[RFC] Advance Entity Field Set to Stage 1 #2461
Merged
10 commits
670f145 add stage 1 readme updates and entity.yml (tinnytintin10)
e0994c1 update entity.url to entity.reference (tinnytintin10)
374ca05 update entity.name description (tinnytintin10)
3fcc83a added link to stage 1 rfc pr and fixed some formatting issues (tinnytintin10)
26cd0d8 added author and sponsor info in people section (tinnytintin10)
f71cc78 update entity.id description (tinnytintin10)
4de79b0 remove risk fields (tinnytintin10)
fdf79d3 refine entity.type's description while we define allowed values (tinnytintin10)
425b4f0 Merge remote-tracking branch 'upstream/main' into add-entity-fields-s… (mjwolf)
a1c87c4 Update merge date on RFC (mjwolf)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| --- | ||
| # Entity field set schema definition | ||
| name: entity | ||
| title: Entity | ||
| group: 2 | ||
| type: group | ||
| short: Fields to describe various types of entities across IT environments. | ||
| description: > | ||
| The entity fields provide a standardized way to represent and categorize | ||
| different types of components within an IT environment, including those | ||
| that don't have dedicated field sets in ECS. An entity represents a discrete, | ||
| identifiable component that can be described by a set of attributes and | ||
| maintains its identity over time. | ||
| root: true | ||
| fields: | ||
| - name: entity.id | ||
| level: core | ||
| type: keyword | ||
| short: Unique identifier for the entity. | ||
| description: > | ||
| A unique identifier for the entity. When multiple identifiers exist, this should be | ||
| the most stable and commonly used identifier that: 1) persists across the entity's | ||
| lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries | ||
| and correlation, and 4) is readily available in most observations (logs/events). | ||
| For entities with dedicated field sets (e.g., host, user), this value should match | ||
| the corresponding *.id field. If the entity has multiple identifiers, these alternative identifiers can be preserved in entity.raw. | ||
| example: i-04ff5d36be3d6896c, arn:aws:s3:::my-bucket, projects/123456789/locations/us-central1/instances/my-db | ||
| - name: entity.source | ||
| level: core | ||
| type: keyword | ||
| normalize: | ||
| - array | ||
| short: Source module or integration that provided the entity data. | ||
| description: > | ||
| The module or integration that provided this entity data (similar to event.module). | ||
| This helps identify the origin of the entity information and aids in troubleshooting | ||
| or validating data quality. | ||
| example: aws, azure, gcp, kubernetes, cloudflare | ||
| - name: entity.type | ||
| level: core | ||
| type: keyword | ||
| short: Standardized high-level classification of the entity. | ||
| description: > | ||
| A standardized high-level classification of the entity. This provides a normalized way | ||
| to group similar entities across different providers or systems. | ||
| example: bucket, database, container, function, queue, host, user, loadbalancer | ||
| - name: entity.sub_type | ||
| level: extended | ||
| type: keyword | ||
| short: The specific type designation for the entity as defined by its provider or system. | ||
| description: > | ||
| The specific type designation for the entity as defined by its provider or system. This field | ||
| provides more granular classification than entity.type. While entity.type provides a normalized | ||
| classification across different systems, entity.sub_type preserves the provider-specific | ||
| categorization. | ||
| example: aws_s3_bucket, gcp_cloud_storage_bucket, azure_blob_container, aws_lambda_function | ||
| - name: entity.name | ||
| level: core | ||
| type: keyword | ||
| multi_fields: | ||
| - name: text | ||
| type: text | ||
| short: The name of the entity. | ||
| description: > | ||
| The name of the entity. The keyword field enables exact matches for filtering | ||
| and aggregations, while the text field enables full-text search. For entities with dedicated | ||
| field sets (e.g., user, host. etc.,), this field should mirror the corresponding *.name value. | ||
| example: my-production-database, web-server-01, payment-processing-queue | ||
| - name: entity.reference | ||
| level: extended | ||
| type: keyword | ||
| short: A URI, URL, or other direct reference to access or locate the entity. | ||
| description: > | ||
| A URI, URL, or other direct reference to access or locate the entity in its source system. | ||
| This could be an API endpoint, web console URL, or other addressable location. Format may | ||
| vary by entity type and source system. | ||
| example: https://console.aws.amazon.com/s3/buckets/my-bucket/, https://us-central1-myproject.cloudfunctions.net/processPayment | ||
| - name: entity.attributes | ||
| level: extended | ||
| type: object | ||
| object_type: keyword | ||
| short: Normalized entity attributes with specific data types. | ||
| description: > | ||
| Normalized entity attributes using capitalized field names (e.g., entity.attributes.StorageClass, | ||
| entity.attributes.MfaEnabled). Use this field set when you need specific data types, advanced | ||
| search capabilities, or normalized values across different providers/sources. The capitalization | ||
| pattern indicates these are entity-specific fields that won't be enumerated in the ECS schema. | ||
| dynamic: true | ||
| - name: entity.raw | ||
| level: extended | ||
| type: flattened | ||
| short: Original, unmodified fields from the source system. | ||
| description: > | ||
| Original, unmodified fields from the source system stored in a flattened format that maintains | ||
| basic searchability. While entity.attributes should be used for normalized fields requiring | ||
| advanced queries, this field preserves all source metadata with basic search capabilities. | ||
| Supports existence queries, exact value matches, and simple aggregations. | ||
| dynamic: true | ||
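Review bot: entity.raw is declared `type: flattened` with `dynamic: true` and is described as preserving "all source metadata" in "original, unmodified" form, and entity.attributes is likewise `dynamic: true`, yet neither description says anything about source fields that may carry secrets (credentials, tokens, connection strings) or about bounding the set of dynamic keys. Suggest adding to the entity.raw description that sensitive source fields must be redacted or dropped before being copied, since a flattened field is indexed and searchable, and adding to the entity.attributes description that dynamic keys should come from a known per-provider set so the mapping does not grow without limit. Minor: the entity.name description reads "(e.g., user, host. etc.,)"; it should read "(e.g., user, host, etc.)".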