach we've developed for the entity field set, it doesn't exclude any data source. Any data source can model an entity using this field set, making it universally applicable across different technologies, platforms, and environments. ## Scope of impact -Out Of Scope for Stage 0 (based on template) - - +TO DO ## Concerns -Out Of Scope for Stage 0 (based on template) - - - - +### Entity Type Governance +The `entity.type` field needs a controlled vocabulary to maintain consistency and interoperability. However, an overly restrictive list might limit the field set's utility for emerging technologies and use cases. - +**Potential solution:** Establish a governance process for `entity.type` values, including an initial set of well-defined types and a mechanism for proposing and reviewing new types. Document a clear taxonomy with examples to guide users in selecting appropriate types. ## People - - The following are the people that consulted on the contents of this RFC. -* Author: @tinnytintin10 -* Sponsor: @MikePaquette & @YulNaumenko - +TO DO ## References -- Related effort in Otel: [Resource and Entities - Data Model](https://github.com/open-telemetry/opentelemetry-specification/blob/main/oteps/entities/0264-resource-and-entities.md) - - - +TO DO ### RFC Pull Requests - - - * Stage 0: https://github.com/elastic/ecs/pull/2434 +* Stage 1: TBD diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml new file mode 100644 index 0000000000..d7fd4270ff --- /dev/null +++ b/rfcs/text/0049/entity.yml @@ -0,0 +1,115 @@ +--- +# Entity field set schema definition +name: entity +title: Entity +group: 2 +type: group +short: Fields to describe various types of entities across IT environments. +description: > + The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those + that don't have dedicated field sets in ECS. An entity represents a discrete, + identifiable component that can be described by a set of attributes and + maintains its identity over time. +root: true +fields: + + - name: entity.id + level: core + type: keyword + short: Unique identifier for the entity. + description: > + A unique identifier for the entity. When multiple identifiers exist, this should be + the most stable and commonly used identifier that: 1) persists across the entity's + lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries + and correlation, and 4) is readily available in most observations (logs/events). + For entities with dedicated field sets (e.g., host, user), this value should match + the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) + can be preserved in entity.raw. + example: i-04ff5d36be3d6896c, arn:aws:s3:::my-bucket, projects/123456789/locations/us-central1/instances/my-db + + - name: entity.source + level: core + type: keyword + short: Source module or integration that provided the entity data. + description: > + The module or integration that provided this entity data (similar to event.module). + This helps identify the origin of the entity information and aids in troubleshooting + or validating data quality. + example: aws, azure, gcp, kubernetes, cloudflare + + - name: entity.type + level: core + type: keyword + short: Standardized high-level classification of the entity. + description: > + A standardized high-level classification of the entity. This provides a normalized way + to group similar entities across different providers or systems. There will be an + allowed set of values maintained for this field to ensure consistency. + example: bucket, database, container, function, queue, host, user, loadbalancer + + - name: entity.sub_type + level: extended + type: keyword + short: The specific type designation for the entity as defined by its provider or system. + description: > + The specific type designation for the entity as defined by its provider or system. This field + provides more granular classification than entity.type. While entity.type provides a normalized + classification across different systems, entity.sub_type preserves the provider-specific + categorization. + example: aws_s3_bucket, gcp_cloud_storage_bucket, azure_blob_container, aws_lambda_function + + - name: entity.name + level: core + type: keyword + multi_fields: + - name: text + type: text + short: The human-readable name of the entity. + description: > + The human-readable name of the entity. The keyword field enables exact matches for filtering + and aggregations, while the text field enables full-text search. For entities with dedicated + field sets (e.g., host), this field should mirror the corresponding *.name value. + example: my-production-database, web-server-01, payment-processing-queue + + - name: entity.url + level: extended + type: keyword + short: A URI, URL, or other direct reference to access or locate the entity. + description: > + A URI, URL, or other direct reference to access or locate the entity in its source system. + This could be an API endpoint, web console URL, or other addressable location. Format may + vary by entity type and source system. + example: https://console.aws.amazon.com/s3/buckets/my-bucket/, https://us-central1-myproject.cloudfunctions.net/processPayment + + - name: entity.attributes + level: extended + type: object + object_type: keyword + short: Normalized entity attributes with specific data types. + description: > + Normalized entity attributes using capitalized field names (e.g., entity.attributes.StorageClass, + entity.attributes.MfaEnabled). Use this field set when you need specific data types, advanced + search capabilities, or normalized values across different providers/sources. The capitalization + pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. + dynamic: true + + - name: entity.raw + level: extended + type: flattened + short: Original, unmodified fields from the source system. + description: > + Original, unmodified fields from the source system stored in a flattened format that maintains + basic searchability. While entity.attributes should be used for normalized fields requiring + advanced queries, this field preserves all source metadata with basic search capabilities. + Supports existence queries, exact value matches, and simple aggregations. + dynamic: true + + - name: entity.risk + level: extended + type: group + short: Fields for describing risk score and risk level of entities. + description: > + Fields for describing risk score and risk level of entities such as hosts and users. + These fields mirror the structure of the ECS risk field set but are nested under entity + to provide consistent risk assessments for all entity types. From e0994c171b3ec14d10ea88bbb1f3e859917ad271 Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 20:38:57 -0400 Subject: [PATCH 2/9] update entity.url to entity.reference --- rfcs/text/0049-entity-fields.md | 2 +- rfcs/text/0049/entity.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index aaf518c378..960cbe8ea6 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -24,7 +24,7 @@ This approach would allow ECS to accommodate new types of entities without requi | entity.type | keyword | A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, etc. There will be an allowed set of values maintained for this field to ensure consistency. | | entity.sub_type | keyword | The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than entity.type. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to type `bucket`. | | entity.name | keyword, text | The human-readable name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. | -| entity.url | keyword | A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. | +| entity.reference | keyword | A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. | | entity.attributes.* | object | Normalized entity attributes using capitalized field names (e.g., `entity.attributes.StorageClass`, `entity.attributes.MfaEnabled`). Use this field set when you need specific data types, advanced search capabilities, or normalized values across different providers/sources. The capitalization pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. | | entity.raw.* | flattened | Original, unmodified fields from the source system stored in a flattened format that maintains basic searchability. While `entity.attributes` should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. Supports existence queries, exact value matches, and simple aggregations. | diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml index d7fd4270ff..7c9aaf601d 100644 --- a/rfcs/text/0049/entity.yml +++ b/rfcs/text/0049/entity.yml @@ -72,7 +72,7 @@ fields: field sets (e.g., host), this field should mirror the corresponding *.name value. example: my-production-database, web-server-01, payment-processing-queue - - name: entity.url + - name: entity.reference level: extended type: keyword short: A URI, URL, or other direct reference to access or locate the entity. From 374ca057f6e1aeff33f5094412a1db0e408750a7 Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 21:18:29 -0400 Subject: [PATCH 3/9] update entity.name description --- rfcs/text/0049/entity.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml index 7c9aaf601d..a514449881 100644 --- a/rfcs/text/0049/entity.yml +++ b/rfcs/text/0049/entity.yml @@ -65,11 +65,11 @@ fields: multi_fields: - name: text type: text - short: The human-readable name of the entity. + short: The name of the entity. description: > - The human-readable name of the entity. The keyword field enables exact matches for filtering + The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated - field sets (e.g., host), this field should mirror the corresponding *.name value. + field sets (e.g., user, host. etc.,), this field should mirror the corresponding *.name value. example: my-production-database, web-server-01, payment-processing-queue - name: entity.reference From 3fcc83a69d02fca5e501e4cb1d0754584e172843 Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 21:35:50 -0400 Subject: [PATCH 4/9] added link to stage 1 rfc pr and fixed some formatting issues --- rfcs/text/0049-entity-fields.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index 960cbe8ea6..325e0bdf0e 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -1,13 +1,14 @@ # 0049: Entity Field Set - Stage: **1 (draft)** -- Date: +- Date: An entity represents a discrete, identifiable component within an IT environment that can be described by a set of attributes and maintains its identity over time. Entities can be physical (like hosts or devices), logical (like containers or processes), or abstract (like applications or services). Currently, ECS provides specific field sets for certain categories of entities (e.g., host, user, cloud, orchestrator) to capture their metadata. However, as IT infrastructure continues to evolve, we encounter an increasing number of entity types that don't cleanly fit into existing field sets – for example, storage services like S3, database instances like DynamoDB, or various other cloud services and IT related infrastructure components (both digital and physical). This field set aims to solve several key challenges: + 1. Providing a flexible way to represent different types of entities without requiring new field sets for each category 2. Supporting a consistent structure for capturing entity metadata across different entity types 3. Enabling the representation of entities that don't fit into existing field sets @@ -62,6 +63,7 @@ TO DO ## Concerns ### Entity Type Governance + The `entity.type` field needs a controlled vocabulary to maintain consistency and interoperability. However, an overly restrictive list might limit the field set's utility for emerging technologies and use cases. **Potential solution:** Establish a governance process for `entity.type` values, including an initial set of well-defined types and a mechanism for proposing and reviewing new types. Document a clear taxonomy with examples to guide users in selecting appropriate types. @@ -70,13 +72,13 @@ The `entity.type` field needs a controlled vocabulary to maintain consistency an The following are the people that consulted on the contents of this RFC. -TO DO +TO DO ## References -TO DO +TO DO ### RFC Pull Requests -* Stage 0: https://github.com/elastic/ecs/pull/2434 -* Stage 1: TBD +- Stage 0: +- Stage 1: From 26cd0d8a7359d70bfcab216a967772a67c90c0bb Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 21:41:14 -0400 Subject: [PATCH 5/9] added author and sponsor info in people section --- rfcs/text/0049-entity-fields.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index 325e0bdf0e..5e1f36838e 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -24,7 +24,7 @@ This approach would allow ECS to accommodate new types of entities without requi | entity.source | keyword | The module or integration that provided this entity data (similar to event.module). | | entity.type | keyword | A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, etc. There will be an allowed set of values maintained for this field to ensure consistency. | | entity.sub_type | keyword | The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than entity.type. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to type `bucket`. | -| entity.name | keyword, text | The human-readable name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. | +| entity.name | keyword, text | The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. | | entity.reference | keyword | A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. | | entity.attributes.* | object | Normalized entity attributes using capitalized field names (e.g., `entity.attributes.StorageClass`, `entity.attributes.MfaEnabled`). Use this field set when you need specific data types, advanced search capabilities, or normalized values across different providers/sources. The capitalization pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. | | entity.raw.* | flattened | Original, unmodified fields from the source system stored in a flattened format that maintains basic searchability. While `entity.attributes` should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. Supports existence queries, exact value matches, and simple aggregations. | @@ -72,7 +72,8 @@ The `entity.type` field needs a controlled vocabulary to maintain consistency an The following are the people that consulted on the contents of this RFC. -TO DO +- Author: @tinnytintin10 +- Sponsor: @MikePaquette & @YulNaumenko ## References From f71cc784e02ca10bfb80eebe9d3a67edf5bd695f Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 22:18:24 -0400 Subject: [PATCH 6/9] update entity.id description --- rfcs/text/0049/entity.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml index a514449881..1d26ab9e55 100644 --- a/rfcs/text/0049/entity.yml +++ b/rfcs/text/0049/entity.yml @@ -24,8 +24,7 @@ fields: lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match - the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) - can be preserved in entity.raw. + the corresponding *.id field. If the entity has multiple identifiers, these alternative identifiers can be preserved in entity.raw. example: i-04ff5d36be3d6896c, arn:aws:s3:::my-bucket, projects/123456789/locations/us-central1/instances/my-db - name: entity.source From 4de79b0d743f41cdcae66bcae40ab9997548f74e Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 22:35:14 -0400 Subject: [PATCH 7/9] remove risk fields --- rfcs/text/0049-entity-fields.md | 6 ------ rfcs/text/0049/entity.yml | 13 +++---------- 2 files changed, 3 insertions(+), 16 deletions(-) diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index 5e1f36838e..2a0b091232 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -29,12 +29,6 @@ This approach would allow ECS to accommodate new types of entities without requi | entity.attributes.* | object | Normalized entity attributes using capitalized field names (e.g., `entity.attributes.StorageClass`, `entity.attributes.MfaEnabled`). Use this field set when you need specific data types, advanced search capabilities, or normalized values across different providers/sources. The capitalization pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. | | entity.raw.* | flattened | Original, unmodified fields from the source system stored in a flattened format that maintains basic searchability. While `entity.attributes` should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. Supports existence queries, exact value matches, and simple aggregations. | -The fields from the ECS [risk field set](https://www.elastic.co/guide/en/ecs/current/ecs-risk.html) can be nested under entity - -| Field | Type | Description | -|-------|------|-------------| -| entity.risk.* | * | Fields for describing risk score and risk level of entities such as hosts and users. | - When representing entities that correspond to existing ECS field sets (e.g., hosts, users, services, containers), the relevant ECS field set should be used to capture detailed metadata about that entity. For example: - Host entities should utilize the `host.*` field set to capture detailed host information diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml index 1d26ab9e55..79b36d8841 100644 --- a/rfcs/text/0049/entity.yml +++ b/rfcs/text/0049/entity.yml @@ -30,6 +30,8 @@ fields: - name: entity.source level: core type: keyword + normalize: + - array short: Source module or integration that provided the entity data. description: > The module or integration that provided this entity data (similar to event.module). @@ -102,13 +104,4 @@ fields: basic searchability. While entity.attributes should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities. Supports existence queries, exact value matches, and simple aggregations. - dynamic: true - - - name: entity.risk - level: extended - type: group - short: Fields for describing risk score and risk level of entities. - description: > - Fields for describing risk score and risk level of entities such as hosts and users. - These fields mirror the structure of the ECS risk field set but are nested under entity - to provide consistent risk assessments for all entity types. + dynamic: true \ No newline at end of file From fdf79d3ce9c457f83d113fafe0141961710732d4 Mon Sep 17 00:00:00 2001 From: Tinsae Erkailo Date: Sun, 20 Apr 2025 23:17:59 -0400 Subject: [PATCH 8/9] refine entity.type's description while we define allowed values --- rfcs/text/0049-entity-fields.md | 2 +- rfcs/text/0049/entity.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index 2a0b091232..0dd2a3dc34 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -22,7 +22,7 @@ This approach would allow ECS to accommodate new types of entities without requi |-------|------|-------------| | entity.id | keyword | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in entity.raw. | | entity.source | keyword | The module or integration that provided this entity data (similar to event.module). | -| entity.type | keyword | A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, etc. There will be an allowed set of values maintained for this field to ensure consistency. | +| entity.type | keyword | A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, etc. | | entity.sub_type | keyword | The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than entity.type. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to type `bucket`. | | entity.name | keyword, text | The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value. | | entity.reference | keyword | A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system. | diff --git a/rfcs/text/0049/entity.yml b/rfcs/text/0049/entity.yml index 79b36d8841..b4612b9fe1 100644 --- a/rfcs/text/0049/entity.yml +++ b/rfcs/text/0049/entity.yml @@ -45,8 +45,7 @@ fields: short: Standardized high-level classification of the entity. description: > A standardized high-level classification of the entity. This provides a normalized way - to group similar entities across different providers or systems. There will be an - allowed set of values maintained for this field to ensure consistency. + to group similar entities across different providers or systems. example: bucket, database, container, function, queue, host, user, loadbalancer - name: entity.sub_type From a1c87c4649f47e53ca1e25db5bf52a91aa54d760 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 23 Apr 2025 10:14:32 -0700 Subject: [PATCH 9/9] Update merge date on RFC --- rfcs/text/0049-entity-fields.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfcs/text/0049-entity-fields.md b/rfcs/text/0049-entity-fields.md index 0dd2a3dc34..9ce7ef4a5d 100644 --- a/rfcs/text/0049-entity-fields.md +++ b/rfcs/text/0049-entity-fields.md @@ -1,7 +1,7 @@ # 0049: Entity Field Set - Stage: **1 (draft)** -- Date: +- Date: 2025-04-23 An entity represents a discrete, identifiable component within an IT environment that can be described by a set of attributes and maintains its identity over time. Entities can be physical (like hosts or devices), logical (like containers or processes), or abstract (like applications or services).