diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index a6b982ad00..e48966cc8f 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -18,12 +18,16 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added usage documentation for `user` fields. #1066
+* Added `user` fields at `user.effective.*`, `user.target.*` and `user.changes.*`. #1066
 * Added `os.type`. #1111
 
 #### Improvements
 
 #### Deprecated
 
+* Deprecated `host.user.*` fields for removal at the next major. #1066
+
 ### Tooling and Artifact Changes
 
 #### Breaking changes
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index ae14752657..c9988b460f 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -6458,6 +6458,10 @@ The user fields describe information about the user that is relevant to the even
 
 Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
 
+Find additional usage and examples in the user fields <<ecs-user-usage,usage>> section.
+
+
+
 [discrete]
 ==== User Field Details
 
@@ -6582,7 +6586,7 @@ example: `["kibana_admin", "reporting_user"]`
 [discrete]
 ==== Field Reuse
 
-The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`.
+The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`, `user.changes`, `user.effective`, `user.target`.
 
 Note also that the `user` fields may be used directly at the root of the events.
 
@@ -6600,14 +6604,39 @@ Note also that the `user` fields may be used directly at the root of the events.
 // ===============================================================
 
 
+| <<ecs-user,user.changes.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
+
+Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
+| <<ecs-user,user.effective.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
+
+Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
 | <<ecs-group,user.group.*>>
 | User's group relevant to the event.
 
 // ===============================================================
 
 
+| <<ecs-user,user.target.*>>| beta:[ Reusing the user fields in this location is currently considered beta.]
+
+Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
 |=====
 
+
+
+include::usage/user.asciidoc[]
+
 [[ecs-user_agent]]
 === User agent Fields
 
diff --git a/docs/usage/user.asciidoc b/docs/usage/user.asciidoc
new file mode 100644
index 0000000000..f1a7452af9
--- /dev/null
+++ b/docs/usage/user.asciidoc
@@ -0,0 +1,430 @@
+[[ecs-user-usage]]
+==== Usage
+
+Here are the subjects covered in this page.
+
+* <<ecs-user-usage-categorization>>
+* <<ecs-user-identifiers>>
+
+* <<ecs-user-usage-field-reuse>>, or all places user fields can appear
+** <<ecs-user-usage-user-at-root>>
+** <<ecs-user-usage-remote-logons>>
+** <<ecs-user-usage-privilege-changes>>
+** <<ecs-user-usage-iam>>
+** <<ecs-user-usage-combining>>
+** <<ecs-user-usage-reuse-subtleties>>
+
+* <<ecs-user-usage-pivoting>>
+
+* <<ecs-user-usage-mappings>>
+
+* <<ecs-user-usage-deprecations>>
+
+[discrete]
+[[ecs-user-usage-categorization]]
+===== Categorization
+
+User fields can be present in any kind of event, without affecting the event's
+categorization.
+
+However when the event is about IAM (Identity and Account Management),
+it should be categorized as follows. In this section we'll cover specifically
+`event.category` and `event.type` with regards to IAM activity. Make sure to read
+the <<ecs-category-field-values-reference, Categorization section>> to see all allowed
+values, and read more about `event.kind` and `event.outcome`.
+
+NOTE: IAM activity is a bit particular in that events are expected to be assigned 2 event types.
+One of them indicates the type of activity (creation, deletion, change, etc.),
+and the other indicates whether a user or a group is the target of the management activity.
+
+Many sections of the examples below are elided, in order to focus on the categorization
+of the events.
+
+Creation of group "test-group":
+
+```JSON
+{
+  "event": {
+    "kind": "event",
+    "category": ["iam"], <1>
+    "type": ["group", "creation"], <2>
+    "outcome": "success"
+  },
+  "group": { "name": "test-group", ... },
+  "user": { ... },
+  "related": { "user": [ ... ] }
+}
+```
+<1> Category "iam"
+<2> Both relevant event types to a group creation
+
+Adding "test-user" to "test-group":
+
+```JSON
+{
+  "event": {
+    "kind": "event",
+    "category": ["iam"], <1>
+    "type": ["user", "change"], <2>
+    "action": "user added to group", <3>
+    "outcome": "success"
+  },
+  "user": {
+    ...
+    "target": { <4>
+      "name": "test-user",
+      "group": { "name": "test-group" }
+    }
+  },
+  "related": { "user": [ ... ] }
+}
+```
+<1> Category "iam"
+<2> Both relevant event types to a user modification
+<3> `event.action` is not a categorization field, and has no mandated value. It can be populated based on source event details or by a pipeline, to ensure the event captures all subtleties of what's happening.
+<4> How to use all possible user fields is detailed below.
+
+[discrete]
+[[ecs-user-identifiers]]
+===== User identifiers
+
+Different systems use different values for user identifiers. Here are a few pointers
+to help normalize some simple cases.
+
+* When a system provides a composite value for the user name (e.g. DOMAINNAME\username),
+  capture the domain name in `user.domain` and the user name (without the domain) in `user.name`.
+* When a system uses an email address as the main identifier, populate both
+  `user.id` and `user.email` with it.
+
+[discrete]
+[[ecs-user-usage-field-reuse]]
+===== Field reuse
+
+The user fields can be reused (or appear) in many places across ECS. This makes
+it possible to capture many users relevant to a single event.
+
+Here's the full list of places where the user fields can appear:
+
+* `user.*`
+* `user.effective.*`
+* `user.target.*`
+* `user.changes.*`
+* `source.user.*`
+* `destination.user.*`
+* `client.user.*`
+* `server.user.*`
+* `host.user.*` (<<ecs-user-usage-deprecations,deprecated>>)
+
+Let's go over the meaning of each.
+
+The examples below will only populate `user.name` and sometimes `user.id` inside
+the various `user` nestings, for readability.
+However in implementations, unless otherwise noted, all `user` fields that can
+reasonably be populated in each location should be populated.
+
+[discrete]
+[[ecs-user-usage-user-at-root]]
+====== User fields at the Root of an Event
+
+The user fields at the root of an event are used to capture the user
+performing the main action described by the event. This is especially important
+when there's more than one user present on the event. `user.*` fields at the root
+of the event represent the user performing the action.
+
+In many cases, events that only mention one user should populate the user fields
+at the root of the event, even if the user is not the one performing the action.
+
+In cases where a purpose-specific user field such as `url.username` is populated,
+`user.name` should also be populated with the same user name.
+
+[source,json]
+-----------
+{
+  "url": { "username": "alice" }, <1>
+  "user": { "name": "alice" }, <2>
+  "related": { "user": ["alice"] }
+}
+-----------
+<1> Purpose-specific username field
+<2> Username copied to `user.name` to establish `user.name` as a reliable baseline.
+
+[discrete]
+[[ecs-user-usage-remote-logons]]
+====== Remote Logons
+
+When users are crossing host boundaries, the users are captured at
+`source.user` and `destination.user`.
+
+Examples of data sources where this is applicable:
+
+* Remote logons via ssh, kerberos
+* Firewalls observing network traffic
+
+In order to align with ECS' design of having `user` at the root of the event as the
+user performing the action, all `source.user` fields should be copied to `user` at the root.
+
+Here's an example where user "alice" logs on to another host as user "deus":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice"
+  },
+  "source": {
+    "user": {
+      "name": "alice"
+    },
+    "ip": "10.42.42.42"
+  },
+  "destination": {
+    "user": {
+      "name": "deus"
+    },
+    "ip": "10.42.42.43"
+  },
+  "related": { "user": ["alice", "deus"] }
+}
+-----------
+
+Whenever an event source populates the `client` and `server` fields in addition
+to `source` and `destination`, the user fields should be copied accordingly as well.
+You can review <<ecs-mapping-network-events>> to learn more about
+mapping network events.
+
+[discrete]
+[[ecs-user-usage-privilege-changes]]
+====== Privilege Changes
+
+The `user.effective` fields are relevant when there's a privilege escalation or demotion
+and it's possible to determine the user requesting/performing the escalation.
+
+Use the `user` fields at the root to capture who is requesting the privilege change,
+and `user.effective` to capture the requested privilege level, whether or not the
+privilege change was successful.
+
+Here are examples where this is applicable:
+
+* A user changing identity on a host.
+** Examples: sudo, su, Run as.
+* Running a program as a different user. Examples:
+** A trusted user runs a specific admin command as root via a mechanism such as the Posix setuid/setgid.
+** A service manager with administrator privileges starts child processes as limited
+    users, for security purposes (e.g. root runs Apache HTTPD as user "apache")
+
+In cases where the event source only gives information about the effective user
+and not who requested different privileges, the `user` fields at the root of the
+event should be used instead of `user.effective`.
+
+Here's an example of user "alice" running a command as root via sudo:
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice",
+    "id": "1001",
+    "effective": {
+      "name": "root",
+      "id": "1"
+    }
+  },
+  "related": { "user": ["alice", "root"] }
+}
+-----------
+
+When it's not possible (or it's prohibitive) to determine which user is requesting
+different privilege levels, it's acceptable to capture the effective user at the
+root of the event. Typically a privilege change event will already have happened,
+for example: bob "su" as root; and subsequent events will show the root user
+performing the actions.
+
+[discrete]
+[[ecs-user-usage-iam]]
+====== Identity and Access Management
+
+Whenever a user is performing an action that affects another user -- typically
+in IAM scenarios -- the user affected by the action is captured at
+`user.target`. The user performing the IAM activity is captured at the root
+of the event.
+
+Examples of IAM activity include:
+
+* user-a creates or deletes user-b
+* user-a modifies user-b
+
+In the create/delete scenarios, there's either no prior state (user creation)
+or no post state (user deletion). In these cases, only `user` at the root and
+`user.target` must be populated.
+
+Example where "root" creates user "bob":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "root",
+    "id": "1",
+    "target": {
+      "name": "bob",
+      "id": "1002",
+      ...
+    }
+  }
+  "related": { "user": ["bob", "root"] }
+}
+-----------
+
+When there's a change of state to an existing user, `user.target` must be used
+to capture the prior state of the user, and `user.changes` should list only
+the changes that were performed.
+
+Example where "root" renames user "bob" to "bob.barker":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "root",
+    "id": "1",
+    "target": {
+      "name": "bob",
+      "id": "1002"
+    },
+    "changes": {
+      "name": "bob.barker"
+    }
+  },
+  "related": { "user": ["bob", "bob.barker", "root"] }
+}
+-----------
+
+You'll note in the example above that unmodified attributes like the user ID are
+not repeated under `user.changes.*`, since they didn't change.
+
+[discrete]
+[[ecs-user-usage-combining]]
+====== Combining IAM and Privilege Change
+
+We've covered above how `user.target` and `user.changes` can be used at the same time.
+If privilege escalation is also present in the same IAM event, `user.effective`
+should of course be used as well.
+
+Here's the "rename" example from the IAM section above. In the following example,
+we know "alice" is escalating privileges to "root", in order to modify user "bob":
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice",
+    "id": "1001",
+    "effective": {
+      "name": "root",
+      "id": "1"
+    },
+    "target": {
+      "name": "bob",
+      "id": "1002"
+    },
+    "changes": {
+      "name": "bob.barker"
+    }
+  },
+  "related": { "user": ["alice", "bob", "bob.barker", "root"] }
+}
+-----------
+
+[discrete]
+[[ecs-user-usage-reuse-subtleties]]
+====== Subtleties around field reuse
+
+Most cases of field reuse in ECS are reusing a field set inside a different field set.
+Two examples of this are:
+
+* reusing `group` in `user`, resulting in the `user.group.*` fields, or
+* reusing `user` in `destination`, resulting in the `destination.user.*` fields,
+  which also include `destination.user.group.*`.
+
+The `user` fields can also be reused within `user` as different names,
+representing the role of each relevant user. Examples are the `user.target.*` or `user.effective.*` fields.
+
+However, it's important to note that `user` fields reused within
+`user` are _not carried around anywhere else_.
+Let's illustrate the various permutations of what's valid and what is not.
+
+[options="header"]
+|=====
+| Field  | Validity | Notes
+
+| `user.group.*` | Valid | Normal reuse.
+| `destination.user.group.*` | Valid | The `group` reuse gets carried around when `user` is reused elsewhere.
+Populate only if relevant to the event.
+
+| `user.target.group.*`, `user.effective.group.*`, `user.changes.group.*`
+| Valid
+| The `group` reuse gets carried around even when `user` is reused within itself.
+Populate only if relevant to the event.
+
+| `destination.user.target.*`, `destination.user.effective.*`, `destination.user.changes.*`
+| *Invalid*
+| The `user` fields reused within `user` are not carried around anywhere else.
+The same rule applies when `user` is reused under `source`, `client` and `server`.
+
+|=====
+
+
+[discrete]
+[[ecs-user-usage-pivoting]]
+===== Pivoting via related.user
+
+In all events in this page, we've populated the `related.user` fields.
+
+Any event that has users in it should always populate the array field `related.user`
+with all usernames seen in the event; including event names that appear in custom fields.
+Note that this field is not a nesting of all user fields,
+it's a flat array meant to contain user identifiers.
+
+Taking the example from `user.changes` again, we can see that no matter the role
+of the each user (before/after privilege escalation, affected user, username after rename), they are all present in `related.user`:
+
+[source,json]
+-----------
+{
+  "user": {
+    "name": "alice",
+    "id": "1001",
+    "effective": {
+      "name": "root",
+      "id": "1"
+    },
+    "target": {
+      "name": "bob",
+      "id": "1002"
+    },
+    "changes": {
+      "name": "bob.barker"
+    }
+  },
+  "related": { "user": ["alice", "root", "bob", "bob.barker"] }
+}
+-----------
+
+Like the other fields in the <<ecs-related,related>> field set, `related.user` is meant to facilitate
+pivoting. For example, if you have a suspicion about user "bob.barker", searching
+for this name in `related.user` will give you all events related to this user, whether
+it's the creation / rename of the user, or events where this user was active in a system.
+
+[discrete]
+[[ecs-user-usage-mappings]]
+===== Mapping Examples
+
+For examples of mapping events from various sources, you can look at
+https://github.com/elastic/ecs/blob/master/rfcs/text/0007-multiple-users.md#source-data[RFC 0007 in section Source Data].
+
+[discrete]
+[[ecs-user-usage-deprecations]]
+===== Deprecations
+
+As of ECS 1.8, `host.user.*` fields are deprecated and will be removed at the next
+major version of ECS.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 977a5c2232..77fe5f53e4 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -10034,25 +10034,31 @@ user:
       full: source.user
     - as: target
       at: user
+      beta: Reusing the user fields in this location is currently considered beta.
       full: user.target
     - as: effective
       at: user
+      beta: Reusing the user fields in this location is currently considered beta.
       full: user.effective
     - as: changes
       at: user
+      beta: Reusing the user fields in this location is currently considered beta.
       full: user.changes
     top_level: true
   reused_here:
   - full: user.group
     schema_name: group
     short: User's group relevant to the event.
-  - full: user.target
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.target
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - full: user.effective
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.effective
     schema_name: user
     short: Fields to describe the user relevant to the event.
-  - full: user.changes
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.changes
     schema_name: user
     short: Fields to describe the user relevant to the event.
   short: Fields to describe the user relevant to the event.
diff --git a/experimental/schemas/user.yml b/experimental/schemas/user.yml
index b2af27d5ab..89e182fbee 100644
--- a/experimental/schemas/user.yml
+++ b/experimental/schemas/user.yml
@@ -7,11 +7,3 @@
       type: wildcard
     - name: email
       type: wildcard
-  reusable:
-    expected:
-      - at: user
-        as: target
-      - at: user
-        as: effective
-      - at: user
-        as: changes
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 0361f97cdf..caaf2f28bd 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -5488,6 +5488,85 @@
       provide an array that includes all of them.'
     type: group
     fields:
+    - name: changes.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: changes.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: changes.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: changes.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: changes.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: changes.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: changes.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: changes.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
     - name: domain
       level: extended
       type: keyword
@@ -5495,6 +5574,85 @@
       description: 'Name of the directory the user is a member of.
 
         For example, an LDAP or Active Directory domain name.'
+    - name: effective.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: effective.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: effective.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: effective.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: effective.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: effective.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: effective.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: effective.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
     - name: email
       level: extended
       type: keyword
@@ -5560,6 +5718,85 @@
       description: Array of user roles at the time of the event.
       example: '["kibana_admin", "reporting_user"]'
       default_field: false
+    - name: target.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: target.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: target.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: target.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: target.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: target.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: target.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
+    - name: target.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: user_agent
     title: User agent
     group: 2
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index 784459a3cc..ed2f53c978 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -646,7 +646,31 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain.
 2.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 2.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+2.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+2.0.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+2.0.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+2.0.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+2.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+2.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+2.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+2.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+2.0.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+2.0.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+2.0.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
+2.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 2.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+2.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+2.0.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+2.0.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+2.0.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+2.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+2.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+2.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+2.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+2.0.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+2.0.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+2.0.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
+2.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 2.0.0-dev,true,user,user.email,keyword,extended,,,User email address.
 2.0.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 2.0.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
@@ -658,6 +682,18 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
 2.0.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
 2.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+2.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+2.0.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
+2.0.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+2.0.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+2.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+2.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+2.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+2.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+2.0.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+2.0.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+2.0.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
+2.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 2.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 2.0.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 78ef1eaec8..e97960a51e 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -8307,6 +8307,138 @@ url.username:
   normalize: []
   short: Username of the request.
   type: keyword
+user.changes.domain:
+  dashed_name: user-changes-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.changes.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.changes.email:
+  dashed_name: user-changes-email
+  description: User email address.
+  flat_name: user.changes.email
+  ignore_above: 1024
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+user.changes.full_name:
+  dashed_name: user-changes-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.changes.full_name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user.changes.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+user.changes.group.domain:
+  dashed_name: user-changes-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.changes.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.changes.group.id:
+  dashed_name: user-changes-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.changes.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.changes.group.name:
+  dashed_name: user-changes-group-name
+  description: Name of the group.
+  flat_name: user.changes.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.changes.hash:
+  dashed_name: user-changes-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.changes.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.changes.id:
+  dashed_name: user-changes-id
+  description: Unique identifier of the user.
+  flat_name: user.changes.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.changes.name:
+  dashed_name: user-changes-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.changes.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.changes.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: keyword
+user.changes.roles:
+  dashed_name: user-changes-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.changes.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 user.domain:
   dashed_name: user-domain
   description: 'Name of the directory the user is a member of.
@@ -8319,6 +8451,138 @@ user.domain:
   normalize: []
   short: Name of the directory the user is a member of.
   type: keyword
+user.effective.domain:
+  dashed_name: user-effective-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.effective.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.effective.email:
+  dashed_name: user-effective-email
+  description: User email address.
+  flat_name: user.effective.email
+  ignore_above: 1024
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+user.effective.full_name:
+  dashed_name: user-effective-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.effective.full_name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user.effective.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+user.effective.group.domain:
+  dashed_name: user-effective-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.effective.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.effective.group.id:
+  dashed_name: user-effective-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.effective.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.effective.group.name:
+  dashed_name: user-effective-group-name
+  description: Name of the group.
+  flat_name: user.effective.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.effective.hash:
+  dashed_name: user-effective-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.effective.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.effective.id:
+  dashed_name: user-effective-id
+  description: Unique identifier of the user.
+  flat_name: user.effective.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.effective.name:
+  dashed_name: user-effective-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.effective.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.effective.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: keyword
+user.effective.roles:
+  dashed_name: user-effective-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.effective.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 user.email:
   dashed_name: user-email
   description: User email address.
@@ -8432,6 +8696,138 @@ user.roles:
   - array
   short: Array of user roles at the time of the event.
   type: keyword
+user.target.domain:
+  dashed_name: user-target-domain
+  description: 'Name of the directory the user is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.target.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: user
+  short: Name of the directory the user is a member of.
+  type: keyword
+user.target.email:
+  dashed_name: user-target-email
+  description: User email address.
+  flat_name: user.target.email
+  ignore_above: 1024
+  level: extended
+  name: email
+  normalize: []
+  original_fieldset: user
+  short: User email address.
+  type: keyword
+user.target.full_name:
+  dashed_name: user-target-full-name
+  description: User's full name, if available.
+  example: Albert Einstein
+  flat_name: user.target.full_name
+  ignore_above: 1024
+  level: extended
+  multi_fields:
+  - flat_name: user.target.full_name.text
+    name: text
+    norms: false
+    type: text
+  name: full_name
+  normalize: []
+  original_fieldset: user
+  short: User's full name, if available.
+  type: keyword
+user.target.group.domain:
+  dashed_name: user-target-group-domain
+  description: 'Name of the directory the group is a member of.
+
+    For example, an LDAP or Active Directory domain name.'
+  flat_name: user.target.group.domain
+  ignore_above: 1024
+  level: extended
+  name: domain
+  normalize: []
+  original_fieldset: group
+  short: Name of the directory the group is a member of.
+  type: keyword
+user.target.group.id:
+  dashed_name: user-target-group-id
+  description: Unique identifier for the group on the system/platform.
+  flat_name: user.target.group.id
+  ignore_above: 1024
+  level: extended
+  name: id
+  normalize: []
+  original_fieldset: group
+  short: Unique identifier for the group on the system/platform.
+  type: keyword
+user.target.group.name:
+  dashed_name: user-target-group-name
+  description: Name of the group.
+  flat_name: user.target.group.name
+  ignore_above: 1024
+  level: extended
+  name: name
+  normalize: []
+  original_fieldset: group
+  short: Name of the group.
+  type: keyword
+user.target.hash:
+  dashed_name: user-target-hash
+  description: 'Unique user hash to correlate information for a user in anonymized
+    form.
+
+    Useful if `user.id` or `user.name` contain confidential information and cannot
+    be used.'
+  flat_name: user.target.hash
+  ignore_above: 1024
+  level: extended
+  name: hash
+  normalize: []
+  original_fieldset: user
+  short: Unique user hash to correlate information for a user in anonymized form.
+  type: keyword
+user.target.id:
+  dashed_name: user-target-id
+  description: Unique identifier of the user.
+  flat_name: user.target.id
+  ignore_above: 1024
+  level: core
+  name: id
+  normalize: []
+  original_fieldset: user
+  short: Unique identifier of the user.
+  type: keyword
+user.target.name:
+  dashed_name: user-target-name
+  description: Short name or login of the user.
+  example: albert
+  flat_name: user.target.name
+  ignore_above: 1024
+  level: core
+  multi_fields:
+  - flat_name: user.target.name.text
+    name: text
+    norms: false
+    type: text
+  name: name
+  normalize: []
+  original_fieldset: user
+  short: Short name or login of the user.
+  type: keyword
+user.target.roles:
+  dashed_name: user-target-roles
+  description: Array of user roles at the time of the event.
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.target.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 user_agent.device.name:
   dashed_name: user-agent-device-name
   description: Name of the device.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 1352e844e5..eb52906f88 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -9591,6 +9591,138 @@ user:
     Fields can have one entry or multiple entries. If a user has more than one id,
     provide an array that includes all of them.'
   fields:
+    user.changes.domain:
+      dashed_name: user-changes-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.changes.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.changes.email:
+      dashed_name: user-changes-email
+      description: User email address.
+      flat_name: user.changes.email
+      ignore_above: 1024
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: keyword
+    user.changes.full_name:
+      dashed_name: user-changes-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.changes.full_name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user.changes.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: keyword
+    user.changes.group.domain:
+      dashed_name: user-changes-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.changes.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.changes.group.id:
+      dashed_name: user-changes-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.changes.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.changes.group.name:
+      dashed_name: user-changes-group-name
+      description: Name of the group.
+      flat_name: user.changes.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.changes.hash:
+      dashed_name: user-changes-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.changes.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.changes.id:
+      dashed_name: user-changes-id
+      description: Unique identifier of the user.
+      flat_name: user.changes.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.changes.name:
+      dashed_name: user-changes-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.changes.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.changes.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    user.changes.roles:
+      dashed_name: user-changes-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.changes.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
     user.domain:
       dashed_name: user-domain
       description: 'Name of the directory the user is a member of.
@@ -9603,6 +9735,138 @@ user:
       normalize: []
       short: Name of the directory the user is a member of.
       type: keyword
+    user.effective.domain:
+      dashed_name: user-effective-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.effective.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.effective.email:
+      dashed_name: user-effective-email
+      description: User email address.
+      flat_name: user.effective.email
+      ignore_above: 1024
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: keyword
+    user.effective.full_name:
+      dashed_name: user-effective-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.effective.full_name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user.effective.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: keyword
+    user.effective.group.domain:
+      dashed_name: user-effective-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.effective.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.effective.group.id:
+      dashed_name: user-effective-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.effective.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.effective.group.name:
+      dashed_name: user-effective-group-name
+      description: Name of the group.
+      flat_name: user.effective.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.effective.hash:
+      dashed_name: user-effective-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.effective.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.effective.id:
+      dashed_name: user-effective-id
+      description: Unique identifier of the user.
+      flat_name: user.effective.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.effective.name:
+      dashed_name: user-effective-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.effective.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.effective.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    user.effective.roles:
+      dashed_name: user-effective-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.effective.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
     user.email:
       dashed_name: user-email
       description: User email address.
@@ -9716,10 +9980,145 @@ user:
       - array
       short: Array of user roles at the time of the event.
       type: keyword
+    user.target.domain:
+      dashed_name: user-target-domain
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.target.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: user
+      short: Name of the directory the user is a member of.
+      type: keyword
+    user.target.email:
+      dashed_name: user-target-email
+      description: User email address.
+      flat_name: user.target.email
+      ignore_above: 1024
+      level: extended
+      name: email
+      normalize: []
+      original_fieldset: user
+      short: User email address.
+      type: keyword
+    user.target.full_name:
+      dashed_name: user-target-full-name
+      description: User's full name, if available.
+      example: Albert Einstein
+      flat_name: user.target.full_name
+      ignore_above: 1024
+      level: extended
+      multi_fields:
+      - flat_name: user.target.full_name.text
+        name: text
+        norms: false
+        type: text
+      name: full_name
+      normalize: []
+      original_fieldset: user
+      short: User's full name, if available.
+      type: keyword
+    user.target.group.domain:
+      dashed_name: user-target-group-domain
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      flat_name: user.target.group.domain
+      ignore_above: 1024
+      level: extended
+      name: domain
+      normalize: []
+      original_fieldset: group
+      short: Name of the directory the group is a member of.
+      type: keyword
+    user.target.group.id:
+      dashed_name: user-target-group-id
+      description: Unique identifier for the group on the system/platform.
+      flat_name: user.target.group.id
+      ignore_above: 1024
+      level: extended
+      name: id
+      normalize: []
+      original_fieldset: group
+      short: Unique identifier for the group on the system/platform.
+      type: keyword
+    user.target.group.name:
+      dashed_name: user-target-group-name
+      description: Name of the group.
+      flat_name: user.target.group.name
+      ignore_above: 1024
+      level: extended
+      name: name
+      normalize: []
+      original_fieldset: group
+      short: Name of the group.
+      type: keyword
+    user.target.hash:
+      dashed_name: user-target-hash
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      flat_name: user.target.hash
+      ignore_above: 1024
+      level: extended
+      name: hash
+      normalize: []
+      original_fieldset: user
+      short: Unique user hash to correlate information for a user in anonymized form.
+      type: keyword
+    user.target.id:
+      dashed_name: user-target-id
+      description: Unique identifier of the user.
+      flat_name: user.target.id
+      ignore_above: 1024
+      level: core
+      name: id
+      normalize: []
+      original_fieldset: user
+      short: Unique identifier of the user.
+      type: keyword
+    user.target.name:
+      dashed_name: user-target-name
+      description: Short name or login of the user.
+      example: albert
+      flat_name: user.target.name
+      ignore_above: 1024
+      level: core
+      multi_fields:
+      - flat_name: user.target.name.text
+        name: text
+        norms: false
+        type: text
+      name: name
+      normalize: []
+      original_fieldset: user
+      short: Short name or login of the user.
+      type: keyword
+    user.target.roles:
+      dashed_name: user-target-roles
+      description: Array of user roles at the time of the event.
+      example: '["kibana_admin", "reporting_user"]'
+      flat_name: user.target.roles
+      ignore_above: 1024
+      level: extended
+      name: roles
+      normalize:
+      - array
+      original_fieldset: user
+      short: Array of user roles at the time of the event.
+      type: keyword
   group: 2
   name: user
   nestings:
+  - user.changes
+  - user.effective
   - user.group
+  - user.target
   prefix: user.
   reusable:
     expected:
@@ -9738,11 +10137,35 @@ user:
     - as: user
       at: source
       full: source.user
+    - as: target
+      at: user
+      beta: Reusing the user fields in this location is currently considered beta.
+      full: user.target
+    - as: effective
+      at: user
+      beta: Reusing the user fields in this location is currently considered beta.
+      full: user.effective
+    - as: changes
+      at: user
+      beta: Reusing the user fields in this location is currently considered beta.
+      full: user.changes
     top_level: true
   reused_here:
   - full: user.group
     schema_name: group
     short: User's group relevant to the event.
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.target
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.effective
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
+  - beta: Reusing the user fields in this location is currently considered beta.
+    full: user.changes
+    schema_name: user
+    short: Fields to describe the user relevant to the event.
   short: Fields to describe the user relevant to the event.
   title: User
   type: group
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index c80ed9eab5..964e7a8a81 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -3053,10 +3053,130 @@
         },
         "user": {
           "properties": {
+            "changes": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "domain": {
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "effective": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
             "email": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -3108,6 +3228,66 @@
             "roles": {
               "ignore_above": 1024,
               "type": "keyword"
+            },
+            "target": {
+              "properties": {
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "full_name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "group": {
+                  "properties": {
+                    "domain": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "id": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "name": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
+                "hash": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "name": {
+                  "fields": {
+                    "text": {
+                      "norms": false,
+                      "type": "text"
+                    }
+                  },
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "roles": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
             }
           }
         },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 2065369a1c..0ca5ddf78f 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -3052,10 +3052,130 @@
       },
       "user": {
         "properties": {
+          "changes": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "domain": {
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "effective": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
+          },
           "email": {
             "ignore_above": 1024,
             "type": "keyword"
@@ -3107,6 +3227,66 @@
           "roles": {
             "ignore_above": 1024,
             "type": "keyword"
+          },
+          "target": {
+            "properties": {
+              "domain": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "email": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "full_name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "group": {
+                "properties": {
+                  "domain": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "id": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
+              "hash": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "id": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "name": {
+                "fields": {
+                  "text": {
+                    "norms": false,
+                    "type": "text"
+                  }
+                },
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "roles": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              }
+            }
           }
         }
       },
diff --git a/rfcs/text/0007-multiple-users.md b/rfcs/text/0007-multiple-users.md
index 31e015e8b9..1ba075736d 100644
--- a/rfcs/text/0007-multiple-users.md
+++ b/rfcs/text/0007-multiple-users.md
@@ -152,7 +152,7 @@ Here's an example of user "alice" running a command as root via sudo:
     "id": "1001",
     "effective": {
       "name": "root",
-      "id": "1"
+      "id": "0"
     }
   }
 }
@@ -186,7 +186,7 @@ Example where "root" creates user "bob":
 {
   "user": {
     "name": "root",
-    "id": "1",
+    "id": "0",
     "target": {
       "name": "bob",
       "id": "1002",
@@ -206,7 +206,7 @@ Example where "root" renames user "bob" to "bob.barker":
 {
   "user": {
     "name": "root",
-    "id": "1",
+    "id": "0",
     "target": {
       "name": "bob",
       "id": "1002"
@@ -237,7 +237,7 @@ we know "alice" is escalating privileges as "root", in order to modify user "bob
     "id": "1001",
     "effective": {
       "name": "root",
-      "id": "1"
+      "id": "0"
     },
     "target": {
       "name": "bob",
@@ -266,7 +266,7 @@ the event now looks like:
     "id": "1001",
     "effective": {
       "name": "root",
-      "id": "1"
+      "id": "0"
     },
     "target": {
       "name": "bob",
diff --git a/schemas/user.yml b/schemas/user.yml
index fa50676efd..8625f05897 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -18,6 +18,15 @@
       - host
       - server
       - source
+      - at: user
+        as: target
+        beta: Reusing the user fields in this location is currently considered beta.
+      - at: user
+        as: effective
+        beta: Reusing the user fields in this location is currently considered beta.
+      - at: user
+        as: changes
+        beta: Reusing the user fields in this location is currently considered beta.
 
   type: group
   fields: