diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 35b0cd91fb..ccb700b572 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,6 +25,8 @@ Thanks, you're awesome :-) --> * Added `x509.*` field set. (#762) * Added more account and project cloud metadata. (#816) * Added missing field reuse of `pe` at `process.parent.pe` #868 +* Added `user.effective`, `user.target`, and `user.changes` to capture more details + when multiple users are relevant to an event. #869 #### Improvements diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index e0d33d320e..24dc6bdaf9 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -6267,7 +6267,7 @@ example: `albert` ==== Field Reuse -The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`. +The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`, `user.changes`, `user.effective`, `user.target`. Note also that the `user` fields may be used directly at the top level. @@ -6284,12 +6284,30 @@ Note also that the `user` fields may be used directly at the top level. // =============================================================== +| <> +| Fields to describe the user relevant to the event. + +// =============================================================== + + +| <> +| Fields to describe the user relevant to the event. + +// =============================================================== + + | <> | User's group relevant to the event. // =============================================================== +| <> +| Fields to describe the user relevant to the event. + +// =============================================================== + + |===== [[ecs-user_agent]] diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 2a5897dec7..978faf9efd 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5254,6 +5254,78 @@ provide an array that includes all of them.' type: group fields: + - name: changes.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: changes.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: changes.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: changes.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: changes.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: changes.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: changes.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: changes.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false - name: domain level: extended type: keyword 
@@ -5261,6 +5333,78 @@ description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' + - name: effective.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: effective.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: effective.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: effective.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: effective.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: effective.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: effective.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: effective.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. 
+ example: albert + default_field: false - name: email level: extended type: keyword 
@@ -5319,6 +5463,78 @@ default_field: false description: Short name or login of the user. example: albert + - name: target.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + default_field: false + - name: target.full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: User's full name, if available. + example: Albert Einstein + default_field: false + - name: target.group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + default_field: false + - name: target.group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: target.group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: target.hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + default_field: false + - name: target.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + default_field: false + - name: target.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Short name or login of the user. + example: albert + default_field: false - name: user_agent title: User agent group: 2 
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 0e8b495bef..227086c294 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -625,7 +625,29 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. 1.6.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 1.6.0-dev,true,url,url.username,keyword,extended,,,Username of the request. +1.6.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.6.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. +1.6.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.6.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.6.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.6.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.6.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.6.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.6.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.6.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user. +1.6.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. 1.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.6.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.6.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. +1.6.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
+1.6.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.6.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.6.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.6.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.6.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.6.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.6.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user. +1.6.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. 1.6.0-dev,true,user,user.email,keyword,extended,,,User email address. 1.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 1.6.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
@@ -636,6 +658,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. 1.6.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. 1.6.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.6.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.6.0-dev,true,user,user.target.email,keyword,extended,,,User email address. +1.6.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.6.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.6.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.6.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.6.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.6.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.6.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.6.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user. +1.6.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. 1.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. 1.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 1.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index a6571636dc..2bc1593329 100644 
--- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8103,6 +8103,125 @@ url.username: normalize: [] short: Username of the request. type: keyword +user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.changes.full_name: + dashed_name: user-changes-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.changes.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.changes.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +user.changes.group.domain: + dashed_name: user-changes-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.changes.group.id: + dashed_name: user-changes-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.changes.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +user.changes.group.name: + dashed_name: user-changes-group-name + description: Name of the group. + flat_name: user.changes.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.changes.hash: + dashed_name: user-changes-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.changes.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.changes.id: + dashed_name: user-changes-id + description: Unique identifier of the user. + flat_name: user.changes.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.changes.name: + dashed_name: user-changes-name + description: Short name or login of the user. + example: albert + flat_name: user.changes.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.changes.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword user.domain: dashed_name: user-domain description: 'Name of the directory the user is a member of. 
@@ -8115,6 +8234,125 @@ user.domain: normalize: [] short: Name of the directory the user is a member of. type: keyword +user.effective.domain: + dashed_name: user-effective-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.effective.email: + dashed_name: user-effective-email + description: User email address. + flat_name: user.effective.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.effective.full_name: + dashed_name: user-effective-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.effective.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.effective.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +user.effective.group.domain: + dashed_name: user-effective-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.effective.group.id: + dashed_name: user-effective-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.effective.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword +user.effective.group.name: + dashed_name: user-effective-group-name + description: Name of the group. + flat_name: user.effective.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.effective.hash: + dashed_name: user-effective-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.effective.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.effective.id: + dashed_name: user-effective-id + description: Unique identifier of the user. + flat_name: user.effective.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.effective.name: + dashed_name: user-effective-name + description: Short name or login of the user. + example: albert + flat_name: user.effective.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.effective.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword user.email: dashed_name: user-email description: User email address. 
@@ -8216,6 +8454,125 @@ user.name: normalize: [] short: Short name or login of the user. type: keyword +user.target.domain: + dashed_name: user-target-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword +user.target.email: + dashed_name: user-target-email + description: User email address. + flat_name: user.target.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword +user.target.full_name: + dashed_name: user-target-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.target.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.target.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword +user.target.group.domain: + dashed_name: user-target-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.target.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword +user.target.group.id: + dashed_name: user-target-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.target.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. + type: keyword +user.target.group.name: + dashed_name: user-target-group-name + description: Name of the group. 
+ flat_name: user.target.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword +user.target.hash: + dashed_name: user-target-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.target.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword +user.target.id: + dashed_name: user-target-id + description: Unique identifier of the user. + flat_name: user.target.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword +user.target.name: + dashed_name: user-target-name + description: Short name or login of the user. + example: albert + flat_name: user.target.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.target.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword user_agent.device.name: dashed_name: user-agent-device-name description: Name of the device. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 660f8e93e9..9a82a5a183 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -9375,6 +9375,125 @@ user: Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.' fields: + user.changes.domain: + dashed_name: user-changes-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.changes.email: + dashed_name: user-changes-email + description: User email address. + flat_name: user.changes.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + user.changes.full_name: + dashed_name: user-changes-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.changes.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.changes.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + user.changes.group.domain: + dashed_name: user-changes-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.changes.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.changes.group.id: + dashed_name: user-changes-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.changes.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + user.changes.group.name: + dashed_name: user-changes-group-name + description: Name of the group. + flat_name: user.changes.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.changes.hash: + dashed_name: user-changes-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.changes.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.changes.id: + dashed_name: user-changes-id + description: Unique identifier of the user. + flat_name: user.changes.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.changes.name: + dashed_name: user-changes-name + description: Short name or login of the user. + example: albert + flat_name: user.changes.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.changes.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword user.domain: dashed_name: user-domain description: 'Name of the directory the user is a member of. 
@@ -9387,6 +9506,125 @@ user: normalize: [] short: Name of the directory the user is a member of. type: keyword + user.effective.domain: + dashed_name: user-effective-domain + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: user + short: Name of the directory the user is a member of. + type: keyword + user.effective.email: + dashed_name: user-effective-email + description: User email address. + flat_name: user.effective.email + ignore_above: 1024 + level: extended + name: email + normalize: [] + original_fieldset: user + short: User email address. + type: keyword + user.effective.full_name: + dashed_name: user-effective-full-name + description: User's full name, if available. + example: Albert Einstein + flat_name: user.effective.full_name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: user.effective.full_name.text + name: text + norms: false + type: text + name: full_name + normalize: [] + original_fieldset: user + short: User's full name, if available. + type: keyword + user.effective.group.domain: + dashed_name: user-effective-group-domain + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + flat_name: user.effective.group.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: group + short: Name of the directory the group is a member of. + type: keyword + user.effective.group.id: + dashed_name: user-effective-group-id + description: Unique identifier for the group on the system/platform. + flat_name: user.effective.group.id + ignore_above: 1024 + level: extended + name: id + normalize: [] + original_fieldset: group + short: Unique identifier for the group on the system/platform. 
+ type: keyword + user.effective.group.name: + dashed_name: user-effective-group-name + description: Name of the group. + flat_name: user.effective.group.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: group + short: Name of the group. + type: keyword + user.effective.hash: + dashed_name: user-effective-hash + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + flat_name: user.effective.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: user + short: Unique user hash to correlate information for a user in anonymized form. + type: keyword + user.effective.id: + dashed_name: user-effective-id + description: Unique identifier of the user. + flat_name: user.effective.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: user + short: Unique identifier of the user. + type: keyword + user.effective.name: + dashed_name: user-effective-name + description: Short name or login of the user. + example: albert + flat_name: user.effective.name + ignore_above: 1024 + level: core + multi_fields: + - flat_name: user.effective.name.text + name: text + norms: false + type: text + name: name + normalize: [] + original_fieldset: user + short: Short name or login of the user. + type: keyword user.email: dashed_name: user-email description: User email address. 
@@ -9488,10 +9726,132 @@ user:
 normalize: []
 short: Short name or login of the user.
 type: keyword
+ user.target.domain:
+ dashed_name: user-target-domain
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.target.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: user
+ short: Name of the directory the user is a member of.
+ type: keyword
+ user.target.email:
+ dashed_name: user-target-email
+ description: User email address.
+ flat_name: user.target.email
+ ignore_above: 1024
+ level: extended
+ name: email
+ normalize: []
+ original_fieldset: user
+ short: User email address.
+ type: keyword
+ user.target.full_name:
+ dashed_name: user-target-full-name
+ description: User's full name, if available.
+ example: Albert Einstein
+ flat_name: user.target.full_name
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: user.target.full_name.text
+ name: text
+ norms: false
+ type: text
+ name: full_name
+ normalize: []
+ original_fieldset: user
+ short: User's full name, if available.
+ type: keyword
+ user.target.group.domain:
+ dashed_name: user-target-group-domain
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ flat_name: user.target.group.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: group
+ short: Name of the directory the group is a member of.
+ type: keyword
+ user.target.group.id:
+ dashed_name: user-target-group-id
+ description: Unique identifier for the group on the system/platform.
+ flat_name: user.target.group.id
+ ignore_above: 1024
+ level: extended
+ name: id
+ normalize: []
+ original_fieldset: group
+ short: Unique identifier for the group on the system/platform.
+ type: keyword
+ user.target.group.name:
+ dashed_name: user-target-group-name
+ description: Name of the group.
+ flat_name: user.target.group.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: group
+ short: Name of the group.
+ type: keyword
+ user.target.hash:
+ dashed_name: user-target-hash
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ flat_name: user.target.hash
+ ignore_above: 1024
+ level: extended
+ name: hash
+ normalize: []
+ original_fieldset: user
+ short: Unique user hash to correlate information for a user in anonymized form.
+ type: keyword
+ user.target.id:
+ dashed_name: user-target-id
+ description: Unique identifier of the user.
+ flat_name: user.target.id
+ ignore_above: 1024
+ level: core
+ name: id
+ normalize: []
+ original_fieldset: user
+ short: Unique identifier of the user.
+ type: keyword
+ user.target.name:
+ dashed_name: user-target-name
+ description: Short name or login of the user.
+ example: albert
+ flat_name: user.target.name
+ ignore_above: 1024
+ level: core
+ multi_fields:
+ - flat_name: user.target.name.text
+ name: text
+ norms: false
+ type: text
+ name: name
+ normalize: []
+ original_fieldset: user
+ short: Short name or login of the user.
+ type: keyword
 group: 2
 name: user
 nestings:
+ - user.changes
+ - user.effective
 - user.group
+ - user.target
 prefix: user.
 reusable:
 expected:
@@ -9510,11 +9870,29 @@ user:
 - as: user
 at: source
 full: source.user
+ - as: target
+ at: user
+ full: user.target
+ - as: effective
+ at: user
+ full: user.effective
+ - as: changes
+ at: user
+ full: user.changes
 top_level: true
 reused_here:
 - full: user.group
 schema_name: group
 short: User's group relevant to the event.
+ - full: user.target
+ schema_name: user
+ short: Fields to describe the user relevant to the event.
+ - full: user.effective
+ schema_name: user
+ short: Fields to describe the user relevant to the event.
+ - full: user.changes
+ schema_name: user
+ short: Fields to describe the user relevant to the event.
 short: Fields to describe the user relevant to the event.
 title: User
 type: group
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 04b7a46918..54ef3bbada 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -2959,10 +2959,122 @@
 },
 "user": {
 "properties": {
+ "changes": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "domain": {
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "effective": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "email": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3010,6 +3122,62 @@
 },
 "ignore_above": 1024,
 "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
 }
 }
 },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 5ddc91d4a4..2a1742d5f7 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -2958,10 +2958,122 @@
 },
 "user": {
 "properties": {
+ "changes": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "domain": {
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "effective": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "email": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3009,6 +3121,62 @@
 },
 "ignore_above": 1024,
 "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "norms": false,
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
 }
 }
 },
diff --git a/schemas/user.yml b/schemas/user.yml
index 255e132f69..2b69dc66f5 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -18,15 +18,12 @@
 - host
 - server
 - source
-
- # TODO Temporarily commented out to simplify initial rewrite review
-
- # - at: user
- # as: target
- # - at: user
- # as: effective
- # - at: user
- # as: changes
+ - at: user
+ as: target
+ - at: user
+ as: effective
+ - at: user
+ as: changes
 type: group
 fields: