User Fields


The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

User Field Details

Each entry lists the field, its description, its Elasticsearch type, any multi-fields, an example value, the related OpenTelemetry (OTel) attribute where one exists, and the ECS level (core or extended).

user.domain
  Description: Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
  Type: keyword
  Level: extended

user.email
  Description: User email address.
  Type: keyword
  OTel relation: user.email
  Level: extended

user.full_name
  Description: User's full name, if available.
  Type: keyword
  Multi-fields: user.full_name.text (type: match_only_text)
  Example: Albert Einstein
  OTel relation: user.full_name
  Level: extended

user.hash
  Description: Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.
  Type: keyword
  OTel relation: user.hash
  Level: extended

user.id
  Description: Unique identifier of the user.
  Type: keyword
  Example: S-1-5-21-202424912787-2692429404-2351956786-1000
  OTel relation: user.id
  Level: core

user.name
  Description: Short name or login of the user.
  Type: keyword
  Multi-fields: user.name.text (type: match_only_text)
  Example: a.einstein
  OTel relation: user.name
  Level: core

user.roles
  Description: Array of user roles at the time of the event.
  Type: keyword
  Note: this field should contain an array of values.
  Example: ["kibana_admin", "reporting_user"]
  OTel relation: user.roles
  Level: extended

Field Reuse


The user fields are expected to be nested at:

  • client.user
  • destination.user
  • process.attested_user
  • process.real_user
  • process.saved_user
  • process.user
  • server.user
  • source.user
  • user.changes
  • user.effective
  • user.target

Note also that the user fields may be used directly at the root of the events.

Field sets that can be nested under User

Location          Field set   Description
user.changes.*    user        Captures changes made to a user.
user.effective.*  user        User whose privileges were assumed.
user.group.*      group       User's group relevant to the event.
user.risk.*       risk        Fields for describing risk score and level.
user.target.*     user        Targeted user of action taken.
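The following is an added example, not part of the ECS documentation or the ECS project's own code. It maps a constructed audit record (an admin resetting another account's password while running with assumed privileges) into the user fields described above, placing the actor at the root, the assumed identity in user.effective and the affected account in user.target; it fills user.hash with a keyed HMAC so events can be correlated without carrying user.id or user.name in clear, keeps user.roles as an array, and then checks the document against the Field Reuse list (user fields only at the expected nesting locations, array-typed fields carrying arrays). The input record, the field names actor_login, actor_sid, run_as and target_login, and the hashing key are all assumptions for illustration.

```python
"""Added example (not ECS project code): build and sanity-check ECS user fields."""
import hashlib
import hmac
import json

# Constructed input: a simplified audit record, not a real log line.
RAW_EVENT = {
    "actor_login": "a.einstein",
    "actor_sid": "S-1-5-21-202424912787-2692429404-2351956786-1000",
    "actor_domain": "CORP",
    "actor_roles": ["kibana_admin", "reporting_user"],
    "run_as": "administrator",  # privileges assumed for the action -> user.effective
    "target_login": "n.bohr",
    "target_sid": "S-1-5-21-202424912787-2692429404-2351956786-1105",
}

# Assumed pseudonymisation key; in practice load it from a secret store, never hard-code it.
HASH_KEY = b"example-pseudonymisation-key"

# Nesting locations from the page's Field Reuse list (plus the root "user" itself).
USER_NESTING_LOCATIONS = {
    "client.user", "destination.user", "process.attested_user", "process.real_user",
    "process.saved_user", "process.user", "server.user", "source.user",
    "user.changes", "user.effective", "user.target",
}


def user_hash(identifier: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash for user.hash: correlates a user across events without exposing
    user.id/user.name. An unkeyed SHA-256 of a login or SID is reversible by
    dictionary, which is why the key matters."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def to_ecs(raw: dict) -> dict:
    """Map the constructed record to ECS: actor at the root, assumed privileges in
    user.effective, affected account in user.target."""
    return {
        "event": {"action": "password-reset", "category": ["iam"], "type": ["user", "change"]},
        "user": {
            "name": raw["actor_login"],
            "id": raw["actor_sid"],
            "domain": raw["actor_domain"],
            "roles": list(raw["actor_roles"]),  # user.roles is always an array
            "hash": user_hash(raw["actor_sid"]),
            "effective": {"name": raw["run_as"]},
            "target": {
                "name": raw["target_login"],
                "id": raw["target_sid"],
                "hash": user_hash(raw["target_sid"]),
            },
        },
    }


def flatten(doc: dict, prefix: str = "") -> dict:
    """Dotted-path view of a nested document, e.g. {"user.target.name": "n.bohr"}.
    Lists are treated as leaf values."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def check_user_fields(doc: dict) -> list:
    """Return problems: user fields nested where ECS does not expect them, or
    user.roles carrying a scalar instead of an array."""
    problems = []
    for path, value in flatten(doc).items():
        parent, _, leaf = path.rpartition(".")
        is_user_set = parent == "user" or parent in USER_NESTING_LOCATIONS
        # e.g. "host.user" looks like a user field set but is not an expected location
        looks_like_user = parent.rsplit(".", 1)[-1].endswith("user")
        if not (is_user_set or looks_like_user):
            continue  # not a user field set (event.*, user.group.*, user.risk.*, ...)
        if not is_user_set:
            problems.append(f"{path}: user fields are not expected under {parent}")
        if leaf == "roles" and not isinstance(value, list):
            problems.append(f"{path}: must be an array, got {type(value).__name__}")
    return problems


if __name__ == "__main__":
    ecs_doc = to_ecs(RAW_EVENT)
    print(json.dumps(ecs_doc, indent=2))
    print("problems:", check_user_fields(ecs_doc))
```

Running the block prints the ECS document and an empty problem list; feeding check_user_fields a document with a user set under an unlisted parent such as host.user, or with user.roles set to a plain string, reports each of those as a problem.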

User Field Usage


For usage and examples of the user fields, please see the User Fields Usage and Examples section.