Conversation

@mjwolf
Contributor

@mjwolf mjwolf commented Oct 22, 2025

1. What does this PR do?

Add entity to the top level namespace of which it's used in sub-types.

For example, we want user.target.entity fields to be present. user.entity itself is a user type, so entity must be reused on the user type.

This also removes custom generator code which was being used to work around the fact that this wasn't true before.

2. Which ECS fields are affected/introduced?

3. Why is this change necessary?

Fixes #2555

4. Have you added/updated documentation?

YES

5. Have you built ECS and committed any newly generated files?

YES

6. Have you run the ECS validation tests locally?

YES

7. Anything else for the reviewers?


Commit Message

Add entity to the top level namespace of which it's used in sub-types.

For example, we want user.target.entity fields to be present. user.entity itself is a user type, so entity must be reused on the user type.

This also removes custom generator code which was being used to work around the fact that this wasn't true before.

@github-actions

Documentation changes preview: https://docs-v3-preview.elastic.dev/elastic/ecs/pull/2556/reference/


@github-actions

github-actions bot commented Oct 22, 2025

## Field reuse [_field_reuse]

The `entity` fields are expected to be nested at:

Contributor


cloud.entity is missing

Contributor Author


Added

@mjwolf mjwolf marked this pull request as ready for review October 23, 2025 16:04
@mjwolf mjwolf requested a review from a team as a code owner October 23, 2025 16:04
@mjwolf mjwolf requested a review from trisch-me October 23, 2025 17:24
Contributor

@kgeller kgeller left a comment


Left a couple questions

@mjwolf mjwolf requested a review from kgeller October 23, 2025 19:01
9.3.0-dev,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider.
9.3.0-dev,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
9.3.0-dev,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name.
9.3.0-dev,true,cloud,cloud.target.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
Contributor


Looks like we are getting target duplicated in the output

cloud.target.target.entity.attributes

9.3.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
9.3.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
9.3.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
9.3.0-dev,true,user,user.target.entity.attributes,object,extended,,,A set of static or semi-static attributes of the entity.
Contributor


Looks like all the user.* entity related fields are removed?

Re-organize the finalizer to consider order first, and process
self-nested and foreign reuse by order level, rather than doing all
foreign reuse first, and then self-nested reuse second. This also
collects self-nested fields by order level, to enable the above.
@mjwolf
Contributor Author

mjwolf commented Oct 23, 2025

This is a summary of the changes I made in this PR now:

  • Removed entity as a top-level field
  • Added entity as a field on top-level objects:
    • cloud.entity.*
    • user.entity.*
    • service.entity.*
    • host.entity.*
    • orchestrator.entity.* (this is new. It's requested in the RFC but was missed before)
  • Added with self-nested objects:
    • cloud.origin.entity.*
    • cloud.target.entity.*
    • user.changes.entity.*
    • user.effective.entity.*
    • user.target.entity.*
    • service.origin.entity.*
    • service.target.entity.*
  • Reverted the changes I made to the generator scripts previously for entity, which enabled the incorrect reuse that was fixed with this
  • Modified finalizer.py, to consider order level first, and process foreign and self-nested reuse at the same time for each level. This was needed to allow both self-nested and foreign reuse to work with entity.

@nick-alayil, can you confirm if these changes are correct and what you want for entity? entity is added to some other objects as a consequence of being added to the top-level field (i.e. user.effective is a user type, and since entity is now a field on user, it's also added at user.effective.entity). It could be changed, if you don't want entity on these fields.
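The reuse mechanics this summary describes (entity placed on `user`/`cloud`, then carried into self-nested `user.target`/`cloud.target` and into foreign reuses such as `source.user`), as an added example that is not part of the PR or of the ECS generator: a constructed, simplified Python model of order-level reuse. The field sets, their order numbers and the per-level snapshot rule are assumptions made for the model, not the ECS finalizer's actual code.

```python
import copy

# Constructed, simplified model of ECS-style field reuse. It is NOT the ECS
# generator's finalizer; it only mirrors the idea the PR describes: nest field
# sets into one another one order level at a time, applying foreign reuse
# (entity -> user.entity) and self-nesting (user -> user.target) per level.
SCHEMAS = {
    "entity": {"fields": {"id": {}, "attributes": {}}, "top_level": False,
               "foreign": [("user", 1), ("cloud", 1)], "self": []},
    "user": {"fields": {"name": {}, "risk": {}},
             "foreign": [("source", 2)], "self": [("target", 2), ("effective", 2)]},
    "cloud": {"fields": {"provider": {}}, "foreign": [], "self": [("target", 2)]},
    "source": {"fields": {"ip": {}}, "foreign": [], "self": []},
}

def perform_reuse(schemas):
    """Return nested field trees after applying every reuse, level by level."""
    fields = {name: copy.deepcopy(s["fields"]) for name, s in schemas.items()}
    levels = sorted({o for s in schemas.values() for _, o in s["foreign"] + s["self"]})
    for level in levels:
        # Snapshot before this level mutates anything: a self-nesting must copy
        # the field set as it stood, never a sibling nesting made in the same
        # pass (that is how a doubled path such as cloud.target.target.* arises).
        # Anything nested into user at a LOWER level (entity at 1) is already in
        # the snapshot, so user.target at level 2 carries user.target.entity.*.
        snapshot = {name: copy.deepcopy(f) for name, f in fields.items()}
        for name, s in schemas.items():
            for at, order in s["foreign"]:
                if order == level:
                    fields[at][name] = copy.deepcopy(snapshot[name])
            for nest_as, order in s["self"]:
                if order == level:
                    fields[name][nest_as] = copy.deepcopy(snapshot[name])
    return fields

def flatten(fields, prefix=""):
    """Dotted leaf paths, like the flat field column of the CSV rows above."""
    out = []
    for key, sub in fields.items():
        path = prefix + key
        out.extend(flatten(sub, path + ".") if sub else [path])
    return sorted(out)

def flat_paths(schemas=SCHEMAS):
    """Flat paths with non-top-level field sets (entity) dropped at the root."""
    return [p for p in flatten(perform_reuse(schemas))
            if schemas[p.split(".")[0]].get("top_level", True)]
```

Running `flat_paths()` shows the cascade the comment above asks about: `user.effective.entity.*` and `source.user.entity.*` appear for the same reason `user.target.entity.*` does, and moving entity's reuse to order 2 (same level as the self-nesting) drops it from `user.target` again.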

@mjwolf mjwolf requested a review from kgeller October 23, 2025 22:50
@nick-alayil

> @nick-alayil, can you confirm if these changes are correct and what you want for entity?

Thanks @mjwolf for making these changes! From this ticket’s context, everything looks good. I was mainly aiming to get user.entity.* and service.entity.* added.

There are a few other fields missing from a Graph Viz perspective, but I think those should be handled separately from this PR:

  • host.target.entity.* needed for Graph Viz, but the host FieldSet doesn’t currently have a target nested under host.
  • generic.entity.* and generic.target.entity.* also needed for Graph Viz, though the generic FieldSet doesn’t exist yet. This would introduce a new root-level object and likely requires a separate discussion/PR.

> It could be changed, if you don't want entity on these fields

Not required (user.changes.entity.*, user.effective.entity.*) from the Graph Viz perspective. Similarly, *.origin.entity.* fields (like cloud.origin.entity.* and service.origin.entity.*) are also not needed.

Comment on lines +1873 to +1878
9.3.0-dev,true,user,user.changes.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
9.3.0-dev,true,user,user.changes.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
9.3.0-dev,true,user,user.changes.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
9.3.0-dev,true,user,user.changes.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
9.3.0-dev,true,user,user.changes.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
9.3.0-dev,true,user,user.changes.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
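Review bot: these rows add `user.changes.risk.*` (and the next region adds `user.effective.risk.*`), but the PR description and commit message only talk about `entity`, so a reader cannot tell from the description whether these risk rows are intended; add a sentence to the description stating that the finalizer reordering also surfaces `risk` on the self-nested `user` objects (`user.changes`, `user.effective`, `user.target`), so the scope of the generated-file changes matches what the description claims.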
Contributor


did we mean for user.changes.risk.* to be added?

Comment on lines +1907 to +1912
9.3.0-dev,true,user,user.effective.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
9.3.0-dev,true,user,user.effective.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
9.3.0-dev,true,user,user.effective.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
9.3.0-dev,true,user,user.effective.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
9.3.0-dev,true,user,user.effective.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
9.3.0-dev,true,user,user.effective.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
Contributor


same with user.effective.risk.*?

9.3.0-dev+exp,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.3.0-dev+exp,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user.
9.3.0-dev+exp,true,user,user.target.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
9.3.0-dev+exp,true,user,user.target.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
Contributor Author


These new risk fields should have existed previously. risk is a field in the user type, and since user.target is a user type, user.target.risk should have existed. This is fixed by the change to finalizer ordering that fixed entity fields in the same situation.

@mjwolf mjwolf merged commit 5db6546 into elastic:main Oct 24, 2025
7 checks passed
mjwolf added a commit to mjwolf/ecs that referenced this pull request Oct 24, 2025
…tic#2556)

mjwolf added a commit that referenced this pull request Oct 24, 2025
… (#2557)

Development

Successfully merging this pull request may close these issues.

Entity subdomain doesn’t exist in top level domains
