User Fields


The user fields describe information about the user that is relevant to the event.

A field can hold a single value or several. If a user has more than one id, provide an array that includes all of them.

User Field Details

Each entry below lists the field, its description, its type, any multi-fields, an example value, and its level (core or extended).

user.domain

Name of the directory the user is a member of.

For example, an LDAP or Active Directory domain name.

type: keyword

level: extended

user.email

User email address.

type: keyword

level: extended

user.full_name

User’s full name, if available.

type: keyword

Multi-fields:

* user.full_name.text (type: match_only_text)

example: Albert Einstein

level: extended

user.hash

Unique user hash to correlate information for a user in anonymized form.

Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

level: extended

user.id

Unique identifier of the user.

type: keyword

example: S-1-5-21-202424912787-2692429404-2351956786-1000

level: core

user.name

Short name or login of the user.

type: keyword

Multi-fields:

* user.name.text (type: match_only_text)

example: a.einstein

level: core

user.roles

Array of user roles at the time of the event.

type: keyword

Note: this field should contain an array of values.

example: ["kibana_admin", "reporting_user"]

level: extended
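The following is an added example, not code from the page or from the ECS project, showing how a producer might populate the fields above. It builds a user.* object, derives user.hash when user.id and user.name are confidential and cannot be emitted, and checks that the result matches the field definitions (keyword fields hold a string or an array of strings, user.roles is always an array). The keyed HMAC, the HASH_KEY secret, the helper names and the sample values are this example's assumptions: ECS only says user.hash must be a unique, anonymized correlation value; a keyed hash is chosen here so that short logins cannot be recovered from the hash by enumerating candidates.

```python
import hashlib
import hmac

# Constructed, deployment-specific secret used only to derive user.hash.
# Using a keyed HMAC is this example's choice, not something ECS prescribes:
# an unkeyed SHA-256 of a short login could be reversed by enumerating logins.
HASH_KEY = b"rotate-me-per-deployment"

# Leaf fields from this page. Keyword fields hold a string, or an array of
# strings when the user has several values (e.g. more than one id).
# user.roles is always an array.
KEYWORD_FIELDS = {"domain", "email", "full_name", "hash", "id", "name"}
ARRAY_FIELDS = {"roles"}
# Field sets that may be nested under user.*; they are not leaf fields and
# are validated on their own, so they are skipped here.
NESTED_SETS = {"changes", "effective", "target", "group"}


def user_hash(domain, name, key=HASH_KEY):
    """Stable, anonymized user.hash derived from directory name and login.

    Case is folded so that 'CORP\\A.Einstein' and 'corp\\a.einstein'
    correlate to the same hash across events.
    """
    material = (domain.lower() + "\\" + name.lower()).encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def build_user(name, domain, user_id=None, email=None, full_name=None,
               roles=(), anonymize=False):
    """Build the user.* object for an event.

    With anonymize=True only user.hash, user.domain and user.roles are kept,
    which is the situation the page describes: user.id / user.name are
    confidential and cannot be used.
    """
    user = {"hash": user_hash(domain, name), "domain": domain}
    if roles:
        user["roles"] = list(roles)
    if not anonymize:
        user["name"] = name
        if user_id is not None:
            # A single id stays a string; several ids become an array.
            user["id"] = (list(user_id) if isinstance(user_id, (list, tuple))
                          else user_id)
        if email is not None:
            user["email"] = email
        if full_name is not None:
            user["full_name"] = full_name
    return user


def validate_user(user):
    """Return a list of problems with a user object; an empty list means valid."""
    problems = []
    for key, value in user.items():
        if key in NESTED_SETS:
            continue
        if key in ARRAY_FIELDS:
            if not (isinstance(value, list)
                    and all(isinstance(v, str) for v in value)):
                problems.append(f"user.{key} must be an array of strings")
        elif key in KEYWORD_FIELDS:
            single = isinstance(value, str)
            multi = (isinstance(value, list) and len(value) > 0
                     and all(isinstance(v, str) for v in value))
            if not (single or multi):
                problems.append(
                    f"user.{key} must be a string or a non-empty array of strings")
        else:
            problems.append(f"user.{key} is not a user field listed on this page")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the SID is the example from the page.
    full = build_user("a.einstein", "CORP",
                      user_id="S-1-5-21-202424912787-2692429404-2351956786-1000",
                      full_name="Albert Einstein",
                      roles=["kibana_admin", "reporting_user"])
    anon = build_user("a.einstein", "CORP", roles=["kibana_admin"],
                      anonymize=True)
    print(full, validate_user(full))
    print(anon, validate_user(anon))
```

Because the hash is derived from the same key and the same case-folded domain and login, the anonymized and non-anonymized forms of one user carry the same user.hash, so events from both pipelines can still be correlated on it.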

Field Reuse


The user fields are expected to be nested at:

  • client.user
  • destination.user
  • server.user
  • source.user
  • user.changes
  • user.effective
  • user.target

Note also that the user fields may be used directly at the root of an event.
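As an added example (not code from the page or from the ECS project), the walker below finds every place a user field set occurs in a nested event document and reports any location that is not one of the seven listed above or the event root. The sample events are constructed for this example: a sudo invocation that records the logged-in user and the assumed privileges in user.effective, a role change that records the acting user at the root, the account acted on in user.target and the changed values in user.changes, a flow that carries a user on both endpoints, and a deliberately wrong event that puts user fields under host. Field names outside the user set (event.*, process.*, host.*) are illustrative; user.group.* is a separate field set and is not checked here.

```python
# Nesting locations listed on this page for the user field set. The field set
# may also sit at the root of the event ("user").
USER_NESTING = {
    "client.user", "destination.user", "server.user", "source.user",
    "user.changes", "user.effective", "user.target",
}
# Keys directly under a user object that hold another user field set.
USER_SUBSETS = ("changes", "effective", "target")


def user_set_paths(node, path=()):
    """Yield the dotted path of every user field set found in a nested event."""
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        here = path + (key,)
        at_user = key == "user"
        under_user = key in USER_SUBSETS and len(path) > 0 and path[-1] == "user"
        if at_user or under_user:
            yield ".".join(here)
        yield from user_set_paths(value, here)


def misplaced_user_sets(event):
    """Return user field-set locations that this page does not list."""
    allowed = USER_NESTING | {"user"}
    return sorted(p for p in user_set_paths(event) if p not in allowed)


# Constructed sample events (not from the original page).
# 1. Privilege assumption: the logged-in user runs a command as root.
SUDO_EVENT = {
    "event": {"category": ["process"], "type": ["start"]},
    "process": {"name": "sudo", "command_line": "sudo systemctl restart sshd"},
    "user": {
        "name": "a.einstein",
        "id": "1000",
        "effective": {"name": "root", "id": "0"},
    },
}

# 2. Account administration: an admin adds a role to another user's account.
ROLE_CHANGE_EVENT = {
    "event": {"category": ["iam"], "type": ["user", "change"],
              "action": "user-role-added"},
    "user": {
        "name": "admin",
        "roles": ["kibana_admin"],
        "target": {"name": "a.einstein", "domain": "CORP"},
        "changes": {"roles": ["reporting_user"]},
    },
}

# 3. Network flow where both endpoints carry a user.
FLOW_EVENT = {
    "source": {"ip": "10.0.0.5", "user": {"name": "a.einstein"}},
    "destination": {"ip": "10.0.0.9", "user": {"name": "svc-backup"}},
}

# 4. Wrong: user fields placed under host, which this page does not list.
BAD_EVENT = {"host": {"name": "ws01", "user": {"name": "a.einstein"}}}


if __name__ == "__main__":
    for label, event in [("sudo", SUDO_EVENT), ("role change", ROLE_CHANGE_EVENT),
                         ("flow", FLOW_EVENT), ("bad", BAD_EVENT)]:
        print(label, sorted(user_set_paths(event)), misplaced_user_sets(event))
```

Running the check in an ingest pipeline's test suite catches the common mistake of nesting user fields under an arbitrary parent, where they would not be picked up by queries and detections written against the documented locations.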

Field sets that can be nested under User
Each entry below gives the location, the field set nested there, and what it describes.

Location: user.changes.*
Field set: user
Description: Captures changes made to a user.

Location: user.effective.*
Field set: user
Description: User whose privileges were assumed.

Location: user.group.*
Field set: group
Description: User’s group relevant to the event.

Location: user.target.*
Field set: user
Description: Targeted user of action taken.

User Field Usage


For usage and examples of the user fields, please see the User Fields Usage and Examples section.