RFC: extend entity schema with additional attributes, lifecycle and relationships fields, and enable entity.risk reuse

[uri-weisman]

Summary

Propose a focused 9.4 extension to the ECS entity.* schema.

This follows the direction established in #2513 and consolidates with the ongoing discussion in #2577.

The proposal has two parts:

1. Add a small set of concrete entity.attributes.*, entity.lifecycle.*, and entity.relationships.* leaves.
2. Enable entity.risk.* field reuse so risk can be represented consistently for any entity type.

Proposed fields

New leaves

Field	Type	Description
entity.attributes.storage_class	keyword	The storage tier or class assigned to an object storage resource.
entity.attributes.mfa_enabled	boolean	Indicates whether multi-factor authentication is enabled for this entity.
entity.attributes.granted_permissions	keyword	The set of permissions explicitly granted to this entity. These are individual action-level permissions, not roles or groups — e.g., Read, Write, Delete, Execute, Reset_Password.
entity.attributes.known_redirect	keyword	A known redirect URI or URL associated with this entity, commonly for OAuth applications or services.
entity.attributes.managed	boolean	Indicates whether the entity is managed by an external administration or control system. Applies primarily to host entity.
entity.attributes.oauth_consent_restriction	keyword	Indicates any restriction applied to OAuth consent for this entity (e.g., admin_only, verified_only, unrestricted).
entity.lifecycle.last_activity	date	The timestamp of the most recent action performed by or attributed to this entity. Distinct from last_seen: this implies the entity was active, not just observed.
entity.relationships.owns	keyword	Captures asset ownership — e.g., a user owning a host, email address, Windows SID, or employee ID. We want the raw data on what each integration vendor provides, on the Entity store side we will figure out how we can relate it to our own entity ids.
entity.relationships.depends_on	keyword	Identifiers of entities that this entity depends on to function.
entity.relationships.supervises	keyword	Identifiers of entities that this entity supervises, manages, or is responsible for.
entity.relationships.administrators	keyword	The list of identities (usernames, emails, or IDs) that administer this entity.

Field reuse enabled

• entity.risk.*

This would allow ECS risk.* fields to be nested under entity, so risk information can be represented consistently for any entity type.

Why this change is needed

The current entity.* field set provides a normalized place to represent entities across sources, but several high-value normalized fields are still missing for common security and asset use cases.

These gaps show up in four areas:

• Static or semi-static attributes that analysts want to filter and correlate across providers.
• Explicit relationship leaves that are useful for graph enrichment, ownership, dependency mapping, and organizational context.
• Normalized risk scores that should apply consistently to any entity type, not just field sets that already have dedicated risk placement.

Open questions

• Should entity.relationships.administrators remain a multi-valued keyword list of identifiers, or should ECS eventually define a richer identity structure for administrator references?
• Should entity.attributes.known_redirect remain singular in name while allowing multiple values, or should ECS prefer a pluralized field name?
• Once entity.risk.* is enabled, should ECS explicitly recommend avoiding duplicate risk storage under entity-type-specific paths when the same score describes the normalized entity?

References

• #2513
• #2577

[uri-weisman]

As discussed in our meeting, I’m sharing this initial proposal so we can continue refining the field names and semantics.
@trisch-me @andrewkroh @chemamartinez @narph

[trisch-me]

for the future I would like to split things like defining new data fields and changing field reuse, they are different in nature and I don’t want discussions about one part to block other parts