User Fields
editUser Fields
editThe user fields describe information about the user that is relevant to the event.
Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
User Field Details
editField | Description | Level |
---|---|---|
Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. type: keyword |
extended |
|
User email address. type: keyword |
extended |
|
User’s full name, if available. type: keyword Multi-fields:
example: |
extended |
|
Unique user hash to correlate information for a user in anonymized form. Useful if type: keyword |
extended |
|
Unique identifier of the user. type: keyword example: |
core |
|
Short name or login of the user. type: keyword Multi-fields:
example: |
core |
|
Array of user roles at the time of the event. type: keyword Note: this field should contain an array of values. example: |
extended |
Field Reuse
editThe user
fields are expected to be nested at:
-
client.user
-
destination.user
-
process.attested_user
-
process.real_user
-
process.saved_user
-
process.user
-
server.user
-
source.user
-
user.changes
-
user.effective
-
user.target
Note also that the user
fields may be used directly at the root of the events.
Field sets that can be nested under User
editLocation | Field Set | Description |
---|---|---|
|
Captures changes made to a user. |
|
|
User whose privileges were assumed. |
|
|
User’s group relevant to the event. |
|
|
Fields for describing risk score and level. |
|
|
Targeted user of action taken. |
User Field Usage
editFor usage and examples of the user fields, please see the User Fields Usage and Examples section.