User Fields
editUser Fields
editThe user fields describe information about the user that is relevant to the event.
Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
User Field Details
edit| Field | Description | Level |
|---|---|---|
|
Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. type: keyword |
extended |
|
|
User email address. type: keyword |
extended |
|
|
User’s full name, if available. type: keyword Multi-fields:
example: |
extended |
|
|
Unique user hash to correlate information for a user in anonymized form. Useful if type: keyword |
extended |
|
|
Unique identifier of the user. type: keyword example: |
core |
|
|
Short name or login of the user. type: keyword Multi-fields:
example: |
core |
|
|
Array of user roles at the time of the event. type: keyword Note: this field should contain an array of values. example: |
extended |
Field Reuse
editThe user fields are expected to be nested at:
-
client.user -
destination.user -
process.attested_user -
process.real_user -
process.saved_user -
process.user -
server.user -
source.user -
user.changes -
user.effective -
user.target
Note also that the user fields may be used directly at the root of the events.
Field sets that can be nested under User
edit| Location | Field Set | Description |
|---|---|---|
|
Captures changes made to a user. |
|
|
User whose privileges were assumed. |
|
|
User’s group relevant to the event. |
|
|
Fields for describing risk score and level. |
|
|
Targeted user of action taken. |
User Field Usage
editFor usage and examples of the user fields, please see the User Fields Usage and Examples section.