diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 31273d8c4b..a9555fcd99 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -9060,6 +9060,25 @@ A concrete example is IP addresses, which can be under host, observer, source, d // =============================================================== +| +[[field-related-entity]] +<> + +a| All the entity identifiers related to the document. If the document contains multiple entities, identifiers belonging to different entities will be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, or hostnames. + +type: keyword + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + | [[field-related-hash]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bc95a6db22..eb9742fe0d 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -7864,6 +7864,15 @@ type: group default_field: true fields: + - name: entity + level: extended + type: keyword + ignore_above: 1024 + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + default_field: false - name: hash level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 292ac5f917..b1c3d350b2 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -1016,6 +1016,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 8.12.0-dev+exp,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 8.12.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev+exp,true,related,related.entity,keyword,extended,array,,All the entity identifiers 8.12.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 8.12.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 8.12.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 02b972886f..ff20ac0186 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -12796,6 +12796,20 @@ registry.value: normalize: [] short: Name of the value written. type: keyword +related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will be + present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then using diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f600ab293a..ede3b3a049 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -15226,6 +15226,20 @@ related: `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.' fields: + related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then diff --git a/experimental/generated/elasticsearch/composable/component/related.json b/experimental/generated/elasticsearch/composable/component/related.json index 529fa9a356..2430ad0b2c 100644 --- a/experimental/generated/elasticsearch/composable/component/related.json +++ b/experimental/generated/elasticsearch/composable/component/related.json @@ -8,6 +8,10 @@ "properties": { "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 18386e190c..b9a9e56043 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4644,6 +4644,10 @@ }, "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fa0007884b..45cc569555 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -7814,6 +7814,15 @@ type: group default_field: true fields: + - name: entity + level: extended + type: keyword + ignore_above: 1024 + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + default_field: false - name: hash level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c31a8de31c..8674a5fa19 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1009,6 +1009,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 8.12.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 8.12.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.12.0-dev,true,related,related.entity,keyword,extended,array,,All the entity identifiers 8.12.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 8.12.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 8.12.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2022bddaf4..1b14191487 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -12727,6 +12727,20 @@ registry.value: normalize: [] short: Name of the value written. type: keyword +related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will be + present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then using diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8057eeed15..be1c4cebde 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -15146,6 +15146,20 @@ related: `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`.' fields: + related.entity: + dashed_name: related-entity + description: All the entity identifiers related to the document. If the document + contains multiple entities, identifiers belonging to different entities will + be present. Example identifiers include Cloud Resource Ids, ARNs, email addresses, + or hostnames. + flat_name: related.entity + ignore_above: 1024 + level: extended + name: entity + normalize: + - array + short: All the entity identifiers + type: keyword related.hash: dashed_name: related-hash description: All the hashes seen on your event. Populating this field, then diff --git a/generated/elasticsearch/composable/component/related.json b/generated/elasticsearch/composable/component/related.json index cac093b662..5dc640a08f 100644 --- a/generated/elasticsearch/composable/component/related.json +++ b/generated/elasticsearch/composable/component/related.json @@ -8,6 +8,10 @@ "properties": { "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a6b67033e2..db3a79d72f 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -4602,6 +4602,10 @@ }, "related": { "properties": { + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, "hash": { "ignore_above": 1024, "type": "keyword"