Extend entity schema with relationship and risk #2577
- Removed the reusable section from the host schema for clarity.
- Added a new 'relationship' field to the entity schema to track varying attributes between entity types.
- Updated the risk schema to include 'entity' as an expected type.

These changes aim to improve the organization and functionality of the schemas for better data representation.

- Introduced the `entity.relationship` field to track relationship characteristics of entities for advanced searching and correlation.
- Enhanced risk fields with new properties: `calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, and `static_score_norm` to improve risk assessment capabilities.
- Updated documentation to reflect these changes across relevant ECS reference files.
Documentation changes preview: https://docs-v3-preview.elastic.dev/elastic/ecs/pull/2577/reference/
- Restore the reusable section for host.target that enables host.target.* fields
- Regenerate all artifacts including documentation, CSV, YAML, and Elasticsearch templates
| short: A set of relationship attributes that can vary between entity types. | ||
| description: > | ||
| The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types. | ||
| beta: This field is beta and subject to change. |
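Review bot: the description states that the structure of `entity.relationship` "may differ depending on the entity type" but the definition gives neither the keys a producer is expected to populate nor an example value; for an object-typed field whose content is otherwise unconstrained, add an `example:` and state which keys (or key patterns) are normalized, so consumers can build queries and correlations on known names rather than on arbitrary provider-specific ones.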
can you add examples?
How should this field be used by an external user? It's not clear what is inside. Is it any object, or is there some structure?
| expected: | ||
| - host | ||
| - user | ||
| - entity |
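Review bot: with `entity` added next to `host` and `user` under `expected`, a document describing a host can carry the same risk field set at both `host.risk.*` and `entity.risk.*`; the reuse definition should say whether both locations are populated with identical values or which one is authoritative, otherwise detection rules and risk-scoring pipelines that aggregate scores across locations can count one entity twice.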
How does this work if the entity is of type host? Will there be doubled information for risk?
1. What does this PR do?
- `entity.relationship` field (beta) to track relationship attributes (already part of entity store schema as of 9.2)
- `entity` added to the risk schema's reusable expected locations

2. Which ECS fields are affected/introduced?

New fields:

- `entity.relationship` (extended, object, beta) - A set of relationship attributes that can vary between entity types. Similar to `entity.attributes`, this field uses object type to allow flexible schema definitions.

Field reuse enabled:

- `entity.risk.*` - Risk fields can now be nested under entity (e.g., `entity.risk.calculated_score`, `entity.risk.calculated_level`, etc.)

Purpose:

- `entity.relationship` enables tracking relationship characteristics of entities for advanced searching and correlation across different providers/sources and entity types
- `entity.risk.*` allows risk scoring for any entity type, not just hosts and users

3. Why is this change necessary?
Entity relationship field:
Entity risk field reuse:
4. Have you added/updated documentation?
YES
5. Have you built ECS and committed any newly generated files?
YES
6. Have you run the ECS validation tests locally?
YES
7. Anything else for the reviewers?
Commit Message
Add entity.relationship field and enable risk field reuse for entity
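As an added example, not code from this PR or from ECS's own tooling: a check over an ECS-style document for the risk-field reuse enabled here, which surfaces the doubled-information case the reviewer asks about (one host carrying risk under both `host.risk.*` and `entity.risk.*` with differing values) and confirms that `entity.relationship` is an object. The sample document and its relationship keys are constructed; ECS defines no keys for that field.

```python
from typing import Any

# Risk fields named in the PR, reusable under host, user and (now) entity.
RISK_FIELDS = ("calculated_level", "calculated_score", "calculated_score_norm",
               "static_level", "static_score", "static_score_norm")
RISK_LOCATIONS = ("host", "user", "entity")  # the risk schema's 'expected' locations

def get_path(doc: dict, path: str) -> Any:
    """Walk a dotted ECS field path through nested dicts; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def risk_locations(doc: dict) -> list[str]:
    """Expected locations in which this document carries a risk object."""
    return [loc for loc in RISK_LOCATIONS if isinstance(get_path(doc, f"{loc}.risk"), dict)]

def risk_conflicts(doc: dict) -> list[tuple[str, dict[str, Any]]]:
    """Risk fields set in more than one location with differing values.

    A host that is also modelled as an entity may carry risk under both
    host.risk.* and entity.risk.*; a pipeline summing scores across locations
    would count it twice, and differing values hide which one is current.
    """
    conflicts = []
    for field in RISK_FIELDS:
        values = {loc: get_path(doc, f"{loc}.risk.{field}") for loc in risk_locations(doc)}
        present = {loc: v for loc, v in values.items() if v is not None}
        if len({repr(v) for v in present.values()}) > 1:
            conflicts.append((field, present))
    return conflicts

def relationship_is_object(doc: dict) -> bool:
    """entity.relationship is object-typed; a scalar there would be rejected by the mapping."""
    rel = get_path(doc, "entity.relationship")
    return rel is None or isinstance(rel, dict)

# Constructed sample: one host represented both as host.* and entity.*; the
# relationship keys are placeholders, the PR does not define any.
SAMPLE_DOC = {
    "entity": {"id": "host-01", "type": "host",
               "relationship": {"owner_id": "u-7", "parent_id": "cluster-a"},
               "risk": {"calculated_score": 72.5, "calculated_level": "High"}},
    "host": {"name": "host-01",
             "risk": {"calculated_score": 72.5, "calculated_level": "Moderate"}},
}
```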