Skip to content

Extend entity schema with relationship and risk#2577

Open
uri-weisman wants to merge 4 commits intoelastic:mainfrom
uri-weisman:improve_entity_schema
Open

Extend entity schema with relationship and risk#2577
uri-weisman wants to merge 4 commits intoelastic:mainfrom
uri-weisman:improve_entity_schema

Conversation

@uri-weisman
Copy link
Contributor

@uri-weisman uri-weisman commented Jan 8, 2026
edited
Loading

1. What does this PR do?

  • Adds a new entity.relationship field (beta) to track relationship attributes (already part of entity store schema as of 9.2)
  • Enables risk fields to be nested under entity schema (adds entity to risk schema's reusable expected locations)

2. Which ECS fields are affected/introduced?

New fields:

  • entity.relationship (extended, object, beta) - A set of relationship attributes that can vary between entity types. Similar to entity.attributes, this field uses object type to allow flexible schema definitions.

Field reuse enabled:

  • entity.risk.* - Risk fields can now be nested under entity (e.g., entity.risk.calculated_score, entity.risk.calculated_level, etc.)

Purpose:

  • entity.relationship enables tracking relationship characteristics of entities for advanced searching and correlation across different providers/sources and entity types
  • entity.risk.* allows risk scoring for any entity type, not just hosts and users

3. Why is this change necessary?

Entity relationship field:

  • Enables better entity correlation and relationship tracking in security and observability use cases
  • Already part of the entity store schema.
  • We plan to extract relationship data from relevant integration logs, some might be inferred by entity analytics.

Entity risk field reuse:

  • Already part of the schema.

4. Have you added/updated documentation?

YES

5. Have you built ECS and committed any newly generated files?

YES

6. Have you run the ECS validation tests locally?

YES

7. Anything else for the reviewers?

Commit Message

Add entity.relationship field and enable risk field reuse for entity

@uri-weisman
Update host and entity schemas to enhance structure and relationships
ec77b94 
- Removed the reusable section from the host schema for clarity.
- Added a new 'relationship' field to the entity schema to track varying attributes between entity types.
- Updated the risk schema to include 'entity' as an expected type.

These changes aim to improve the organization and functionality of the schemas for better data representation.
@uri-weisman
Add entity.relationship field and enhance risk fields
b55bc55 
- Introduced the `entity.relationship` field to track relationship characteristics of entities for advanced searching and correlation.
- Enhanced risk fields with new properties: `calculated_level`, `calculated_score`, `calculated_score_norm`, `static_level`, `static_score`, and `static_score_norm` to improve risk assessment capabilities.
- Updated documentation to reflect these changes across relevant ECS reference files.
@uri-weisman uri-weisman requested a review from a team as a code owner January 8, 2026 10:29
@github-actions
Copy link

github-actions bot commented Jan 8, 2026

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@github-actions
Copy link

github-actions bot commented Jan 8, 2026

Documentation changes preview: https://docs-v3-preview.elastic.dev/elastic/ecs/pull/2577/reference/

@uri-weisman uri-weisman marked this pull request as draft January 8, 2026 10:29
@github-actions
Copy link

github-actions bot commented Jan 8, 2026
edited
Loading

🔍 Preview links for changed docs

@uri-weisman
Restore host.target reusable section and regenerate artifacts
06c6f58 
- Restore the reusable section for host.target that enables host.target.* fields
- Regenerate all artifacts including documentation, CSV, YAML, and Elasticsearch templates
@uri-weisman uri-weisman changed the title Improve entity schema Extend entity schema with relationship and risk Jan 8, 2026
@uri-weisman uri-weisman marked this pull request as ready for review January 8, 2026 12:13
trisch-me
trisch-me reviewed Jan 8, 2026
View reviewed changes
schemas/entity.yml
short: A set of relationship attributes that can vary between entity types.
description: >
The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.
beta: This field is beta and subject to change.
Copy link
Contributor

@trisch-me trisch-me Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add examples?

Copy link
Contributor

@trisch-me trisch-me Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how this field should be used for external user? It’s not clear what is inside. is it any object or there is some structure.

trisch-me
trisch-me reviewed Jan 8, 2026
View reviewed changes
schemas/risk.yml
expected:
- host
- user
- entity
Copy link
Contributor

@trisch-me trisch-me Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how this work if entity is of type of host? Will be there doubled information for risk?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@trisch-me trisch-me trisch-me left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@uri-weisman @trisch-me