IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Common Schema (ECS) Reference [1.1] ECS Field Reference
« URL Fields User agent Fields »

User Fieldsedit

The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

User Field Detailsedit

Field Description Level

user.domain

Name of the directory the user is a member of.

For example, an LDAP or Active Directory domain name.

type: keyword

extended

user.email

User email address.

type: keyword

extended

user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

extended

user.hash

Unique user hash to correlate information for a user in anonymized form.

Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

extended

user.id

One or multiple unique identifiers of the user.

type: keyword

core

user.name

Short name or login of the user.

type: keyword

example: albert

core

Field Reuseedit

The user fields are expected to be nested at: client.user, destination.user, host.user, server.user, source.user.

Note also that the user fields may be used directly at the top level.

Field sets that can be nested under Useredit
Nested fields Description

user.group.*

User’s group relevant to the event.
« URL Fields User agent Fields »