diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d87b265fb..2f0c30a362 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,8 @@ All notable changes to this project will be documented in this file based on the
* Add `host.name` field and clarify usage of `host.hostname`.
* Add `event.start` and `event.end` date fields.
* Create new `related` field set with `related.ip`. #206
-* Add `user.groups` field. #204
+* Add `user.group` field. #204
+* Create new `group` field set with `group.id` and `group.name`. #203
### Improvements
* Improve and clarify the definition of Device fields #192
diff --git a/README.md b/README.md
index d27ee8d8aa..fe1d1a1fb5 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ ECS defines these fields.
* [Event fields](#event)
* [File fields](#file)
* [Geo fields](#geo)
+ * [Group fields](#group)
* [Host fields](#host)
* [Log fields](#log)
* [Network fields](#network)
@@ -250,6 +251,17 @@ Note also that the `geo` fields are not expected to be used directly at the top
| geo.city_name | City name. | core | keyword | `Montreal` |
+## Group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+| Field | Description | Level | Type | Example |
+|---|---|---|---|---|
+| group.id | Unique identifier for the group on the system/platform. | extended | keyword | |
+| group.name | Name of the group. | extended | keyword | |
+
+
## Host fields
Host fields provide information related to a host. A host can be a physical machine, a virtual machine, or a Docker container.
diff --git a/fields.yml b/fields.yml
index fe8620a8b5..4761bb62a3 100644
--- a/fields.yml
+++ b/fields.yml
@@ -659,6 +659,27 @@
City name.
example: Montreal
+ - name: group
+ title: Group
+ group: 2
+ description: >
+ The group fields are meant to represent groups that are relevant to the
+ event.
+ type: group
+ fields:
+
+ - name: id
+ level: extended
+ type: keyword
+ description: >
+ Unique identifier for the group on the system/platform.
+
+ - name: name
+ level: extended
+ type: keyword
+ description: >
+ Name of the group.
+
- name: host
title: Host
group: 2
diff --git a/schema.csv b/schema.csv
index 38fa454b3b..4af0ef90c9 100644
--- a/schema.csv
+++ b/schema.csv
@@ -70,6 +70,8 @@ geo.continent_name,keyword,core,North America
geo.country_iso_code,keyword,core,CA
geo.location,geo_point,core,"{ ""lon"": -73.614830, ""lat"": 45.505918 }"
geo.region_name,keyword,core,Quebec
+group.id,keyword,extended,
+group.name,keyword,extended,
host.architecture,keyword,core,x86_64
host.hostname,keyword,core,
host.id,keyword,core,
diff --git a/schemas/group.yml b/schemas/group.yml
new file mode 100644
index 0000000000..e0effddbd9
--- /dev/null
+++ b/schemas/group.yml
@@ -0,0 +1,21 @@
+---
+- name: group
+ title: Group
+ group: 2
+ description: >
+ The group fields are meant to represent groups that are relevant to the
+ event.
+ type: group
+ fields:
+
+ - name: id
+ level: extended
+ type: keyword
+ description: >
+ Unique identifier for the group on the system/platform.
+
+ - name: name
+ level: extended
+ type: keyword
+ description: >
+ Name of the group.
diff --git a/template.json b/template.json
index 0220be2138..e6a48277f4 100644
--- a/template.json
+++ b/template.json
@@ -334,6 +334,18 @@
}
}
},
+ "group": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
"host": {
"properties": {
"architecture": {