Entity Reference fields
A reusable set of identifier fields used to reference other entities in relationship contexts. Each field holds a keyword array of identifiers following the same conventions as the corresponding ECS root field. Only the fields defined in this field set may appear; ad-hoc or integration-specific property names are not allowed.
Warning
This field set is alpha and subject to change.
| Field | Description | Level |
|---|---|---|
| entity_reference.entity.id | Identifiers of referenced entities, using the same meaning as root entity.id (stable id for correlation within scope). type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.host.id | Referenced host ids. type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.host.name | Referenced host names. type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.service.id | Referenced service ids. type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.service.name | Referenced service names. type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.user.domain | Referenced user directory or AD/LDAP domain names (same semantics as ECS user.domain). type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.user.email | Referenced user email addresses. type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.user.id | Referenced user ids. type: keyword. Note: This field should contain an array of values. | extended |
| entity_reference.user.name | Referenced user short names or logins. type: keyword. Note: This field should contain an array of values. | extended |
The entity_reference fields are expected to be nested at:
- entity.relationships.administers
- entity.relationships.depends_on
- entity.relationships.owns
- entity.relationships.supervises
Note also that the entity_reference fields are not expected to be used directly at the root of the events.
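
The rules above (allowed field names, keyword arrays, the four nesting locations, no use at the event root) expressed as a validator that an ingest pipeline test could run. This is an added example, not part of the ECS documentation or tooling; it assumes the field set's sub-paths (for example host.id) sit directly under each nesting path, and the sample events are constructed.

```python
# Added example: checks an event against the entity_reference rules on this page.
# Assumption: sub-paths such as host.id sit directly under each nesting path.
ALLOWED_FIELDS = {
    "entity.id", "host.id", "host.name", "service.id", "service.name",
    "user.domain", "user.email", "user.id", "user.name",
}
RELATIONSHIPS = {"administers", "depends_on", "owns", "supervises"}


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested dict."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def validate(event):
    """Return the list of rule violations found in one event document."""
    errors = []
    # Catches both nested and dotted-key forms at the root of the event.
    if any(k == "entity_reference" or k.startswith("entity_reference.") for k in event):
        errors.append("entity_reference: must not appear at the event root")
    rels = event.get("entity", {}).get("relationships", {})
    for rel, refs in rels.items():
        base = f"entity.relationships.{rel}"
        if rel not in RELATIONSHIPS or not isinstance(refs, dict):
            errors.append(f"{base}: not a documented nesting location")
            continue
        for path, value in flatten(refs):
            if path not in ALLOWED_FIELDS:
                errors.append(f"{base}.{path}: field not in entity_reference set")
            elif not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
                errors.append(f"{base}.{path}: expected array of keyword strings")
    return errors


# Constructed sample events (not taken from any real data source).
GOOD = {"entity": {"id": "svc-account-1", "relationships": {
    "administers": {"host": {"id": ["h-1", "h-2"]}, "user": {"name": ["alice"]}}}}}
BAD = {"entity_reference": {"host": {"id": ["h-1"]}},
       "entity": {"relationships": {
           "owns": {"host": {"id": "h-1", "ip": ["10.0.0.5"]}},
           "manages": {"user": {"id": ["u-1"]}}}}}

if __name__ == "__main__":
    print(validate(GOOD), *validate(BAD), sep="\n")
```
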