User Fields

The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

Find additional usage and examples in the user fields usage section.

User Field Details

Field Description Level

user.domain

Name of the directory the user is a member of.

For example, an LDAP or Active Directory domain name.

type: keyword

extended

user.email

User email address.

type: keyword

extended

user.full_name

User’s full name, if available.

type: keyword

Multi-fields:

* user.full_name.text (type: text)

example: Albert Einstein

extended

user.hash

Unique user hash to correlate information for a user in anonymized form.

Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

extended

user.id

Unique identifier of the user.

type: keyword

core

user.name

Short name or login of the user.

type: keyword

Multi-fields:

* user.name.text (type: text)

example: albert

core

user.roles

Array of user roles at the time of the event.

type: keyword

Note: this field should contain an array of values.

example: ["kibana_admin", "reporting_user"]

extended

Field Reuse

The user fields are expected to be nested at: client.user, destination.user, host.user, server.user, source.user, user.changes, user.effective, user.target.

Note also that the user fields may be used directly at the root of the events.
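
An added example (not part of the ECS documentation) of populating these fields for a role-change event: the acting user sits at the root user.*, the affected account is nested at user.target.*, and user.hash replaces user.id and user.name when they are confidential. The input record shape, the helper names, and the choice of HMAC-SHA-256 with a pipeline-held key for user.hash are assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo key; in practice a secret held only by the ingest pipeline.
PSEUDONYM_KEY = b"constructed-demo-key"

def user_hash(domain, user_id):
    """Keyed hash for user.hash: stable per user, so events still correlate,
    but not recomputable from a list of known logins without the key."""
    msg = f"{domain.lower()}\x00{user_id}".encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()

def ecs_user(raw, anonymize=False):
    """Map a raw account record (hypothetical shape) to ECS user fields."""
    ids = raw["ids"]
    user = {
        "domain": raw["domain"],
        "roles": list(raw.get("roles", [])),  # user.roles is always an array
    }
    if anonymize:
        # user.id and user.name are confidential here: emit user.hash instead.
        user["hash"] = user_hash(raw["domain"], ids[0])
    else:
        # One id stays a single value; several ids are sent as an array.
        user["id"] = ids[0] if len(ids) == 1 else list(ids)
        user["name"] = raw["login"]
    return user

def role_change_event(actor, target, anonymize=False):
    """Acting user at the root user.*, affected account under user.target.*"""
    user = ecs_user(actor, anonymize)
    user["target"] = ecs_user(target, anonymize)
    return {"user": user}

# Constructed sample records, not taken from any real system.
ACTOR = {"domain": "CORP", "ids": ["1001"], "login": "albert",
         "roles": ["kibana_admin", "reporting_user"]}
TARGET = {"domain": "CORP", "ids": ["2002", "ext-77"], "login": "marie",
          "roles": ["reporting_user"]}

if __name__ == "__main__":
    import json
    print(json.dumps(role_change_event(ACTOR, TARGET), indent=2))
    print(json.dumps(role_change_event(ACTOR, TARGET, anonymize=True), indent=2))
```

An unkeyed hash of a login can be reversed by hashing a list of candidate names, which is why the example keys the hash; changing the key breaks correlation with previously indexed events.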

Field sets that can be nested under User

Nested fields Description

user.changes.*

Fields to describe the user relevant to the event.

user.effective.*

Fields to describe the user relevant to the event.

user.group.*

User’s group relevant to the event.

user.target.*

Fields to describe the user relevant to the event.