forked from elastic/ecs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathuser.yml
121 lines (110 loc) · 3.57 KB
/
user.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: user
title: User
group: 2
short: Fields to describe the user relevant to the event.
description: >
The user fields describe information about the user that is relevant
to the event.
Fields can have one entry or multiple entries. If a
user has more than one id, provide an array that includes all of
them.
reusable:
top_level: true
expected:
- client
- destination
- server
- source
- at: user
as: target
short_override: Targeted user of action taken.
- at: user
as: effective
short_override: User whose privileges were assumed.
- at: user
as: changes
short_override: Captures changes made to a user.
- at: process
as: user
short_override: The effective user (euid).
- at: process
as: saved_user
short_override: The saved user (suid).
- at: process
as: real_user
short_override: The real user (ruid). Identifies the real owner of the process.
- at: process
as: attested_user
short_override: The externally attested user based on an external source such as the Kube API.
beta: Reusing the `user` fields in this location is currently considered beta.
type: group
fields:
- name: id
level: core
type: keyword
example: S-1-5-21-202424912787-2692429404-2351956786-1000
description: >
Unique identifier of the user.
- name: name
level: core
type: keyword
example: a.einstein
description: >
Short name or login of the user.
multi_fields:
- type: match_only_text
name: text
- name: full_name
level: extended
type: keyword
example: Albert Einstein
description: >
User's full name, if available.
multi_fields:
- type: match_only_text
name: text
- name: email
level: extended
type: keyword
description: >
User email address.
- name: hash
level: extended
type: keyword
short: Unique user hash to correlate information for a user in anonymized form.
description: >
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and
cannot be used.
- name: domain
level: extended
type: keyword
short: Name of the directory the user is a member of.
description: >
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
- name: roles
level: extended
type: keyword
normalize:
- array
description: >
Array of user roles at the time of the event.
example: '["kibana_admin", "reporting_user"]'