Added related.user field (#694)

Author: janniten

CHANGELOG.next.md

@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->
 * Added `rule` fields. #665
 * Added default `text` analyzer as a multi-field to around 25 more fields. #680
 * Added `registry.*` fieldset for the Windows registry. #673
+* Added `related.user` #694
 
 #### Improvements
 

code/go/ecs/related.go

@@ -3641,6 +3641,17 @@ type: ip
 
 
 
+| extended
+
+// ===============================================================
+
+| related.user
+| All the user names seen on your event.
+
+type: keyword
+
+
+
 | extended
 
 // ===============================================================

docs/field-details.asciidoc

@@ -2657,6 +2657,11 @@
       level: extended
       type: ip
       description: All of the IPs seen on your event.
+    - name: user
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All the user names seen on your event.
   - name: rule
     title: Rule
     group: 2

generated/beats/fields.ecs.yml

@@ -350,6 +350,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.4.0-dev,true,registry,registry.path,keyword,core,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.4.0-dev,true,registry,registry.value,keyword,core,Debugger,Name of the value written.
 1.4.0-dev,true,related,related.ip,ip,extended,,All of the IPs seen on your event.
+1.4.0-dev,true,related,related.user,keyword,extended,,All the user names seen on your event.
 1.4.0-dev,true,rule,rule.category,keyword,extended,Attempted Information Leak,Rule category
 1.4.0-dev,true,rule,rule.description,keyword,extended,Block requests to public DNS over HTTPS / TLS protocols,Rule description
 1.4.0-dev,true,rule,rule.id,keyword,extended,101,Rule ID

generated/csv/fields.csv

@@ -4142,6 +4142,16 @@ related.ip:
   order: 0
   short: All of the IPs seen on your event.
   type: ip
+related.user:
+  dashed_name: related-user
+  description: All the user names seen on your event.
+  flat_name: related.user
+  ignore_above: 1024
+  level: extended
+  name: user
+  order: 1
+  short: All the user names seen on your event.
+  type: keyword
 rule.category:
   dashed_name: rule-category
   description: A categorization value keyword used by the entity using the rule for

generated/ecs/ecs_flat.yml

@@ -4563,6 +4563,16 @@ related:
       order: 0
       short: All of the IPs seen on your event.
       type: ip
+    user:
+      dashed_name: related-user
+      description: All the user names seen on your event.
+      flat_name: related.user
+      ignore_above: 1024
+      level: extended
+      name: user
+      order: 1
+      short: All the user names seen on your event.
+      type: keyword
   group: 2
   name: related
   prefix: related.

generated/ecs/ecs_nested.yml

@@ -1664,6 +1664,10 @@
           "properties": {
             "ip": {
               "type": "ip"
+            }, 
+            "user": {
+              "ignore_above": 1024, 
+              "type": "keyword"
             }
           }
         }, 

generated/elasticsearch/6/template.json

@@ -1663,6 +1663,10 @@
         "properties": {
           "ip": {
             "type": "ip"
+          }, 
+          "user": {
+            "ignore_above": 1024, 
+            "type": "keyword"
           }
         }
       }, 

generated/elasticsearch/7/template.json

@@ -22,3 +22,9 @@
       type: ip
       description: >
         All of the IPs seen on your event.
+
+    - name: user
+      level: extended
+      type: keyword
+      description: >
+        All the user names seen on your event.