Entity resolution
This feature requires the appropriate subscription in Elastic Stack or project feature tier in Serverless.
In enterprise environments, a single person or host often appears as multiple entity records across different identity providers — such as Okta or Active Directory — as well as local log sources. Without resolution, risk scores and alerts are fragmented across these duplicate records, making it difficult to assess the true risk of a real-world identity.
Entity resolution links multiple entity records that represent the same real-world identity into a resolution group, consolidates their risk scores into a single view, and reduces noise in the entities table by surfacing only the authoritative record. Resolution groups also receive a combined resolution group risk score that aggregates risk inputs from all members of the group.
Entity resolution can happen automatically or manually. Automated resolution matches user entities based on shared email addresses without any configuration. Manual resolution lets you explicitly link entity records using a CSV file or directly from the entity details flyout.
A resolution group consists of:
- Primary entity: The authoritative representation of the real-world identity. It receives aggregated risk scores that combine the risk from all linked records in the group. When an entity from an identity provider (Okta, Active Directory, or Entra ID) is linked with a local entity, the IDP entity is preferred as the primary entity.
- Alias entities: Records that point to the primary entity via a
resolved_tofield. In the Entities section of the Entity analytics page, alias entities appear nested under their primary entity when the table is grouped by Resolution (the default view).
Resolution group relationships are also visible as Resolved to connections in the entity details flyout's Graph View tab.
Entity resolution runs an automated process that matches user entities across identity providers based on shared email addresses. For example, if an Okta user and an Active Directory user share the same email address, they are automatically linked into a resolution group. Automated resolution does not override manual resolution.
Automated resolution currently matches on email addresses only. Automated resolution may produce false-positive links when non-IDP entities happen to share an email address with an IDP entity.
You can manually link entity records using a CSV bulk upload on the Entity Analytics management page, or by adding and removing entities directly from the entity details flyout.
You can bulk-link entity records to primary entities by importing a CSV file from the Entity Analytics management page.
Each row in the CSV uses identity fields to find matching entities and links them to a primary entity specified by its entity ID.
The CSV must include a header row with type and resolved_to columns. Additional columns are identity fields (for example, user.email, user.name) used as AND-combined filters to find matching entities.
| Column | Description |
|---|---|
type |
Entity type: user, host, or service |
resolved_to |
The entity.id of the primary entity |
| Additional columns | Identity fields used to match alias entities (for example, user.email, user.name, host.name) |
Supported file formats: CSV, TXT, TSV (maximum 1 MB)
Example:
type,user.email,user.name,resolved_to
user,emily@acme.com,,user:emily.chen@acme.com@okta
user,echen@azure.com,,user:emily.chen@acme.com@okta
user,,bob.smith,user:bob@acme.com@active_directory
- Find the Entity Analytics management page in the main menu or by using the global search field.
- Go to the Entity Resolution tab.
- Select or drag and drop your CSV file.
- Review the file validation results and fix any errors if needed.
- Confirm to apply the links.
Bulk unlinking is not available in the UI; use the API instead.
You can view, add to, and remove entities from a resolution group directly from the entity details flyout. The flyout's Resolution group tab shows all linked records and lets you search for entities to add, or remove individual aliases.