From cc698822ffa47ae3de2b5fc83c1d41c478db3dc0 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Tue, 7 Oct 2025 12:57:39 -0700 Subject: [PATCH 1/3] Change entity multi_field text type to match_only_text (#2547) Change the field type for multi_field values in entity from text to match_only_text. This change will match the multi_field type used for other similar fields in other schema files, and will match the expected dynamic value in ecs@mappings. --- docs/reference/ecs-entity.md | 4 +- experimental/generated/beats/fields.ecs.yml | 24 ++---- experimental/generated/csv/fields.csv | 16 ++-- experimental/generated/ecs/ecs_flat.yml | 24 ++---- experimental/generated/ecs/ecs_nested.yml | 24 ++---- .../composable/component/cloud.json | 6 +- .../composable/component/host.json | 6 +- .../composable/component/service.json | 6 +- .../composable/component/user.json | 6 +- .../elasticsearch/legacy/template.json | 24 ++---- generated/beats/fields.ecs.yml | 24 ++---- generated/csv/fields.csv | 16 ++-- generated/ecs/ecs_flat.yml | 24 ++---- generated/ecs/ecs_nested.yml | 24 ++---- .../composable/component/cloud.json | 6 +- .../composable/component/entity.json | 74 ------------------- .../composable/component/host.json | 6 +- .../composable/component/service.json | 6 +- .../composable/component/user.json | 6 +- generated/elasticsearch/legacy/template.json | 24 ++---- schemas/entity.yml | 4 +- 21 files changed, 100 insertions(+), 254 deletions(-) delete mode 100644 generated/elasticsearch/composable/component/entity.json diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index 867fbbf47c..aca767a2e7 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md 
@@ -17,12 +17,12 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: text) | extended | +| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: match_only_text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | | $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended | -| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: text) | core | +| $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 850dee4b22..80a915f209 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -711,8 +711,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -756,8 +755,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -3943,8 +3941,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -3988,8 +3985,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -9211,8 +9207,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). 
@@ -9256,8 +9251,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -14170,8 +14164,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -14215,8 +14208,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 1b8b36ca20..43ea889466 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -82,13 +82,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,cloud,cloud.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0+exp,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -483,13 +483,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,host,host.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,host,host.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0+exp,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1169,13 +1169,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,service,service.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,service,service.target.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0+exp,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1823,13 +1823,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0+exp,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0+exp,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0+exp,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,user,user.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0+exp,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0+exp,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0+exp,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0+exp,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0+exp,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.2.0+exp,true,user,user.target.entity.name.text,text,core,,,The name of the entity. +9.2.0+exp,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0+exp,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0+exp,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0+exp,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 26ec63e227..827e92951b 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1033,8 +1033,7 @@ cloud.target.entity.display_name: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1108,8 +1107,7 @@ cloud.target.entity.name: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -6813,8 +6811,7 @@ host.entity.display_name: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -6888,8 +6885,7 @@ host.entity.name: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -15463,8 +15459,7 @@ service.target.entity.display_name: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -15538,8 +15533,7 @@ service.target.entity.name: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -23904,8 +23898,7 @@ user.target.entity.display_name: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -23979,8 +23972,7 @@ user.target.entity.name: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d691da32fe..c2793b1803 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1235,8 +1235,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1312,8 +1311,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -8311,8 +8309,7 @@ host: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -8388,8 +8385,7 @@ host: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -18179,8 +18175,7 @@ service: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -18256,8 +18251,7 @@ service: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -26858,8 +26852,7 @@ user: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity 
@@ -26935,8 +26928,7 @@ user: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/experimental/generated/elasticsearch/composable/component/cloud.json b/experimental/generated/elasticsearch/composable/component/cloud.json index 4e62ad39c6..e4aa87ecda 100644 --- a/experimental/generated/elasticsearch/composable/component/cloud.json +++ b/experimental/generated/elasticsearch/composable/component/cloud.json @@ -169,8 +169,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -192,8 +191,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/host.json b/experimental/generated/elasticsearch/composable/component/host.json index cc0632b020..e3df6a4a1e 100644 --- a/experimental/generated/elasticsearch/composable/component/host.json +++ b/experimental/generated/elasticsearch/composable/component/host.json @@ -61,8 +61,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -84,8 +83,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/service.json b/experimental/generated/elasticsearch/composable/component/service.json index 7d62ae4d18..d8e0981798 100644 --- a/experimental/generated/elasticsearch/composable/component/service.json +++ b/experimental/generated/elasticsearch/composable/component/service.json @@ -119,8 +119,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -142,8 +141,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/user.json b/experimental/generated/elasticsearch/composable/component/user.json index 9ab70585a5..df004c6410 100644 --- a/experimental/generated/elasticsearch/composable/component/user.json +++ b/experimental/generated/elasticsearch/composable/component/user.json @@ -226,8 +226,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -249,8 +248,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index f6b90cf0f8..30a0432658 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -435,8 +435,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -458,8 +457,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2261,8 +2259,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2284,8 +2281,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5374,8 +5370,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5397,8 +5392,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -8224,8 +8218,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8247,8 +8240,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index eea904bd5d..3511b48bd6 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -661,8 +661,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -706,8 +705,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -3893,8 +3891,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -3938,8 +3935,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors 
@@ -9161,8 +9157,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -9206,8 +9201,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors @@ -14120,8 +14114,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). @@ -14165,8 +14158,7 @@ ignore_above: 1024 multi_fields: - name: text - type: text - norms: false + type: match_only_text description: The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index eacbbd541b..31c2aabbe6 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -75,13 +75,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,cloud,cloud.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,cloud,cloud.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,cloud,cloud.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,cloud,cloud.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,cloud,cloud.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,cloud,cloud.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,cloud,cloud.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,cloud,cloud.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,cloud,cloud.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,cloud,cloud.target.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,cloud,cloud.target.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,cloud,cloud.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,cloud,cloud.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,cloud,cloud.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0,true,cloud,cloud.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -476,13 +476,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,host,host.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,host,host.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,host,host.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,host,host.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,host,host.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,host,host.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,host,host.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,host,host.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,host,host.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,host,host.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,host,host.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,host,host.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,host,host.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,host,host.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0,true,host,host.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1162,13 +1162,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,service,service.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,service,service.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,service,service.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,service,service.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,service,service.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,service,service.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,service,service.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,service,service.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,service,service.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,service,service.target.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,service,service.target.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,service,service.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,service,service.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,service,service.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 
9.2.0,true,service,service.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
@@ -1816,13 +1816,13 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. 9.2.0,true,user,user.target.entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." 9.2.0,true,user,user.target.entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. -9.2.0,true,user,user.target.entity.display_name.text,text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,user,user.target.entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. 9.2.0,true,user,user.target.entity.id,keyword,core,,,Unique identifier for the entity. 9.2.0,true,user,user.target.entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" 9.2.0,true,user,user.target.entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. 9.2.0,true,user,user.target.entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. 9.2.0,true,user,user.target.entity.name,keyword,core,,,The name of the entity. -9.2.0,true,user,user.target.entity.name.text,text,core,,,The name of the entity. +9.2.0,true,user,user.target.entity.name.text,match_only_text,core,,,The name of the entity. 9.2.0,true,user,user.target.entity.raw,object,extended,,,"Original, unmodified fields from the source system." 9.2.0,true,user,user.target.entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." 9.2.0,true,user,user.target.entity.source,keyword,core,,,Source module or integration that provided the entity data. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 68c3dd6471..bde05e89b4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -964,8 +964,7 @@ cloud.target.entity.display_name: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1039,8 +1038,7 @@ cloud.target.entity.name: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -6744,8 +6742,7 @@ host.entity.display_name: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -6819,8 +6816,7 @@ host.entity.name: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -15394,8 +15390,7 @@ service.target.entity.display_name: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -15469,8 +15464,7 @@ service.target.entity.name: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -23835,8 +23829,7 @@ user.target.entity.display_name: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -23910,8 +23903,7 @@ user.target.entity.name: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity 
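Review bot: The switch from `type: text` to `type: match_only_text` on the `*.entity.name.text` and `*.entity.display_name.text` multi-fields changes query behaviour, and the patch carries no changelog entry for it. match_only_text does no relevance scoring and runs phrase and other position-dependent queries more slowly, so saved searches or detection rules that rank or phrase-match on these fields will behave differently once the new mapping is in use. Dropping `norms: false` in the same hunks is consistent, since the new type has no norms to disable. Suggest adding a changelog line that names the eight affected fields (name.text and display_name.text under cloud.target.entity, host.entity, service.target.entity and user.target.entity).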
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 749922c0a1..f305cd5fd2 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1155,8 +1155,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -1232,8 +1231,7 @@ cloud: multi_fields: - flat_name: cloud.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -8231,8 +8229,7 @@ host: multi_fields: - flat_name: host.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -8308,8 +8305,7 @@ host: multi_fields: - flat_name: host.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -18099,8 +18095,7 @@ service: multi_fields: - flat_name: service.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -18176,8 +18171,7 @@ service: multi_fields: - flat_name: service.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity @@ -26778,8 +26772,7 @@ user: multi_fields: - flat_name: user.target.entity.display_name.text name: text - norms: false - type: text + type: match_only_text name: display_name normalize: [] original_fieldset: entity @@ -26855,8 +26848,7 @@ user: multi_fields: - flat_name: user.target.entity.name.text name: text - norms: false - type: text + type: match_only_text name: name normalize: [] original_fieldset: entity diff --git a/generated/elasticsearch/composable/component/cloud.json b/generated/elasticsearch/composable/component/cloud.json index 488968e702..dddd1c8f7a 100644 
--- a/generated/elasticsearch/composable/component/cloud.json +++ b/generated/elasticsearch/composable/component/cloud.json @@ -169,8 +169,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -192,8 +191,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json deleted file mode 100644 index e1ff7943b9..0000000000 --- a/generated/elasticsearch/composable/component/entity.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", - "ecs_version": "9.3.0-dev" - }, - "template": { - "mappings": { - "properties": { - "entity": { - "properties": { - "attributes": { - "type": "object" - }, - "behavior": { - "type": "object" - }, - "display_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_timestamp": { - "type": "date" - }, - "lifecycle": { - "type": "object" - }, - "metrics": { - "type": "object" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "type": "object" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/generated/elasticsearch/composable/component/host.json b/generated/elasticsearch/composable/component/host.json index ef3dfcb66f..45057bc60d 100644 --- a/generated/elasticsearch/composable/component/host.json 
+++ b/generated/elasticsearch/composable/component/host.json @@ -61,8 +61,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -84,8 +83,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/service.json b/generated/elasticsearch/composable/component/service.json index a25eabd531..5c37290bc3 100644 --- a/generated/elasticsearch/composable/component/service.json +++ b/generated/elasticsearch/composable/component/service.json @@ -119,8 +119,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -142,8 +141,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/user.json b/generated/elasticsearch/composable/component/user.json index 9ec52e2ef7..d6c66ec1fd 100644 --- a/generated/elasticsearch/composable/component/user.json +++ b/generated/elasticsearch/composable/component/user.json @@ -226,8 +226,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -249,8 +248,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 8d7954cb03..a520c57cfc 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -393,8 +393,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, 
@@ -416,8 +415,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2219,8 +2217,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -2242,8 +2239,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5332,8 +5328,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -5355,8 +5350,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8182,8 +8176,7 @@ "display_name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, @@ -8205,8 +8198,7 @@ "name": { "fields": { "text": { - "norms": false, - "type": "text" + "type": "match_only_text" } }, "ignore_above": 1024, diff --git a/schemas/entity.yml b/schemas/entity.yml index bec8b47aa9..9d7326c85e 100644 --- a/schemas/entity.yml +++ b/schemas/entity.yml @@ -36,7 +36,7 @@ type: keyword multi_fields: - name: text - type: text + type: match_only_text short: The name of the entity. description: > The name of the entity. The keyword field enables exact matches for filtering @@ -122,7 +122,7 @@ type: keyword multi_fields: - name: text - type: text + type: match_only_text short: An optional field used when a pretty name is desired for entity-centric operations. description: > An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`). From 87ce83c1bb1be02d8834bfae7a557e0d206964ce Mon Sep 17 00:00:00 2001 
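Review bot: The deletion of generated/elasticsearch/composable/component/entity.json in this patch is unrelated to the text to match_only_text change and is not explained. The sibling component files (cloud.json, host.json, service.json, user.json) are only edited, while this one is removed outright. The removed file carries "ecs_version": "9.3.0-dev" whereas the CSV rows in the same patch are stamped 9.2.0, which suggests it was a leftover from a different generator run rather than output of this branch. If dropping the top-level entity component template is intended, say so in the commit message; if it is not, regenerate the file with the new multi-field type instead of deleting it.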
From: Michael Wolf Date: Thu, 9 Oct 2025 12:20:24 -0700 Subject: [PATCH 2/3] Fix entity generation (#2548) Correctly add top-level entity fields to the generated files. This also updates the make clean command to clean generated doc files. --- Makefile | 11 +- docs/reference/ecs-entity.md | 7 +- docs/reference/ecs-field-reference.md | 1 + docs/reference/ecs-otel-alignment-overview.md | 1 + experimental/generated/beats/fields.ecs.yml | 129 +++++++++ experimental/generated/csv/fields.csv | 15 + experimental/generated/ecs/ecs_flat.yml | 235 +++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 271 ++++++++++++++++++ .../composable/component/entity.json | 72 +++++ .../elasticsearch/composable/template.json | 1 + .../elasticsearch/legacy/template.json | 60 ++++ generated/beats/fields.ecs.yml | 129 +++++++++ generated/csv/fields.csv | 15 + generated/ecs/ecs_flat.yml | 235 +++++++++++++++ generated/ecs/ecs_nested.yml | 271 ++++++++++++++++++ .../composable/component/entity.json | 72 +++++ .../elasticsearch/composable/template.json | 1 + generated/elasticsearch/legacy/template.json | 60 ++++ schemas/subsets/main.yml | 2 + 19 files changed, 1584 insertions(+), 4 deletions(-) create mode 100644 experimental/generated/elasticsearch/composable/component/entity.json create mode 100644 generated/elasticsearch/composable/component/entity.json diff --git a/Makefile b/Makefile index 171a965611..41532bb296 100644 --- a/Makefile +++ b/Makefile 
@@ -40,6 +40,15 @@ check_license_headers: .PHONY: clean clean: rm -rf build generated/elasticsearch/composable/component experimental/generated/elasticsearch/composable/component + # Clean generated documentation files + @echo "Removing generated documentation files..." + @rm -f docs/reference/index.md docs/reference/ecs-field-reference.md docs/reference/ecs-otel-alignment-details.md docs/reference/ecs-otel-alignment-overview.md + @for schema in $$(ls schemas/*.yml 2>/dev/null | sed 's/schemas\///' | sed 's/\.yml$$//'); do \ + if [ -f "docs/reference/ecs-$$schema.md" ]; then \ + echo "Removing docs/reference/ecs-$$schema.md"; \ + rm -f "docs/reference/ecs-$$schema.md"; \ + fi; \ + done # Build and serve the docs .PHONY: docs @@ -107,7 +116,7 @@ generate: generator # Run the new generator .PHONY: generator generator: ve - $(PYTHON) scripts/generator.py --strict --include "${INCLUDE}" --subset "${SUBSETS_DIR}" --semconv-version "${SEMCONV_VERSION}" --force-docs + $(PYTHON) scripts/generator.py --strict $(if $(INCLUDE),--include "$(INCLUDE)") --subset "${SUBSETS_DIR}" --semconv-version "${SEMCONV_VERSION}" --force-docs # Check Makefile format. .PHONY: makelint diff --git a/docs/reference/ecs-entity.md b/docs/reference/ecs-entity.md index aca767a2e7..4782b6b6a3 100644 --- a/docs/reference/ecs-entity.md +++ b/docs/reference/ecs-entity.md @@ -17,16 +17,17 @@ The entity fields provide a standardized way to represent and categorize differe | --- | --- | --- | | $$$field-entity-attributes$$$ [entity.attributes](#field-entity-attributes) | _This field is beta and subject to change._ A set of static or semi-static attributes of the entity. Usually boolean or keyword field data types. Use this field set when you need to track static or semi-static characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-behavior$$$ [entity.behavior](#field-entity-behavior) | _This field is beta and subject to change._ A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period. Usually boolean field data type. Use this field set when you need to capture and track ephemeral characteristics of an entity for advanced searching, correlation of normalized values across different providers/sources and entity types.

type: object | extended | -| $$$field-entity-display_name$$$ [entity.display_name](#field-entity-display_name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: match_only_text) | extended | +| $$$field-entity-display-name$$$ [entity.display_name](#field-entity-display-name) | _This field is beta and subject to change._ An optional field used when a pretty name is desired for entity-centric operations. This field should not be used for correlation with `*.name` fields for entities with dedicated field sets (e.g., `host`).

type: keyword

Multi-fields:

* entity.display_name.text (type: match_only_text) | extended | | $$$field-entity-id$$$ [entity.id](#field-entity-id) | A unique identifier for the entity. When multiple identifiers exist, this should be the most stable and commonly used identifier that: 1) persists across the entity's lifecycle, 2) ensures uniqueness within its scope, 3) is commonly used for queries and correlation, and 4) is readily available in most observations (logs/events). For entities with dedicated field sets (e.g., host, user), this value should match the corresponding *.id field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.

type: keyword | core | -| $$$field-entity-last_seen_timestamp$$$ [entity.last_seen_timestamp](#field-entity-last_seen_timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | +| $$$field-entity-last-seen-timestamp$$$ [entity.last_seen_timestamp](#field-entity-last-seen-timestamp) | _This field is beta and subject to change._ Indicates the date/time when this entity was last "seen," usually based upon the last event/log that is initiated by this entity.

type: date | extended | | $$$field-entity-lifecycle$$$ [entity.lifecycle](#field-entity-lifecycle) | _This field is beta and subject to change._ A set of temporal characteristics of the entity. Usually date field data type. Use this field set when you need to track temporal characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.

type: object | extended | | $$$field-entity-metrics$$$ [entity.metrics](#field-entity-metrics) | _This field is beta and subject to change._ Field set for any fields containing numeric entity metrics. These use dynamic field data type mapping.

type: object | extended | | $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.

type: keyword

Multi-fields:

* entity.name.text (type: match_only_text) | core | | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.

type: object | extended | | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.

type: keyword | extended | | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).

type: keyword | core | -| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

example: `host` | core | +| $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`. `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.

type: keyword

example: `aws_s3_bucket` | extended | +| $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.

type: keyword

Note: This field should contain an array of values.

**Important:** The field value must be one of the following:

bucket, database, container, function, queue, host, user, application, service, session

To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)
| core | ## Field reuse [_field_reuse] diff --git a/docs/reference/ecs-field-reference.md b/docs/reference/ecs-field-reference.md index 663bd625e7..ed7c7c9973 100644 --- a/docs/reference/ecs-field-reference.md +++ b/docs/reference/ecs-field-reference.md @@ -38,6 +38,7 @@ For a single page representation of all fields, please see the [generated CSV of | [ECS](/reference/ecs-ecs.md) | Meta-information specific to ECS. | | [ELF Header](/reference/ecs-elf.md) | These fields contain Linux Executable Linkable Format (ELF) metadata. | | [Email](/reference/ecs-email.md) | Describes an email transaction. | +| [Entity](/reference/ecs-entity.md) | Fields to describe various types of entities across IT environments. | | [Error](/reference/ecs-error.md) | Fields about errors of any kind. | | [Event](/reference/ecs-event.md) | Fields breaking down the event details. | | [FaaS](/reference/ecs-faas.md) | Fields describing functions as a service. | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index 840dcde1b9..a72629bb79 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md @@ -48,6 +48,7 @@ The following table summarizes the alignment status by namespaces between ECS in | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · | | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · | | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · | | +| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · | | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · | | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · | | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · | | 
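Review bot: In the Makefile `clean` hunk, the new recipe lines delete files that are tracked in the repository. docs/reference/ecs-field-reference.md and docs/reference/ecs-otel-alignment-overview.md are both removed by `rm -f` here and modified by this same patch, so a `make clean` that is not followed by a full generate leaves the working tree with deleted docs. Consider moving the doc removal to its own target (for example a `clean-docs` target that `clean` does not depend on) or documenting that `clean` must be followed by `make generate`. The loop also parses `ls` output through two `sed` calls; iterating the glob directly (`for f in schemas/*.yml`) and taking `$$(basename "$$f" .yml)` avoids word-splitting on unusual file names and makes the `2>/dev/null` unnecessary. The `if [ -f ... ]` guard only serves the echo, since `rm -f` already tolerates a missing file.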
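Review bot: In the docs/reference/ecs-entity.md hunk, the new `entity.type` row contradicts itself. The description still reads "Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, etc.", which presents an open-ended list and omits `service`, while the added "Important" block says the value must be one of ten allowed values that include `service`. Since this page is generated, the fix belongs in the schema description: drop the "etc.", and either list all ten values or point to the allowed-values page only. The same row now states that the field should contain an array of values, so it would help to confirm that the Beats field definition generated in this patch, which shows a plain `type: keyword` with `example: host`, is expected to stay scalar-looking.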
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 80a915f209..1e68f9585a 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -2186,6 +2186,135 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 43ea889466..078c592f4b 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -260,6 +260,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0+exp,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.2.0+exp,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.2.0+exp,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.2.0+exp,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.2.0+exp,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.2.0+exp,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0+exp,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.2.0+exp,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.2.0+exp,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.2.0+exp,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.2.0+exp,true,entity,entity.name,keyword,core,,,The name of the entity. +9.2.0+exp,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. +9.2.0+exp,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.2.0+exp,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.2.0+exp,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.2.0+exp,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.2.0+exp,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.2.0+exp,true,error,error.code,keyword,core,,,Error code describing the error. 9.2.0+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.2.0+exp,true,error,error.message,match_only_text,core,,,Error message. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 827e92951b..933d1f52a8 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3401,6 +3401,241 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index c2793b1803..5803d7bb48 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4409,6 +4409,277 @@ email: short: Describes an email transaction. title: Email type: group +entity: + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that don't + have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + fields: + entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object + entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword + entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date + entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object + entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object + entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword + entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object + entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword + entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword + group: 2 + name: entity + prefix: entity. + reusable: + expected: + - as: entity + at: host + full: host.entity + - as: entity + at: user + full: user.target.entity + short_override: Entity information for the targeted user. + - as: entity + at: cloud + full: cloud.target.entity + short_override: Entity information for the target cloud entity. + - as: entity + at: service + full: service.target.entity + short_override: Entity information for the target service. + top_level: true + short: Fields to describe various types of entities across IT environments. 
+ title: Entity + type: group error: description: 'These fields can represent errors of any kind. diff --git a/experimental/generated/elasticsearch/composable/component/entity.json b/experimental/generated/elasticsearch/composable/component/entity.json new file mode 100644 index 0000000000..3b164f8d05 --- /dev/null +++ b/experimental/generated/elasticsearch/composable/component/entity.json @@ -0,0 +1,72 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", + "ecs_version": "9.2.0+exp" + }, + "template": { + "mappings": { + "properties": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/experimental/generated/elasticsearch/composable/template.json b/experimental/generated/elasticsearch/composable/template.json index 391cdac37f..f52b6efecf 100644 --- a/experimental/generated/elasticsearch/composable/template.json +++ b/experimental/generated/elasticsearch/composable/template.json @@ -17,6 +17,7 @@ "ecs_9.2.0-exp_dns", "ecs_9.2.0-exp_ecs", "ecs_9.2.0-exp_email", + "ecs_9.2.0-exp_entity", "ecs_9.2.0-exp_error", "ecs_9.2.0-exp_event", "ecs_9.2.0-exp_faas", 
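Review bot: In the experimental/generated/ecs/ecs_flat.yml hunk, `entity.id` is the only entity field added without a `beta: This field is beta and subject to change.` line; `entity.name`, `entity.source`, `entity.type` and every other field in the set carry it, and the ecs_nested.yml hunk shows the same gap. If `entity.id` is meant to be stable while the rest of the field set is beta, say so in the commit message. Otherwise add the `beta` key in schemas/entity.yml and regenerate so the docs and the generated artifacts agree.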
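Review bot: In the experimental/generated/ecs/ecs_nested.yml hunk, the `entity.name` description reads "this field should mirrors the corresponding *.name value", which should be "should mirror", and the `entity.type` description's list of example values skips `service` even though `allowed_values` defines it. Both strings are generated from the schema source, so fix them in schemas/entity.yml and regenerate rather than editing the generated files. The same text is repeated in the ecs_flat.yml and beats fields.ecs.yml hunks.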
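Review bot: In the new experimental/generated/elasticsearch/composable/component/entity.json, `raw` and `metrics` are mapped as plain `"type": "object"`, while the field descriptions in the YAML hunks say `entity.raw` is "Usually flattened field data type" and `entity.metrics` uses "dynamic field data type mapping". With an `object` mapping, every key copied unmodified from a source system becomes its own mapped field wherever dynamic mapping is enabled, so the field count grows with whatever the source sends. Either state in the descriptions that the template leaves the subfield types to the consumer, or map `raw` as `flattened` if that is the intended default.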
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 30a0432658..aef0ebd12d 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -1306,6 +1306,66 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3511b48bd6..6f80bcbf8b 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -2136,6 +2136,135 @@ original email message. example: Spambot v2.5 default_field: false + - name: entity + title: Entity + group: 2 + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that + don't have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + type: group + default_field: true + fields: + - name: attributes + level: extended + type: object + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + default_field: false + - name: behavior + level: extended + type: object + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: display_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'A unique identifier for the entity. 
When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + default_field: false + - name: last_seen_timestamp + level: extended + type: date + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + default_field: false + - name: lifecycle + level: extended + type: object + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + default_field: false + - name: metrics + level: extended + type: object + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + default_field: false + - name: raw + level: extended + type: object + description: Original, unmodified fields from the source system. Usually flattened + field data type. 
While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + default_field: false + - name: source + level: core + type: keyword + ignore_above: 1024 + description: The module or integration that provided this entity data (similar + to event.module). + default_field: false + - name: sub_type + level: extended + type: keyword + ignore_above: 1024 + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + default_field: false + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + default_field: false - name: error title: Error group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 31c2aabbe6..fe8916f4a8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -253,6 +253,21 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 9.2.0,true,email,email.subject.text,match_only_text,extended,,Please see this important message.,The subject of the email message. 9.2.0,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient 9.2.0,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +9.2.0,true,entity,entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity. +9.2.0,true,entity,entity.behavior,object,extended,,,"A set of ephemeral characteristics of the entity, derived from observed behaviors during a specific time period." +9.2.0,true,entity,entity.display_name,keyword,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,entity,entity.display_name.text,match_only_text,extended,,,An optional field used when a pretty name is desired for entity-centric operations. +9.2.0,true,entity,entity.id,keyword,core,,,Unique identifier for the entity. +9.2.0,true,entity,entity.last_seen_timestamp,date,extended,,,"Indicates the date/time when this entity was last ""seen.""" +9.2.0,true,entity,entity.lifecycle,object,extended,,,A set of temporal characteristics of the entity. +9.2.0,true,entity,entity.metrics,object,extended,,,Field set for any fields containing numeric entity metrics. +9.2.0,true,entity,entity.name,keyword,core,,,The name of the entity. +9.2.0,true,entity,entity.name.text,match_only_text,core,,,The name of the entity. +9.2.0,true,entity,entity.raw,object,extended,,,"Original, unmodified fields from the source system." +9.2.0,true,entity,entity.reference,keyword,extended,,,"A URI, URL, or other direct reference to access or locate the entity." +9.2.0,true,entity,entity.source,keyword,core,,,Source module or integration that provided the entity data. 
+9.2.0,true,entity,entity.sub_type,keyword,extended,,aws_s3_bucket,The specific type designation for the entity as defined by its provider or system. +9.2.0,true,entity,entity.type,keyword,core,array,host,Standardized high-level classification of the entity. 9.2.0,true,error,error.code,keyword,core,,,Error code describing the error. 9.2.0,true,error,error.id,keyword,core,,,Unique identifier for the error. 9.2.0,true,error,error.message,match_only_text,core,,,Error message. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bde05e89b4..4ef1b45c4b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3332,6 +3332,241 @@ email.x_mailer: normalize: [] short: Application that drafted email. type: keyword +entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually boolean + or keyword field data types. Use this field set when you need to track static + or semi-static characteristics of an entity for advanced searching and correlation + of normalized values across different providers/sources and entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object +entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. Usually boolean field data type. Use + this field set when you need to capture and track ephemeral characteristics of + an entity for advanced searching, correlation of normalized values across different + providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed behaviors + during a specific time period. + type: object +entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). 
+ flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric operations. + type: keyword +entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers exist, + this should be the most stable and commonly used identifier that: 1) persists + across the entity''s lifecycle, 2) ensures uniqueness within its scope, 3) is + commonly used for queries and correlation, and 4) is readily available in most + observations (logs/events). For entities with dedicated field sets (e.g., host, + user), this value should match the corresponding *.id field. Alternative identifiers + (e.g., ARNs values in AWS, URLs) can be preserved in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword +entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually based + upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date +entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. 
+ flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object +entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These use + dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object +entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches for + filtering and aggregations, while the text field enables full-text search. For + entities with dedicated field sets (e.g., `host`), this field should mirrors the + corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword +entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized fields + requiring advanced queries, this field preserves all source metadata with basic + search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object +entity.reference: + beta: This field is beta and subject to change. + dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. 
+ flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword +entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar to + event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword +entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its provider + or system. This field provides more granular classification than the type field. + Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` , + `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider or + system. + type: keyword +entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for object + storage. Common examples include AWS S3 buckets, Google Cloud Storage buckets, + Azure Blob containers, and other cloud storage services. Buckets are used to + organize and store files, objects, or data in cloud environments. + name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database instance. 
+ name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes message + brokers, event queues, and other messaging infrastructure components such as + Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues facilitate + asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical servers, + virtual machines, cloud instances, and other computing resources that can run + applications or services. Hosts provide the fundamental computing infrastructure + for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can interact + with systems, applications, or services. Users may have various roles, permissions, + and attributes associated with their identity. + name: user + - description: Represents a software application or service. This includes web applications, + mobile applications, desktop applications, and other software components that + provide functionality to users or other systems. Applications may run on various + infrastructure components and can span multiple hosts or containers. 
+ name: application + - description: Represents a service or microservice component. This includes web + services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate with + other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes user + login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword error.code: dashed_name: error-code description: Error code describing the error. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index f305cd5fd2..fe33493556 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4329,6 +4329,277 @@ email: short: Describes an email transaction. title: Email type: group +entity: + description: The entity fields provide a standardized way to represent and categorize + different types of components within an IT environment, including those that don't + have dedicated field sets in ECS. An entity represents a discrete, identifiable + component that can be described by a set of attributes and maintains its identity + over time. + fields: + entity.attributes: + beta: This field is beta and subject to change. + dashed_name: entity-attributes + description: A set of static or semi-static attributes of the entity. Usually + boolean or keyword field data types. Use this field set when you need to track + static or semi-static characteristics of an entity for advanced searching + and correlation of normalized values across different providers/sources and + entity types. + flat_name: entity.attributes + level: extended + name: attributes + normalize: [] + short: A set of static or semi-static attributes of the entity. + type: object + entity.behavior: + beta: This field is beta and subject to change. + dashed_name: entity-behavior + description: A set of ephemeral characteristics of the entity, derived from + observed behaviors during a specific time period. Usually boolean field data + type. Use this field set when you need to capture and track ephemeral characteristics + of an entity for advanced searching, correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.behavior + level: extended + name: behavior + normalize: [] + short: A set of ephemeral characteristics of the entity, derived from observed + behaviors during a specific time period. + type: object + entity.display_name: + beta: This field is beta and subject to change. + dashed_name: entity-display-name + description: An optional field used when a pretty name is desired for entity-centric + operations. 
This field should not be used for correlation with `*.name` fields + for entities with dedicated field sets (e.g., `host`). + flat_name: entity.display_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: entity.display_name.text + name: text + type: match_only_text + name: display_name + normalize: [] + short: An optional field used when a pretty name is desired for entity-centric + operations. + type: keyword + entity.id: + dashed_name: entity-id + description: 'A unique identifier for the entity. When multiple identifiers + exist, this should be the most stable and commonly used identifier that: 1) + persists across the entity''s lifecycle, 2) ensures uniqueness within its + scope, 3) is commonly used for queries and correlation, and 4) is readily + available in most observations (logs/events). For entities with dedicated + field sets (e.g., host, user), this value should match the corresponding *.id + field. Alternative identifiers (e.g., ARNs values in AWS, URLs) can be preserved + in the raw field.' + flat_name: entity.id + ignore_above: 1024 + level: core + name: id + normalize: [] + short: Unique identifier for the entity. + type: keyword + entity.last_seen_timestamp: + beta: This field is beta and subject to change. + dashed_name: entity-last-seen-timestamp + description: Indicates the date/time when this entity was last "seen," usually + based upon the last event/log that is initiated by this entity. + flat_name: entity.last_seen_timestamp + level: extended + name: last_seen_timestamp + normalize: [] + short: Indicates the date/time when this entity was last "seen." + type: date + entity.lifecycle: + beta: This field is beta and subject to change. + dashed_name: entity-lifecycle + description: A set of temporal characteristics of the entity. Usually date field + data type. 
Use this field set when you need to track temporal characteristics + of an entity for advanced searching and correlation of normalized values across + different providers/sources and entity types. + flat_name: entity.lifecycle + level: extended + name: lifecycle + normalize: [] + short: A set of temporal characteristics of the entity. + type: object + entity.metrics: + beta: This field is beta and subject to change. + dashed_name: entity-metrics + description: Field set for any fields containing numeric entity metrics. These + use dynamic field data type mapping. + flat_name: entity.metrics + level: extended + name: metrics + normalize: [] + short: Field set for any fields containing numeric entity metrics. + type: object + entity.name: + beta: This field is beta and subject to change. + dashed_name: entity-name + description: The name of the entity. The keyword field enables exact matches + for filtering and aggregations, while the text field enables full-text search. + For entities with dedicated field sets (e.g., `host`), this field should mirrors + the corresponding *.name value. + flat_name: entity.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: entity.name.text + name: text + type: match_only_text + name: name + normalize: [] + short: The name of the entity. + type: keyword + entity.raw: + beta: This field is beta and subject to change. + dashed_name: entity-raw + description: Original, unmodified fields from the source system. Usually flattened + field data type. While the attributes field should be used for normalized + fields requiring advanced queries, this field preserves all source metadata + with basic search capabilities. + flat_name: entity.raw + level: extended + name: raw + normalize: [] + short: Original, unmodified fields from the source system. + type: object + entity.reference: + beta: This field is beta and subject to change. 
+ dashed_name: entity-reference + description: A URI, URL, or other direct reference to access or locate the entity + in its source system. This could be an API endpoint, web console URL, or other + addressable location. Format may vary by entity type and source system. + flat_name: entity.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + short: A URI, URL, or other direct reference to access or locate the entity. + type: keyword + entity.source: + beta: This field is beta and subject to change. + dashed_name: entity-source + description: The module or integration that provided this entity data (similar + to event.module). + flat_name: entity.source + ignore_above: 1024 + level: core + name: source + normalize: [] + short: Source module or integration that provided the entity data. + type: keyword + entity.sub_type: + beta: This field is beta and subject to change. + dashed_name: entity-sub-type + description: 'The specific type designation for the entity as defined by its + provider or system. This field provides more granular classification than + the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` + would all map to entity type `bucket`. `hardware` , `virtual` , `container` + , `node` , `cloud_instance` would all map to entity type `host`.' + example: aws_s3_bucket + flat_name: entity.sub_type + ignore_above: 1024 + level: extended + name: sub_type + normalize: [] + short: The specific type designation for the entity as defined by its provider + or system. + type: keyword + entity.type: + allowed_values: + - description: Represents a storage container or bucket, typically used for + object storage. Common examples include AWS S3 buckets, Google Cloud Storage + buckets, Azure Blob containers, and other cloud storage services. Buckets + are used to organize and store files, objects, or data in cloud environments. 
+ name: bucket + - description: Represents a database system or database instance. This includes + relational databases (MySQL, PostgreSQL, Oracle), NoSQL databases (MongoDB, + Cassandra, DynamoDB), time-series databases, and other data storage systems. + The entity may represent the entire database system or a specific database + instance. + name: database + - description: Represents a containerized application or process. This includes + Docker containers, Kubernetes pods, and other containerization technologies. + Containers encapsulate applications and their dependencies, providing isolation + and portability across different environments. + name: container + - description: Represents a serverless function or Function-as-a-Service (FaaS) + component. This includes AWS Lambda functions, Azure Functions, Google Cloud + Functions, and other serverless computing resources. Functions are typically + event-driven and execute code without managing the underlying infrastructure. + name: function + - description: Represents a message queue or messaging system. This includes + message brokers, event queues, and other messaging infrastructure components + such as Amazon SQS, RabbitMQ, Apache Kafka, and Azure Service Bus. Queues + facilitate asynchronous communication between applications and services. + name: queue + - description: Represents a computing host or machine. This includes physical + servers, virtual machines, cloud instances, and other computing resources + that can run applications or services. Hosts provide the fundamental computing + infrastructure for other entity types. + name: host + - description: Represents a user account or identity. This includes human users, + service accounts, system accounts, and other identity entities that can + interact with systems, applications, or services. Users may have various + roles, permissions, and attributes associated with their identity. + name: user + - description: Represents a software application or service. 
This includes web + applications, mobile applications, desktop applications, and other software + components that provide functionality to users or other systems. Applications + may run on various infrastructure components and can span multiple hosts + or containers. + name: application + - description: Represents a service or microservice component. This includes + web services, APIs, background services, and other service-oriented architecture + components. Services provide specific functionality and may communicate + with other services to fulfill business requirements. + name: service + - description: Represents a user session or connection session. This includes + user login sessions, database connections, network sessions, and other temporary + interactive or persistent connections between users, applications, or systems. + name: session + beta: This field is beta and subject to change. + dashed_name: entity-type + description: 'A standardized high-level classification of the entity. This provides + a normalized way to group similar entities across different providers or systems. + Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, + `user`, `application`, `session`, etc.' + example: host + flat_name: entity.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + short: Standardized high-level classification of the entity. + type: keyword + group: 2 + name: entity + prefix: entity. + reusable: + expected: + - as: entity + at: host + full: host.entity + - as: entity + at: user + full: user.target.entity + short_override: Entity information for the targeted user. + - as: entity + at: cloud + full: cloud.target.entity + short_override: Entity information for the target cloud entity. + - as: entity + at: service + full: service.target.entity + short_override: Entity information for the target service. + top_level: true + short: Fields to describe various types of entities across IT environments. 
+ title: Entity + type: group error: description: 'These fields can represent errors of any kind. diff --git a/generated/elasticsearch/composable/component/entity.json b/generated/elasticsearch/composable/component/entity.json new file mode 100644 index 0000000000..be001bdc19 --- /dev/null +++ b/generated/elasticsearch/composable/component/entity.json @@ -0,0 +1,72 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-entity.html", + "ecs_version": "9.2.0" + }, + "template": { + "mappings": { + "properties": { + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/generated/elasticsearch/composable/template.json b/generated/elasticsearch/composable/template.json index f78d3a4a69..ea900ffd6f 100644 --- a/generated/elasticsearch/composable/template.json +++ b/generated/elasticsearch/composable/template.json @@ -16,6 +16,7 @@ "ecs_9.2.0_dns", "ecs_9.2.0_ecs", "ecs_9.2.0_email", + "ecs_9.2.0_entity", "ecs_9.2.0_error", "ecs_9.2.0_event", "ecs_9.2.0_faas", diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a520c57cfc..b8ed11959c 100644 
--- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -1264,6 +1264,66 @@ } } }, + "entity": { + "properties": { + "attributes": { + "type": "object" + }, + "behavior": { + "type": "object" + }, + "display_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_timestamp": { + "type": "date" + }, + "lifecycle": { + "type": "object" + }, + "metrics": { + "type": "object" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "type": "object" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "error": { "properties": { "code": { diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index b28783c4be..951c896c81 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -135,6 +135,8 @@ fields: fields: "*" email: fields: "*" + entity: + fields: "*" error: fields: "*" event: From 9ca11908cddaff16ed7a7678d00228cd59d64129 Mon Sep 17 00:00:00 2001 
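Review bot: In the generated/beats/fields.ecs.yml hunk, the `name` description reads "this field should mirrors the corresponding *.name value", and the description just before `last_seen_timestamp` reads "ARNs values in AWS"; both are grammar slips ("should mirror", "ARN values"). The same strings recur in the ecs_flat.yml and ecs_nested.yml hunks, so the fix belongs in the schema source with the generated files rebuilt, not in a hand edit to this file.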
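Review bot: In the generated/ecs/ecs_flat.yml hunk, `entity.id` is the only added entry without `beta: This field is beta and subject to change.`; every other `entity.*` entry in the hunk carries it. If the whole field set is beta, add the marker to `id` in the schema; if `id` is meant to be stable while the rest is beta, say so in its description. Separately, the `entity.type` description lists its example values without `service`, although `service` is one of the `allowed_values` in the same entry.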
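Review bot: In the `reusable.expected` list at the end of the generated/ecs/ecs_nested.yml hunk, `host` nests the field set as `host.entity` with no `short_override`, while `user`, `cloud` and `service` nest it as `*.target.entity` and each carry one. If the asymmetry is intended, a sentence in the field set `description` would save readers from guessing; as written it does not mention reuse at all.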
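Review bot: In the new generated/elasticsearch/composable/component/entity.json, `raw` is mapped as `"type": "object"` with no `dynamic` setting, while its description in the YAML hunks says "Usually flattened field data type" and that it "preserves all source metadata". With this mapping, whatever keys a source places under `entity.raw` follow the index's dynamic mapping behaviour, so unvetted source metadata can keep adding fields and run into type conflicts; if `flattened` is what integrations are expected to use, map it that way or state in the description who sets the concrete type. The same question applies to `attributes`, `behavior`, `lifecycle` and `metrics`, and to the identical block added to legacy/template.json.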
From: Michael Wolf Date: Fri, 17 Oct 2025 07:34:22 -0700 Subject: [PATCH 3/3] Update embedded semconv version to v1.37.0 (#2550) Update the semconv version used with ECS to generate documentation to semantic-conventions v1.37.0. This will ensure that documentation is built with the latest semconv version, and prepare ECS to work with more related fields. --- docs/reference/ecs-container.md | 2 +- docs/reference/ecs-dns.md | 2 +- docs/reference/ecs-gen_ai.md | 2 +- docs/reference/ecs-host.md | 6 ++--- docs/reference/ecs-otel-alignment-details.md | 13 +++++----- docs/reference/ecs-otel-alignment-overview.md | 24 ++++++++++--------- experimental/generated/ecs/ecs_flat.yml | 16 +++++++++---- experimental/generated/ecs/ecs_nested.yml | 16 +++++++++---- generated/ecs/ecs_flat.yml | 16 +++++++++---- generated/ecs/ecs_nested.yml | 16 +++++++++---- otel-semconv-version | 2 +- schemas/container.yml | 3 ++- schemas/dns.yml | 3 +++ schemas/gen_ai.yml | 3 ++- schemas/host.yml | 6 ++--- 15 files changed, 81 insertions(+), 49 deletions(-) diff --git a/docs/reference/ecs-container.md b/docs/reference/ecs-container.md index e920fabc97..c7707df0e9 100644 --- a/docs/reference/ecs-container.md +++ b/docs/reference/ecs-container.md @@ -29,7 +29,7 @@ These fields help correlate data based containers from any runtime. | $$$field-container-name$$$ [container.name](#field-container-name) | Container name.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [container.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-name) | extended | | $$$field-container-network-egress-bytes$$$ [container.network.egress.bytes](#field-container-network-egress-bytes) | The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection.

type: long | extended | | $$$field-container-network-ingress-bytes$$$ [container.network.ingress.bytes](#field-container-network-ingress-bytes) | The number of bytes received (gauge) on all network interfaces by the container since the last metric collection.

type: long | extended | -| $$$field-container-runtime$$$ [container.runtime](#field-container-runtime) | Runtime managing this container.

type: keyword

example: `docker`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [container.runtime](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime) | extended | +| $$$field-container-runtime$$$ [container.runtime](#field-container-runtime) | Runtime managing this container.

type: keyword

example: `docker`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [container.runtime.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime-name) | extended | | $$$field-container-security-context-privileged$$$ [container.security_context.privileged](#field-container-security-context-privileged) | Indicates whether the container is running in privileged mode.

type: boolean | extended | diff --git a/docs/reference/ecs-dns.md b/docs/reference/ecs-dns.md index f9beaf1725..75d55f3b1c 100644 --- a/docs/reference/ecs-dns.md +++ b/docs/reference/ecs-dns.md @@ -17,7 +17,7 @@ DNS events should either represent a single DNS query prior to getting answers ( | Field | Description | Level | | --- | --- | --- | -| $$$field-dns-answers$$$ [dns.answers](#field-dns-answers) | An array containing an object for each answer section returned by the server.

The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.

Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.

type: object

Note: This field should contain an array of values. | extended | +| $$$field-dns-answers$$$ [dns.answers](#field-dns-answers) | An array containing an object for each answer section returned by the server.

The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.

Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.

type: object

Note: This field should contain an array of values.

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [dns.answers](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns/#dns-answers) | extended | | $$$field-dns-answers-class$$$ [dns.answers.class](#field-dns-answers-class) | The class of DNS data contained in this resource record.

type: keyword

example: `IN` | extended | | $$$field-dns-answers-data$$$ [dns.answers.data](#field-dns-answers-data) | The data describing the resource.

The meaning of this data depends on the type and class of the resource record.

type: keyword

example: `10.10.10.10` | extended | | $$$field-dns-answers-name$$$ [dns.answers.name](#field-dns-answers-name) | The domain name to which this resource record pertains.

If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.

type: keyword

example: `www.example.com` | extended | diff --git a/docs/reference/ecs-gen_ai.md b/docs/reference/ecs-gen_ai.md index ffe5605004..23300697b2 100644 --- a/docs/reference/ecs-gen_ai.md +++ b/docs/reference/ecs-gen_ai.md @@ -36,7 +36,7 @@ This field group definition is based on the Gen AI namespace of the OpenTelemetr | $$$field-gen-ai-response-finish-reasons$$$ [gen_ai.response.finish_reasons](#field-gen-ai-response-finish-reasons) | _This field is beta and subject to change._ Array of reasons the model stopped generating tokens, corresponding to each generation received.

type: nested

example: `["stop", "length"]`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.finish_reasons](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-finish-reasons) | extended | | $$$field-gen-ai-response-id$$$ [gen_ai.response.id](#field-gen-ai-response-id) | _This field is beta and subject to change._ The unique identifier for the completion.

type: keyword

example: `chatcmpl-123`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-id) | extended | | $$$field-gen-ai-response-model$$$ [gen_ai.response.model](#field-gen-ai-response-model) | _This field is beta and subject to change._ The name of the model that generated the response.

type: keyword

example: `gpt-4-0613`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.response.model](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-model) | extended | -| $$$field-gen-ai-system$$$ [gen_ai.system](#field-gen-ai-system) | _This field is beta and subject to change._ The Generative AI product as identified by the client or server instrumentation.

type: keyword

example: `openai`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.system](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-system) | extended | +| $$$field-gen-ai-system$$$ [gen_ai.system](#field-gen-ai-system) | _This field is beta and subject to change._ The Generative AI product as identified by the client or server instrumentation.

type: keyword

example: `openai`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.provider.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-provider-name) | extended | | $$$field-gen-ai-token-type$$$ [gen_ai.token.type](#field-gen-ai-token-type) | _This field is beta and subject to change._ The type of token being counted.

type: keyword

example: `input; output`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.token.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-token-type) | extended | | $$$field-gen-ai-tool-call-id$$$ [gen_ai.tool.call.id](#field-gen-ai-tool-call-id) | _This field is beta and subject to change._ The tool call identifier.

type: keyword

example: `call_mszuSIzqtI65i1wAUOE8w5H4`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.call.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-call-id) | extended | | $$$field-gen-ai-tool-name$$$ [gen_ai.tool.name](#field-gen-ai-tool-name) | _This field is beta and subject to change._ Name of the tool utilized by the agent.

type: keyword

example: `Flights`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [gen_ai.tool.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-name) | extended | diff --git a/docs/reference/ecs-host.md b/docs/reference/ecs-host.md index 41b5e1c407..51705caaf2 100644 --- a/docs/reference/ecs-host.md +++ b/docs/reference/ecs-host.md @@ -19,7 +19,7 @@ ECS host.* fields should be populated with details about the host on which the e | --- | --- | --- | | $$$field-host-architecture$$$ [host.architecture](#field-host-architecture) | Operating system architecture.

type: keyword

example: `x86_64`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.arch](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-arch) | core | | $$$field-host-boot-id$$$ [host.boot.id](#field-host-boot-id) | Linux boot uuid taken from /proc/sys/kernel/random/boot_id. Note the boot_id value from /proc may or may not be the same in containers as on the host. Some container runtimes will bind mount a new boot_id value onto the proc file in each container.

type: keyword

example: `88a1f0ed-5ae5-41ee-af6b-41921c311872` | extended | -| $$$field-host-cpu-usage$$$ [host.cpu.usage](#field-host-cpu-usage) | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.

Scaling factor: 1000.

For example: For a two core host, this value should be the average of the two cores, between 0 and 1.

type: scaled_float

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.cpu.utilization+--%3E%22&type=code) | extended | +| $$$field-host-cpu-usage$$$ [host.cpu.usage](#field-host-cpu-usage) | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1.

Scaling factor: 1000.

For example: For a two core host, this value should be the average of the two cores, between 0 and 1.

type: scaled_float

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.cpu.utilization+--%3E%22&type=code) | extended | | $$$field-host-disk-read-bytes$$$ [host.disk.read.bytes](#field-host-disk-read-bytes) | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | extended | | $$$field-host-disk-write-bytes$$$ [host.disk.write.bytes](#field-host-disk-write-bytes) | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | extended | | $$$field-host-domain$$$ [host.domain](#field-host-domain) | Name of the domain of which the host is a member.

For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.

type: keyword

example: `CONTOSO` | extended | @@ -29,9 +29,9 @@ ECS host.* fields should be populated with details about the host on which the e | $$$field-host-mac$$$ [host.mac](#field-host-mac) | Host MAC addresses.

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

type: keyword

Note: This field should contain an array of values.

example: `["00-00-5E-00-53-23", "00-00-5E-00-53-24"]`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.mac](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-mac) | core | | $$$field-host-name$$$ [host.name](#field-host-name) | Name of the host.

It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-name) | core | | $$$field-host-network-egress-bytes$$$ [host.network.egress.bytes](#field-host-network-egress-bytes) | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | extended | -| $$$field-host-network-egress-packets$$$ [host.network.egress.packets](#field-host-network-egress-packets) | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | extended | +| $$$field-host-network-egress-packets$$$ [host.network.egress.packets](#field-host-network-egress-packets) | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | extended | | $$$field-host-network-ingress-bytes$$$ [host.network.ingress.bytes](#field-host-network-ingress-bytes) | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | extended | -| $$$field-host-network-ingress-packets$$$ [host.network.ingress.packets](#field-host-network-ingress-packets) | The number of packets (gauge) received on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | extended | +| $$$field-host-network-ingress-packets$$$ [host.network.ingress.packets](#field-host-network-ingress-packets) | The number of packets (gauge) received on all network interfaces by the host since the last metric collection.

type: long

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | extended | | $$$field-host-pid-ns-ino$$$ [host.pid_ns_ino](#field-host-pid-ns-ino) | This is the inode number of the namespace in the namespace file system (nsfs). Unsigned int inum in include/linux/ns_common.h.

type: keyword

example: `256383` | extended | | $$$field-host-type$$$ [host.type](#field-host-type) | Type of host.

For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | core | | $$$field-host-uptime$$$ [host.uptime](#field-host-uptime) | Seconds the host has been up.

type: long

example: `1325`

![OTel Badge](https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentelemetry) [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | extended | diff --git a/docs/reference/ecs-otel-alignment-details.md b/docs/reference/ecs-otel-alignment-details.md index dda32899a4..84e2ba2a4c 100644 --- a/docs/reference/ecs-otel-alignment-details.md +++ b/docs/reference/ecs-otel-alignment-details.md @@ -6,7 +6,7 @@ mapped_pages: # Field & Attributes Alignment [ecs-otel-alignment-details] -The following table gives an overview of mappings between individual ECS fields (in ECS version `9.2.0`) and corresponding OTel semantic convention attributes (in SemConv version `1.34.0`). +The following table gives an overview of mappings between individual ECS fields (in ECS version `9.2.0`) and corresponding OTel semantic convention attributes (in SemConv version `1.37.0`). | ECS Field | Relation | OTel Semantic Conventions Attribute | Stability $$$otel-mapping-namespace-base$$$ | | --- | --- | --- | --- | 
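Review bot: the intro sentence now cites SemConv `1.37.0` instead of `1.34.0` while the ECS version stays at `9.2.0`, and nothing on the page tells a reader which rows changed because of the bump. Several rows in this patch move to a renamed attribute or metric (`container.runtime.name`, `gen_ai.provider.name`, `system.cpu.utilization`, `system.network.packet.count`), so a short list of the renamed targets near the table intro would help anyone maintaining ingest mappings or detection rules keyed on the old names.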
@@ -35,7 +35,7 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-container-labels$$$ [container.labels](/reference/ecs-container.md#field-container-labels) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.label](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-label) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-container-memory-usage$$$ [container.memory.usage](/reference/ecs-container.md#field-container-memory-usage) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.memory.usage](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.container.memory.usage+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-container-name$$$ [container.name](/reference/ecs-container.md#field-container-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-container-runtime$$$ [container.runtime](/reference/ecs-container.md#field-container-runtime) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.runtime](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-container-runtime$$$ [container.runtime](/reference/ecs-container.md#field-container-runtime) | 
[![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [container.runtime.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container/#container-runtime-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | **Data Stream Fields** | | $$$otel-mapping-for-data-stream-dataset$$$ [data_stream.dataset](/reference/ecs-data_stream.md#field-data-stream-dataset) | [![not-applicable](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | Not applicable. | | | $$$otel-mapping-for-data-stream-namespace$$$ [data_stream.namespace](/reference/ecs-data_stream.md#field-data-stream-namespace) | [![not-applicable](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | Not applicable. | | 
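Review bot: in the `container.runtime` row the relation drops from `match` to `equivalent` because the OTel target becomes `container.runtime.name`, and the previous attribute name disappears from the docs entirely. Sources instrumented against the earlier SemConv version may still emit `container.runtime`; consider mentioning the former name in this row or in the field description in ecs-container.md so that such data is not read as unmapped.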
@@ -49,6 +49,7 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-device-model-identifier$$$ [device.model.identifier](/reference/ecs-device.md#field-device-model-identifier) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [device.model.identifier](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-model-identifier) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-device-model-name$$$ [device.model.name](/reference/ecs-device.md#field-device-model-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [device.model.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device/#device-model-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | **DNS Fields** | +| $$$otel-mapping-for-dns-answers$$$ [dns.answers](/reference/ecs-dns.md#field-dns-answers) | [![related](https://img.shields.io/badge/related-efc20d?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [dns.answers](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns/#dns-answers) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-dns-question-name$$$ [dns.question.name](/reference/ecs-dns.md#field-dns-question-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [dns.question.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns/#dns-question-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | **ECS Fields** | | $$$otel-mapping-for-ecs-version$$$ [ecs.version](/reference/ecs-ecs.md#field-ecs-version) | 
[![not-applicable](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | Not applicable. | | 
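Review bot: the new `dns.answers` row is tagged `related` with no indication of how the two sides differ. ecs-dns.md defines the ECS field as an array of objects that must contain at least the `data` key, so please add a sentence stating what the OTel attribute carries and which ECS sub-field it lines up with (is it `dns.answers.data`?). Without that, a direct copy of the OTel value into `dns.answers` would break queries that rely on the sub-fields.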
@@ -101,7 +102,7 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-gen-ai-response-finish-reasons$$$ [gen_ai.response.finish_reasons](/reference/ecs-gen_ai.md#field-gen-ai-response-finish-reasons) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.finish_reasons](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-finish-reasons) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-response-id$$$ [gen_ai.response.id](/reference/ecs-gen_ai.md#field-gen-ai-response-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-response-model$$$ [gen_ai.response.model](/reference/ecs-gen_ai.md#field-gen-ai-response-model) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.response.model](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-response-model) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-gen-ai-system$$$ [gen_ai.system](/reference/ecs-gen_ai.md#field-gen-ai-system) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.system](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-system) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-gen-ai-system$$$ [gen_ai.system](/reference/ecs-gen_ai.md#field-gen-ai-system) | 
[![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.provider.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-provider-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-token-type$$$ [gen_ai.token.type](/reference/ecs-gen_ai.md#field-gen-ai-token-type) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.token.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-token-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-tool-call-id$$$ [gen_ai.tool.call.id](/reference/ecs-gen_ai.md#field-gen-ai-tool-call-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.call.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-call-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-gen-ai-tool-name$$$ [gen_ai.tool.name](/reference/ecs-gen_ai.md#field-gen-ai-tool-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [gen_ai.tool.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai/#gen-ai-tool-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | 
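Review bot: re-pointing `gen_ai.system` at `gen_ai.provider.name` as `equivalent` leaves the ECS name diverging from OTel in a field group whose description says it is based on the OTel Gen AI namespace. Since the field is still marked beta, it is worth deciding in this PR whether ECS should follow the rename and return to `match` rather than carry the difference. Please also confirm that the example value `openai` in ecs-gen_ai.md is still valid for the new attribute.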
@@ -118,7 +119,7 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-geo-region-iso-code$$$ [geo.region_iso_code](/reference/ecs-geo.md#field-geo-region-iso-code) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [geo.region.iso_code](https://opentelemetry.io/docs/specs/semconv/attributes-registry/geo/#geo-region-iso-code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | **Host Fields** | | $$$otel-mapping-for-host-architecture$$$ [host.architecture](/reference/ecs-host.md#field-host-architecture) | [![equivalent](https://img.shields.io/badge/equivalent-1ba9f5?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.arch](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-arch) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-host-cpu-usage$$$ [host.cpu.usage](/reference/ecs-host.md#field-host-cpu-usage) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.cpu.utilization+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-host-cpu-usage$$$ [host.cpu.usage](/reference/ecs-host.md#field-host-cpu-usage) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.cpu.utilization](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.cpu.utilization+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-disk-read-bytes$$$ 
[host.disk.read.bytes](/reference/ecs-host.md#field-host-disk-read-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-disk-write-bytes$$$ [host.disk.write.bytes](/reference/ecs-host.md#field-host-disk-write-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.disk.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.disk.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-id$$$ [host.id](/reference/ecs-host.md#field-host-id) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.id](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-id) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | 
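Review bot: the `host.cpu.usage` link target is a GitHub code search for the marker `semconv metric.system.cpu.utilization`, which returns an empty result page rather than an error if no marker with that exact name exists. Please confirm the search resolves for this row and for the `system.network.packet.count` rows changed later in the patch. A link check in the docs generator would catch a stale marker on the next SemConv bump.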
@@ -126,9 +127,9 @@ The following table gives an overview of mappings between individual ECS fields | $$$otel-mapping-for-host-mac$$$ [host.mac](/reference/ecs-host.md#field-host-mac) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.mac](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-mac) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-name$$$ [host.name](/reference/ecs-host.md#field-host-name) | [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.name](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-name) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-network-egress-bytes$$$ [host.network.egress.bytes](/reference/ecs-host.md#field-host-network-egress-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-host-network-egress-packets$$$ [host.network.egress.packets](/reference/ecs-host.md#field-host-network-egress-packets) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-host-network-egress-packets$$$ [host.network.egress.packets](/reference/ecs-host.md#field-host-network-egress-packets) | 
[![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-network-ingress-bytes$$$ [host.network.ingress.bytes](/reference/ecs-host.md#field-host-network-ingress-bytes) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.io](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.io+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | -| $$$otel-mapping-for-host-network-ingress-packets$$$ [host.network.ingress.packets](/reference/ecs-host.md#field-host-network-ingress-packets) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packets](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packets+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | +| $$$otel-mapping-for-host-network-ingress-packets$$$ [host.network.ingress.packets](/reference/ecs-host.md#field-host-network-ingress-packets) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.network.packet.count](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.network.packet.count+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-type$$$ [host.type](/reference/ecs-host.md#field-host-type) 
| [![match](https://img.shields.io/badge/match-93c93e?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [host.type](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host/#host-type) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | $$$otel-mapping-for-host-uptime$$$ [host.uptime](/reference/ecs-host.md#field-host-uptime) | [![metric](https://img.shields.io/badge/metric-cb00cb?style=flat)](/reference/ecs-opentelemetry.md#ecs-opentelemetry-relation) | [system.uptime](https://github.com/search?q=repo%3Aopen-telemetry%2Fsemantic-conventions+%22%3C%21--\+semconv+metric.system.uptime+--%3E%22&type=code) | ![development](https://img.shields.io/badge/✘-fed10c?style=flat) | | **HTTP Fields** | diff --git a/docs/reference/ecs-otel-alignment-overview.md b/docs/reference/ecs-otel-alignment-overview.md index a72629bb79..36e2082ed4 100644 --- a/docs/reference/ecs-otel-alignment-overview.md +++ b/docs/reference/ecs-otel-alignment-overview.md @@ -6,7 +6,7 @@ mapped_pages: # OTel Alignment Overview [ecs-otel-alignment-overview] -The following table summarizes the alignment status by namespaces between ECS in version `9.2.0` and OpenTelemetry semantic conventions in version `1.34.0`. +The following table summarizes the alignment status by namespaces between ECS in version `9.2.0` and OpenTelemetry semantic conventions in version `1.37.0`. | | | | --- | --- | 
@@ -14,13 +14,12 @@ The following table summarizes the alignment status by namespaces between ECS in | Namespace | ECS | OTel | ![relation](https://img.shields.io/badge/match-93c93e?style=flat "match") | ![relation](https://img.shields.io/badge/equivalent-1ba9f5?style=flat "equivalent") | ![relation](https://img.shields.io/badge/related-efc20d?style=flat "related") | ![relation](https://img.shields.io/badge/conflict-910000?style=flat "conflict") | ![relation](https://img.shields.io/badge/metric-cb00cb?style=flat "metric") | ![relation](https://img.shields.io/badge/OTLP-ffdcb2?style=flat "OTLP") | ![relation](https://img.shields.io/badge/n%2Fa-f2f4fb?style=flat "na") | | Agent | [6](/reference/ecs-agent.md) | · | · | · | · | · | · | · | · | | Android | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/android) | · | · | · | · | · | · | | -| Application | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/app) | · | · | · | · | · | · | | +| Application | · | [9](https://opentelemetry.io/docs/specs/semconv/attributes-registry/app) | · | · | · | · | · | · | | | Artifact | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/artifact) | · | · | · | · | · | · | | | Autonomous System | [2](/reference/ecs-as.md) | · | · | · | · | · | · | · | · | -| ASP.NET Core | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/aspnetcore) | · | · | · | · | · | · | | +| ASP.NET Core | · | [23](https://opentelemetry.io/docs/specs/semconv/attributes-registry/aspnetcore) | · | · | · | · | · | · | | | General AWS | · | [52](https://opentelemetry.io/docs/specs/semconv/attributes-registry/aws) | · | · | · | · | · | · | | -| Azure Client Library | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/az) | · | · | · | · | · | · | | -| Azure Client Library | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/azure) | · | · | · | · | · | · | | +| Azure Client Library | · | 
[9](https://opentelemetry.io/docs/specs/semconv/attributes-registry/azure) | · | · | · | · | · | · | | | Base | [4](/reference/ecs-base.md) | · | · | · | 2 | · | · | 4 | · | | Browser | · | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/browser) | · | · | · | · | · | · | | | Cassandra | · | [6](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cassandra) | · | · | · | · | · | · | | @@ -31,7 +30,7 @@ The following table summarizes the alignment status by namespaces between ECS in | CloudFoundry | · | [11](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cloudfoundry) | · | · | · | · | · | · | | | Code | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/code) | · | · | · | · | · | · | | | Code Signature | [11](/reference/ecs-code_signature.md) | · | · | · | · | · | · | · | · | -| Container | [14](/reference/ecs-container.md) | [13](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container) | 4 | 2 | 1 | · | 2 | · | · | +| Container | [14](/reference/ecs-container.md) | [15](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container) | 3 | 3 | 1 | · | 2 | · | · | | CPU | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cpu) | · | · | · | · | · | · | | | CPython attributes | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cpython) | · | · | · | · | · | · | | | Data Stream | [3](/reference/ecs-data_stream.md) | · | · | · | · | · | · | · | 3 | 
@@ -41,7 +40,7 @@ The following table summarizes the alignment status by namespaces between ECS in | Device | [10](/reference/ecs-device.md) | [4](https://opentelemetry.io/docs/specs/semconv/attributes-registry/device) | 4 | · | · | · | · | · | · | | Disk | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/disk) | · | · | · | · | · | · | | | DLL | [4](/reference/ecs-dll.md) | · | · | · | · | · | · | · | · | -| DNS | [18](/reference/ecs-dns.md) | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns) | 1 | · | · | · | · | · | · | +| DNS | [18](/reference/ecs-dns.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dns) | 1 | · | 1 | · | · | · | · | | .NET | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/dotnet) | · | · | · | · | · | · | | | ECS | [1](/reference/ecs-ecs.md) | · | · | · | · | · | · | · | 1 | | Elasticsearch | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/elasticsearch) | · | · | · | · | · | · | | 
@@ -56,7 +55,7 @@ The following table summarizes the alignment status by namespaces between ECS in | Feature Flag | · | [8](https://opentelemetry.io/docs/specs/semconv/attributes-registry/feature-flag) | · | · | · | · | · | · | | | File | [24](/reference/ecs-file.md) | [18](https://opentelemetry.io/docs/specs/semconv/attributes-registry/file) | 11 | 7 | · | · | · | · | · | | GCP Client | · | [14](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gcp) | · | · | · | · | · | · | | -| Gen AI | [26](/reference/ecs-gen_ai.md) | [32](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai) | 26 | · | · | · | · | · | · | +| Gen AI | [26](/reference/ecs-gen_ai.md) | [32](https://opentelemetry.io/docs/specs/semconv/attributes-registry/gen-ai) | 25 | 1 | · | · | · | · | · | | Geo | [11](/reference/ecs-geo.md) | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/geo) | 1 | 4 | 2 | · | · | · | · | | Go | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/go) | · | · | · | · | · | · | | | GraphQL | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/graphql) | · | · | · | · | · | · | | 
@@ -65,24 +64,26 @@ The following table summarizes the alignment status by namespaces between ECS in | Heroku | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/heroku) | · | · | · | · | · | · | | | Host | [18](/reference/ecs-host.md) | [15](https://opentelemetry.io/docs/specs/semconv/attributes-registry/host) | 5 | 1 | · | · | 8 | · | · | | HTTP | [13](/reference/ecs-http.md) | [12](https://opentelemetry.io/docs/specs/semconv/attributes-registry/http) | 1 | 5 | 2 | 1 | · | · | · | -| Hardware | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/hw) | · | · | · | · | · | · | | +| Hardware | · | [27](https://opentelemetry.io/docs/specs/semconv/attributes-registry/hw) | · | · | · | · | · | · | | | Interface | [3](/reference/ecs-interface.md) | · | · | · | · | · | · | · | · | | iOS | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/ios) | · | · | · | · | · | · | | | Java Virtual Machine (JVM) | · | [8](https://opentelemetry.io/docs/specs/semconv/attributes-registry/jvm) | · | · | · | · | · | · | | -| Kubernetes | · | [49](https://opentelemetry.io/docs/specs/semconv/attributes-registry/k8s) | · | · | · | · | · | · | | +| Kubernetes | · | [60](https://opentelemetry.io/docs/specs/semconv/attributes-registry/k8s) | · | · | · | · | · | · | | | Linux Memory | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/linux) | · | · | · | · | · | · | | | Log | [18](/reference/ecs-log.md) | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/log) | 1 | · | · | · | · | 1 | · | | Mach-O Header | [16](/reference/ecs-macho.md) | · | · | · | · | · | · | · | · | +| Mainframe LPAR attributes | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/mainframe) | · | · | · | · | · | · | | | General Messaging | · | [37](https://opentelemetry.io/docs/specs/semconv/attributes-registry/messaging) | · | · | · | · | · | · | | | Network | [12](/reference/ecs-network.md) | 
[17](https://opentelemetry.io/docs/specs/semconv/attributes-registry/network) | 2 | 1 | · | · | · | · | · | | Node.js | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/nodejs) | · | · | · | · | · | · | | | Observer | [13](/reference/ecs-observer.md) | · | · | · | · | · | · | · | · | | Open Container Initiative (OCI) | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/oci) | · | · | · | · | · | · | | +| OpenAI | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/openai) | · | · | · | · | · | · | | | OpenTracing | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/opentracing) | · | · | · | · | · | · | | | Orchestrator | [15](/reference/ecs-orchestrator.md) | · | · | · | · | · | · | · | · | | Organization | [2](/reference/ecs-organization.md) | · | · | · | · | · | · | · | · | | Operating System | [7](/reference/ecs-os.md) | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/os) | 2 | 1 | · | 1 | · | · | · | -| OTel | · | [7](https://opentelemetry.io/docs/specs/semconv/attributes-registry/otel) | · | · | · | · | · | · | | +| OTel | · | [9](https://opentelemetry.io/docs/specs/semconv/attributes-registry/otel) | · | · | · | · | · | · | | | Package | [13](/reference/ecs-package.md) | · | · | · | · | · | · | · | · | | PE Header | [23](/reference/ecs-pe.md) | · | · | · | · | · | · | · | · | | Peer | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/peer) | · | · | · | · | · | · | | 
@@ -116,3 +117,4 @@ The following table summarizes the alignment status by namespaces between ECS in | Vulnerability | [13](/reference/ecs-vulnerability.md) | · | · | · | · | · | · | · | · | | Web Engine | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/webengine) | · | · | · | · | · | · | | | x509 Certificate | [24](/reference/ecs-x509.md) | · | · | · | · | · | · | · | · | +| z/OS attributes | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/zos) | · | · | · | · | · | · | | diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 933d1f52a8..82935b7df5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1510,7 +1510,8 @@ container.runtime: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -2814,6 +2815,10 @@ dns.answers: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -6789,7 +6794,8 @@ gen_ai.system: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -6956,7 +6962,7 @@ host.cpu.usage: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -7496,7 +7502,7 @@ host.network.egress.packets: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. 
@@ -7524,7 +7530,7 @@ host.network.ingress.packets: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 5803d7bb48..e9f9f1a261 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1933,7 +1933,8 @@ container: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -3361,6 +3362,10 @@ dns: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -7954,7 +7959,8 @@ gen_ai: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -8488,7 +8494,7 @@ host: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -9035,7 +9041,7 @@ host: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -9063,7 +9069,7 @@ host: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 4ef1b45c4b..8336eaac97 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1441,7 +1441,8 @@ container.runtime: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -2745,6 +2746,10 @@ dns.answers: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -6720,7 +6725,8 @@ gen_ai.system: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -6887,7 +6893,7 @@ host.cpu.usage: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -7427,7 +7433,7 @@ host.network.egress.packets: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -7455,7 +7461,7 @@ host.network.ingress.packets: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index fe33493556..af8b28777f 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1853,7 +1853,8 @@ container: name: runtime normalize: [] otel: - - relation: match + - attribute: container.runtime.name + relation: equivalent stability: development short: Runtime managing this container. type: keyword @@ -3281,6 +3282,10 @@ dns: name: answers normalize: - array + otel: + - attribute: dns.answers + relation: related + stability: development short: Array of DNS answers. type: object dns.answers.class: @@ -7874,7 +7879,8 @@ gen_ai: name: system normalize: [] otel: - - relation: match + - attribute: gen_ai.provider.name + relation: equivalent stability: development short: The Generative AI product as identified by the client or server instrumentation. type: keyword @@ -8408,7 +8414,7 @@ host: name: cpu.usage normalize: [] otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric stability: development scaling_factor: 1000 @@ -8955,7 +8961,7 @@ host: name: network.egress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets sent on all network interfaces. @@ -8983,7 +8989,7 @@ host: name: network.ingress.packets normalize: [] otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric stability: development short: The number of packets received on all network interfaces. diff --git a/otel-semconv-version b/otel-semconv-version index 995ab8e3fc..b909b32cd5 100644 --- a/otel-semconv-version +++ b/otel-semconv-version @@ -1 +1 @@ -v1.34.0 +v1.37.0 diff --git a/schemas/container.yml b/schemas/container.yml index 576000e7b9..445527ebe5 100644 --- a/schemas/container.yml +++ b/schemas/container.yml @@ -157,4 +157,5 @@ Runtime managing this container. example: docker otel: - - relation: match + - relation: equivalent + attribute: container.runtime.name diff --git a/schemas/dns.yml b/schemas/dns.yml index 7475ce9829..1eb3c023f9 100644 --- a/schemas/dns.yml 
+++ b/schemas/dns.yml @@ -171,6 +171,9 @@ and add any additional fields to the answer objects as custom fields. normalize: - array + otel: + - relation: related + attribute: dns.answers - name: answers.name level: extended diff --git a/schemas/gen_ai.yml b/schemas/gen_ai.yml index 95a567a641..c7dd9d5df3 100644 --- a/schemas/gen_ai.yml +++ b/schemas/gen_ai.yml @@ -186,7 +186,8 @@ level: extended beta: This field is beta and subject to change. otel: - - relation: match + - relation: equivalent + attribute: gen_ai.provider.name - name: token.type type: keyword description: The type of token being counted. diff --git a/schemas/host.yml b/schemas/host.yml index 21b7dbb1d7..2782b569c7 100644 --- a/schemas/host.yml +++ b/schemas/host.yml @@ -151,7 +151,7 @@ For example: For a two core host, this value should be the average of the two cores, between 0 and 1. otel: - - metric: cpu.utilization + - metric: system.cpu.utilization relation: metric - name: disk.read.bytes @@ -195,7 +195,7 @@ The number of packets (gauge) received on all network interfaces by the host since the last metric collection. otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric - name: network.egress.bytes @@ -217,7 +217,7 @@ The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. otel: - - metric: system.network.packets + - metric: system.network.packet.count relation: metric - name: boot.id
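Review bot: In the two `schemas/host.yml` hunks at -195 and -217, `network.ingress.packets` and `network.egress.packets` both end up pointing at the same metric, `system.network.packet.count`, and nothing in the `otel:` entry says which direction each ECS field corresponds to. Anyone building a pipeline or detection from this mapping has to work out the split themselves. Please record the direction for each field, either in the `otel:` entry or in the field description, so the ingress and egress rows in the generated mapping table can be told apart.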
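Review bot: In the `schemas/container.yml` and `schemas/gen_ai.yml` hunks, the relation drops from `match` to `equivalent` because the OTel attribute now has a different name (`container.runtime.name`, `gen_ai.provider.name`), but neither hunk tells readers of the field reference that the names have diverged. A sentence in each field's description naming the OTel counterpart would help people who query OTel-sourced data by the ECS name. A smaller style point: these entries are written with `relation` before `attribute`, while the `host.yml` entries put `metric` first and the generated files emit `attribute` first. Putting `attribute` first here would keep the schema sources consistent.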
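Review bot: In the `schemas/dns.yml` hunk at -171, `dns.answers` gets `relation: related` against the attribute `dns.answers` with no explanation of why the relation is `related` rather than `match` or `equivalent`. The ECS field is `type: object` normalized to an array, so the difference is presumably one of shape, but the hunk leaves the reader to guess. Please add a short note on what differs between the two, since the identical name will otherwise be read as a direct mapping.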