elastic · uri-weisman · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
@@ -25,6 +25,7 @@ The entity fields provide a standardized way to represent and categorize differe
 | $$$field-entity-name$$$ [entity.name](#field-entity-name) | _This field is beta and subject to change._ The name of the entity. The keyword field enables exact matches for filtering and aggregations, while the text field enables full-text search. For entities with dedicated field sets (e.g., `host`), this field should mirrors the corresponding *.name value.<br><br>type: keyword<br><br>Multi-fields:<br><br>* entity.name.text (type: match_only_text) | core |
 | $$$field-entity-raw$$$ [entity.raw](#field-entity-raw) | _This field is beta and subject to change._ Original, unmodified fields from the source system. Usually flattened field data type. While the attributes field should be used for normalized fields requiring advanced queries, this field preserves all source metadata with basic search capabilities.<br><br>type: object | extended |
 | $$$field-entity-reference$$$ [entity.reference](#field-entity-reference) | _This field is beta and subject to change._ A URI, URL, or other direct reference to access or locate the entity in its source system. This could be an API endpoint, web console URL, or other addressable location. Format may vary by entity type and source system.<br><br>type: keyword | extended |
+| $$$field-entity-relationship$$$ [entity.relationship](#field-entity-relationship) | _This field is beta and subject to change._ The structure and content of this field set may differ depending on the entity type. Use this field set when you need to track relationship characteristics of an entity for advanced searching and correlation of normalized values across different providers/sources and entity types.<br><br>type: object | extended |
 | $$$field-entity-source$$$ [entity.source](#field-entity-source) | _This field is beta and subject to change._ The module or integration that provided this entity data (similar to event.module).<br><br>type: keyword | core |
 | $$$field-entity-sub-type$$$ [entity.sub_type](#field-entity-sub-type) | _This field is beta and subject to change._ The specific type designation for the entity as defined by its provider or system. This field provides more granular classification than the type field. Examples: `aws_s3_bucket`, `gcp_cloud_storage_bucket`, `azure_blob_container` would all map to entity type `bucket`.  `hardware` , `virtual` , `container` , `node` , `cloud_instance` would all map to entity type `host`.<br><br>type: keyword<br><br>example: `aws_s3_bucket` | extended |
 | $$$field-entity-type$$$ [entity.type](#field-entity-type) | _This field is beta and subject to change._ A standardized high-level classification of the entity. This provides a normalized way to group similar entities across different providers or systems. Example values: `bucket`, `database`, `container`, `function`, `queue`, `host`, `user`, `application`, `session`, `cloud`, `orchestrator`, etc. If an entity is nested under a top-level namespace like `host` or `cloud`, or similar, its type array should include the matching value — for example, `host` or `cloud`.<br><br>type: keyword<br><br>Note: This field should contain an array of values.<br><br>**Important:** The field value must be one of the following:<br><br>bucket, database, container, function, queue, host, user, application, service, session, cloud, orchestrator<br><br>To learn more about when to use which value, visit the page [allowed values for entity.type](/reference/ecs-allowed-values-entity-type.md)<br> | core |
@@ -47,4 +48,5 @@ Note also that the `entity` fields may be used directly at the root of the event
 
 | Location | Field Set | Description |
 | --- | --- | --- |
+| `entity.risk.*` | [risk](/reference/ecs-risk.md) | Fields for describing risk score and level. |
 | `entity.target.*` | [entity](/reference/ecs-entity.md) | Targeted entity of action taken. |
@@ -47,7 +47,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | ELF Header | [38](/reference/ecs-elf.md) | · | · | · | · | · | · | · | · |
 | Email | [19](/reference/ecs-email.md) | · | · | · | · | · | · | · | · |
 | End User | · | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/enduser) | · | · | · | · | · | · |  |
-| Entity | [13](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · |
+| Entity | [14](/reference/ecs-entity.md) | · | · | · | · | · | · | · | · |
 | Error | [5](/reference/ecs-error.md) | [2](https://opentelemetry.io/docs/specs/semconv/attributes-registry/error) | 1 | 2 | · | · | · | · | · |
 | Event | [26](/reference/ecs-event.md) | · | · | · | · | · | · | · | · |
 | Exception | · | [3](https://opentelemetry.io/docs/specs/semconv/attributes-registry/exception) | · | · | · | · | · | · |  |

@@ -30,6 +30,7 @@ These fields are in beta and are subject to change.
 
 The `risk` fields are expected to be nested at:
 
+* `entity.risk`
 * `host.risk`
 * `user.risk`
 

@@ -600,6 +600,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: entity.source
       level: core
       type: keyword
@@ -765,6 +773,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: origin.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: origin.entity.source
       level: core
       type: keyword
@@ -1019,6 +1035,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: target.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: target.entity.source
       level: core
       type: keyword
@@ -2537,6 +2561,60 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
+    - name: risk.calculated_level
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A risk classification level calculated by an internal system as
+        part of entity analytics and entity risk scoring.
+      example: High
+      default_field: false
+    - name: risk.calculated_score
+      level: extended
+      type: float
+      description: A risk classification score calculated by an internal system as
+        part of entity analytics and entity risk scoring.
+      example: 880.73
+      default_field: false
+    - name: risk.calculated_score_norm
+      level: extended
+      type: float
+      description: A risk classification score calculated by an internal system as
+        part of entity analytics and entity risk scoring, and normalized to a range
+        of 0 to 100.
+      example: 88.73
+      default_field: false
+    - name: risk.static_level
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A risk classification level obtained from outside the system, such
+        as from some external Threat Intelligence Platform.
+      example: High
+      default_field: false
+    - name: risk.static_score
+      level: extended
+      type: float
+      description: A risk classification score obtained from outside the system, such
+        as from some external Threat Intelligence Platform.
+      example: 830.0
+      default_field: false
+    - name: risk.static_score_norm
+      level: extended
+      type: float
+      description: A risk classification score obtained from outside the system, such
+        as from some external Threat Intelligence Platform, and normalized to a range
+        of 0 to 100.
+      example: 83.0
+      default_field: false
     - name: source
       level: core
       type: keyword
@@ -2645,6 +2723,60 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: target.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
+    - name: target.risk.calculated_level
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A risk classification level calculated by an internal system as
+        part of entity analytics and entity risk scoring.
+      example: High
+      default_field: false
+    - name: target.risk.calculated_score
+      level: extended
+      type: float
+      description: A risk classification score calculated by an internal system as
+        part of entity analytics and entity risk scoring.
+      example: 880.73
+      default_field: false
+    - name: target.risk.calculated_score_norm
+      level: extended
+      type: float
+      description: A risk classification score calculated by an internal system as
+        part of entity analytics and entity risk scoring, and normalized to a range
+        of 0 to 100.
+      example: 88.73
+      default_field: false
+    - name: target.risk.static_level
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A risk classification level obtained from outside the system, such
+        as from some external Threat Intelligence Platform.
+      example: High
+      default_field: false
+    - name: target.risk.static_score
+      level: extended
+      type: float
+      description: A risk classification score obtained from outside the system, such
+        as from some external Threat Intelligence Platform.
+      example: 830.0
+      default_field: false
+    - name: target.risk.static_score_norm
+      level: extended
+      type: float
+      description: A risk classification score obtained from outside the system, such
+        as from some external Threat Intelligence Platform, and normalized to a range
+        of 0 to 100.
+      example: 83.0
+      default_field: false
     - name: target.source
       level: core
       type: keyword
@@ -4510,6 +4642,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: entity.source
       level: core
       type: keyword
@@ -4935,6 +5075,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: target.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: target.entity.source
       level: core
       type: keyword
@@ -6146,6 +6294,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: entity.source
       level: core
       type: keyword
@@ -10097,6 +10253,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: entity.source
       level: core
       type: keyword
@@ -10330,6 +10494,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: origin.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: origin.entity.source
       level: core
       type: keyword
@@ -10600,6 +10772,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: target.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: target.entity.source
       level: core
       type: keyword
@@ -15287,6 +15467,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: changes.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: changes.entity.source
       level: core
       type: keyword
@@ -15539,6 +15727,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: effective.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: effective.entity.source
       level: core
       type: keyword
@@ -15775,6 +15971,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: entity.source
       level: core
       type: keyword
@@ -16015,6 +16219,14 @@
         in its source system. This could be an API endpoint, web console URL, or other
         addressable location. Format may vary by entity type and source system.
       default_field: false
+    - name: target.entity.relationship
+      level: extended
+      type: object
+      description: The structure and content of this field set may differ depending
+        on the entity type. Use this field set when you need to track relationship
+        characteristics of an entity for advanced searching and correlation of normalized
+        values across different providers/sources and entity types.
+      default_field: false
     - name: target.entity.source
       level: core
       type: keyword