Update entities schema to support integrations data#262242
uri-weisman merged 20 commits into elastic:main from
…hub.com/uri-weisman/kibana into feat/entity-store-ecs-relationship-bags
Thanks Uri
@coderabbitai full review

✅ Actions performed: Full review triggered.
@niros1 The Integration log will look as follows (integrations are less likely to populate
```ts
  return `${col} = COALESCE(\`entity.relationships.resolution.resolved_to\`, [""])`;
}
```

```ts
  return `${col} = COALESCE(\`entity.relationships.${field}.ids\`, [""])`;
```
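Review bot: the `${field}.ids` branch assumes every non-resolution relationship is already mapped as an object with an `ids` subfield, so the generated ES|QL hard-fails on an entity-store index created before this schema change instead of degrading to the old flat field; the error quoted later in this thread (`Unknown column [entity.relationships.accesses_frequently.ids], did you mean any of [entity.relationships.accesses_frequently, ...]`) is exactly that case, and it takes the graph down with it. Gate the `.ids` column on the engine/index schema version, or make sure the store migration updates the mapping before the query builder switches to `entity.relationships.${field}.ids`.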
Is graph ok with having correlations for id only?
For my understanding, that was the format before the change, but it was directly under the {field}.
@kfirpeled ?
The graph works with ids only
In order to correlate between entities and events we pull relevant data per node, and based on the engine metadata we build the filters using the DSL functions.
it is now in review: #261420
/ci
kfirpeled left a comment
Checked on existing environment
The graph fails to load due to this change
Tried to "clear all data" from entity store. But now entity store cannot recover due to another issue.
Providing here the error message from the API
Error log:

```json
"message": "verification_exception: Found 7 problems\nline 3:49: Unknown column [entity.relationships.accesses_frequently.ids], did you mean any of [entity.relationships.accesses_frequently, entity.relationships.accesses_infrequently, entity.relationships.owns_inferred, entity.relationships.supervises, entity.relationships.depends_on, entity.relationships.communicates_with, entity.relationships.resolution.resolved_to, entity.relationships.owns]?\nline 4:51: Unknown column [entity.relationships.accesses_infrequently.ids], did you mean any of [entity.relationships.accesses_infrequently, entity.relationships.accesses_frequently, entity.relationships.owns_inferred, entity.relationships.resolution.resolved_to, entity.relationships.communicates_with, entity.relationships.supervises, entity.relationships.depends_on, entity.relationships.resolution.risk.calculated_score, entity.relationships.owns]?\nline 5:47: Unknown column [entity.relationships.communicates_with.ids], did you mean any of [entity.relationships.communicates_with, entity.relationships.owns_inferred, entity.relationships.supervises, entity.relationships.owns, entity.relationships.depends_on, entity.relationships.resolution.resolved_to, entity.relationships.accesses_frequently, entity.relationships.accesses_infrequently, entity.relationships.resolution.risk.calculated_score_norm]?\nline 6:40: Unknown column [entity.relationships.depends_on.ids], did you mean any of [entity.relationships.depends_on, entity.relationships.supervises, entity.relationships.owns, entity.relationships.owns_inferred, entity.relationships.communicates_with, entity.relationships.resolution.resolved_to, entity.relationships.accesses_frequently, entity.relationships.accesses_infrequently, entity.relationships.resolution.risk.calculated_score, entity.relationships.resolution.risk.calculated_level]?\nline 7:34: Unknown column [entity.relationships.owns.ids], did you mean any of [entity.relationships.owns, entity.relationships.owns_inferred, entity.relationships.supervises, entity.relationships.depends_on, entity.relationships.communicates_with, entity.relationships.resolution.resolved_to, entity.relationships.accesses_frequently, entity.relationships.accesses_infrequently, entity.relationships.resolution.risk.calculated_score]?\nline 8:43: Unknown column [entity.relationships.owns_inferred.ids], did you mean any of [entity.relationships.owns_inferred, entity.relationships.owns, entity.relationships.supervises, entity.relationships.accesses_infrequently, entity.relationships.communicates_with, entity.relationships.depends_on, entity.relationships.accesses_frequently, entity.relationships.resolution.resolved_to]?\nline 10:40: Unknown column [entity.relationships.supervises.ids], did you mean any of [entity.relationships.supervises, entity.relationships.depends_on, entity.relationships.communicates_with, entity.relationships.owns_inferred, entity.relationships.owns, entity.relationships.resolution.resolved_to, entity.relationships.accesses_frequently, entity.relationships.accesses_infrequently, entity.relationships.resolution.risk.calculated_score]?"
```
/ci

/ci
💛 Build succeeded, but was flaky
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/24354816960
(cherry picked from commit 1270467)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation

…262856)

# Backport

This will backport the following commits from `main` to `9.4`:
- [Update entities schema to support integrations data (#262242)](#262242)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Backport metadata (from the hidden BACKPORT comment on the page): source commit 1270467a2b81d39d05db63cf527ae7a6c7322c76 on `main`, committed 2026-04-13T16:33:21Z, source PR labels release_note:skip, ci:build-serverless-image, backport:version, v9.4.0, v9.5.0; target branch 9.4.

Co-authored-by: Uri Weisman <68195305+uri-weisman@users.noreply.github.com>
Tracks the changes needed in communicates_with and accesses maintainers to align with the EntityRelationship schema introduced in elastic#262242. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Summary
Update entities schema to align with the populated integrations data.
related:
Summary
Refines how relationship fields from logs are materialized on entity documents in the entity store v2 index: each relationship besides `resolution` (e.g. `owns`, `supervises`) is now an object of `{ raw_identifiers, ids }`.

We introduce a data structure that allows integrations and entity maintainers to populate as many identifiers as possible; in the future it will give us the ability to run a maintainer on entity store indices and find a correlation to those identifiers.

What changed:
- For each supported relationship, we collect identifier fields into `entity.relationships.<relationship>.raw_identifiers.*`.
- `entity.relationships.<relationship>.ids` should represent EUIDs (will be updated by entity maintainers).

Integration data (source) example:

Stored shape in `.entities.v2` without post-processing:

Stored shape in `.entities.v2` after post-processing:

Values in `raw_identifiers` and `ids` are aggregated over time per entity-store rules (collect / dedupe), so the index may show more than a single event contributed.
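As an added example (not Kibana's code and not part of this PR), the shape described in the summary modelled in TypeScript: integration events contribute identifier fields into `raw_identifiers` with collect/dedupe semantics, a later maintainer pass resolves those identifiers into `ids`, and the ES|QL column expression from the review snippet picks `resolved_to` for `resolution` and `.ids` for everything else. The relationship names, identifier field names, the EUID lookup table and the sample events are constructed assumptions, not the project's real field list or resolution logic.

```typescript
// Added example, not Kibana's own code: a model of how relationship fields from
// integration events are materialized on an entity-store document as
// { raw_identifiers, ids } and merged over time with collect/dedupe semantics.
// Relationship names, identifier field names, the EUID lookup and the sample
// events below are constructed for illustration.

type RawIdentifiers = Record<string, string[]>;

interface RelationshipBag {
  raw_identifiers: RawIdentifiers; // identifier values seen in the source, per field
  ids: string[];                   // EUIDs, empty until a maintainer resolves them
}

type Relationship = 'owns' | 'supervises' | 'communicates_with'; // assumed subset

// Constructed integration event: which relationship it describes and the flat
// identifier fields the integration managed to populate.
interface SourceEvent {
  relationship: Relationship;
  identifiers: Record<string, string | undefined>;
}

// Collect/dedupe: keep first-seen order, never store the same value twice.
function dedupeConcat(existing: string[], incoming: string[]): string[] {
  const out = existing.slice();
  for (const v of incoming) {
    if (out.indexOf(v) === -1) out.push(v);
  }
  return out;
}

// Merge one event into the stored document (no post-processing):
// only raw_identifiers grow; ids are left untouched.
function mergeEvent(doc: Record<string, RelationshipBag>, ev: SourceEvent): void {
  const bag = doc[ev.relationship] || { raw_identifiers: {}, ids: [] };
  for (const field of Object.keys(ev.identifiers)) {
    const value = ev.identifiers[field];
    if (value === undefined || value === '') continue; // missing/empty is not an identifier
    bag.raw_identifiers[field] = dedupeConcat(bag.raw_identifiers[field] || [], [value]);
  }
  doc[ev.relationship] = bag;
}

function materialize(events: SourceEvent[]): Record<string, RelationshipBag> {
  const doc: Record<string, RelationshipBag> = {};
  for (const ev of events) mergeEvent(doc, ev);
  return doc;
}

// Maintainer step (assumed shape): resolve raw identifiers to EUIDs through a
// lookup keyed "field:value" and fold hits into ids with the same dedupe rule.
function resolveIds(bag: RelationshipBag, lookup: Record<string, string>): RelationshipBag {
  let ids = bag.ids;
  for (const field of Object.keys(bag.raw_identifiers)) {
    for (const v of bag.raw_identifiers[field]) {
      const euid = lookup[`${field}:${v}`];
      if (euid !== undefined) ids = dedupeConcat(ids, [euid]);
    }
  }
  return { raw_identifiers: bag.raw_identifiers, ids };
}

function postProcess(
  doc: Record<string, RelationshipBag>,
  lookup: Record<string, string>
): Record<string, RelationshipBag> {
  const out: Record<string, RelationshipBag> = {};
  for (const rel of Object.keys(doc)) out[rel] = resolveIds(doc[rel], lookup);
  return out;
}

// ES|QL column expression as in the review snippet: resolution keeps
// resolved_to, every other relationship reads its ids array.
function relationshipColumn(col: string, field: string): string {
  return field === 'resolution'
    ? `${col} = COALESCE(\`entity.relationships.resolution.resolved_to\`, [""])`
    : `${col} = COALESCE(\`entity.relationships.${field}.ids\`, [""])`;
}

// Constructed sample input: three HR-style events plus one host event.
const SAMPLE_EVENTS: SourceEvent[] = [
  { relationship: 'supervises', identifiers: { 'user.name': 'bob', 'user.email': 'bob@example.test' } },
  { relationship: 'supervises', identifiers: { 'user.name': 'carol' } },
  { relationship: 'supervises', identifiers: { 'user.name': 'bob' } },          // repeat: deduped
  { relationship: 'owns', identifiers: { 'host.name': 'web-01', 'host.id': '' } }, // empty: skipped
];

// Constructed EUID lookup: two identifiers pointing at the same entity.
const KNOWN_EUIDS: Record<string, string> = {
  'user.name:bob': 'euid-bob',
  'user.email:bob@example.test': 'euid-bob',
  'user.name:carol': 'euid-carol',
};

const storedShape = materialize(SAMPLE_EVENTS);
const postProcessedShape = postProcess(storedShape, KNOWN_EUIDS);
console.log(JSON.stringify({ before: storedShape, after: postProcessedShape }, null, 2));
```

Running it prints the "without post-processing" document (only `raw_identifiers` filled, `ids` empty) next to the "after post-processing" one, where `supervises.ids` collapses bob's two identifiers into a single EUID and `owns.ids` stays empty because nothing resolves `host.name:web-01`.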