User Fields

The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

User Field Details

Each entry below gives the field name, its description, its type and its level.

user.domain
  Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.
  type: keyword
  level: extended

user.email
  User email address.
  type: keyword
  level: extended

user.full_name
  User’s full name, if available.
  type: keyword
  Multi-fields:
    • user.full_name.text (type: match_only_text)
  example: Albert Einstein
  level: extended

user.hash
  Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.
  type: keyword
  level: extended

user.id
  Unique identifier of the user.
  type: keyword
  example: S-1-5-21-202424912787-2692429404-2351956786-1000
  level: core

user.name
  Short name or login of the user.
  type: keyword
  Multi-fields:
    • user.name.text (type: match_only_text)
  example: a.einstein
  level: core

user.roles
  Array of user roles at the time of the event.
  type: keyword
  Note: this field should contain an array of values.
  example: ["kibana_admin", "reporting_user"]
  level: extended

Field Reuse

The user fields are expected to be nested at:

  • client.user
  • destination.user
  • process.attested_user
  • process.real_user
  • process.saved_user
  • process.user
  • server.user
  • source.user
  • user.changes
  • user.effective
  • user.target

Note also that the user fields may be used directly at the root of the events.
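The following is an added example, not part of the original page or of the schema project itself. It shows how the user field set is populated at the root and at two of the reuse locations listed above (user.effective for a privilege-assumption event, user.target and user.changes for an account modification), keeps user.roles as an array as the field description requires, derives user.hash from user.name so that events correlate without exposing the login, and runs a check that rejects a user object nested at a location the list does not name. The sample records, the HMAC key, the choice of keyed HMAC-SHA256 for user.hash and the convention of putting the new values under user.changes are all this example's assumptions.

```python
import hashlib
import hmac
import json

# Locations at which the user field set may be nested, as listed in the
# Field Reuse section. The user fields may also sit at the event root.
USER_REUSE_LOCATIONS = {
    "client.user", "destination.user", "process.attested_user",
    "process.real_user", "process.saved_user", "process.user",
    "server.user", "source.user", "user.changes", "user.effective",
    "user.target",
}

# Fields the page says should carry an array of values.
ARRAY_FIELDS = {"roles"}

# Constructed key for this example only; a real pipeline would load a secret
# from a key store so user.hash cannot be reversed by hashing guessed logins.
KEY = b"example-hmac-key-constructed-for-this-snippet"


def pseudonymize(name: str, key: bytes) -> str:
    """Derive user.hash from user.name with keyed HMAC-SHA256 (this example's
    choice; the page only says user.hash is a unique anonymized hash). The same
    user correlates across events while the login is not recoverable."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def sudo_to_ecs(record: dict, key: bytes) -> dict:
    """Map a constructed privilege-escalation record to the user field set:
    invoking account at the root, the account whose privileges were assumed
    under user.effective."""
    return {
        "user": {
            "name": record["invoking_user"],
            "id": str(record["invoking_uid"]),
            "domain": record["domain"],
            "roles": list(record["roles"]),  # always an array, per user.roles
            "hash": pseudonymize(record["invoking_user"], key),
            "effective": {
                "name": record["target_user"],
                "id": str(record["target_uid"]),
            },
        }
    }


def account_change_to_ecs(record: dict) -> dict:
    """Map a constructed account-modification record: actor at the root, the
    modified account under user.target, the new attribute values under
    user.changes (new rather than old values is this example's convention)."""
    return {
        "user": {
            "name": record["actor"],
            "id": str(record["actor_uid"]),
            "target": {"name": record["account"], "id": str(record["account_uid"])},
            "changes": {"roles": list(record["new_roles"])},
        }
    }


def flatten(obj: dict, prefix: str = "") -> dict:
    """Turn a nested event into {"dotted.path": leaf_value}."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def validate(event: dict) -> list:
    """Report user objects nested outside the root or a listed reuse
    location, and any roles field that is not an array."""
    problems = []
    for path, value in flatten(event).items():
        parent, _, leaf = path.rpartition(".")
        at_user = parent == "user" or parent in USER_REUSE_LOCATIONS
        if parent.endswith("user") and not at_user:
            msg = f"user fields at unexpected location: {parent}"
            if msg not in problems:
                problems.append(msg)
        if at_user and leaf in ARRAY_FIELDS and not isinstance(value, list):
            problems.append(f"{path} must be an array")
    return problems


# Constructed records standing in for parsed sudo and account-change log lines.
SUDO_RECORD = {
    "invoking_user": "a.einstein", "invoking_uid": 1000, "domain": "EXAMPLE",
    "roles": ["wheel"], "target_user": "root", "target_uid": 0,
}
CHANGE_RECORD = {
    "actor": "admin", "actor_uid": 1001,
    "account": "a.einstein", "account_uid": 1000, "new_roles": ["wheel", "docker"],
}

if __name__ == "__main__":
    for event in (sudo_to_ecs(SUDO_RECORD, KEY), account_change_to_ecs(CHANGE_RECORD)):
        print(json.dumps(event, indent=2))
        print("problems:", validate(event))
```

The validator flags, for instance, a user object placed under host.user, which is not one of the listed reuse locations, and a user.roles value given as a single string instead of an array.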

Field sets that can be nested under User

Each entry gives the location, the field set nested there, and its description.

  • user.changes.* (field set: user): Captures changes made to a user.
  • user.effective.* (field set: user): User whose privileges were assumed.
  • user.group.* (field set: group): User’s group relevant to the event.
  • user.risk.* (field set: risk): Fields for describing risk score and level.
  • user.target.* (field set: user): Targeted user of action taken.

User Field Usage

For usage and examples of the user fields, please see the User Fields Usage and Examples section.