⚠️ Outdated Version: You are viewing ECS version 1.12, which is outdated. View the latest version (9.0)

ECS Version:

User

Fields to describe the user relevant to the event.

Fields

Field Summary

Field	Type	Level	Description
`user.changes.domain`	keyword	Extended	Name of the directory the user is a member of.
`user.changes.email`	keyword	Extended	User email address.
`user.changes.full_name`	keyword	Extended	User's full name, if available.
`user.changes.full_name.text`	match_only_text	Extended	User's full name, if available.
`user.changes.group.domain`	keyword	Extended	Name of the directory the group is a member of.
`user.changes.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`user.changes.group.name`	keyword	Extended	Name of the group.
`user.changes.hash`	keyword	Extended	Unique user hash to correlate information for a user in anonymized form.
`user.changes.id`	keyword	Core	Unique identifier of the user.
`user.changes.name`	keyword	Core	Short name or login of the user.
`user.changes.name.text`	match_only_text	Core	Short name or login of the user.
`user.changes.roles`	keyword	Extended	Array of user roles at the time of the event.
`user.domain`	keyword	Extended	Name of the directory the user is a member of.
`user.effective.domain`	keyword	Extended	Name of the directory the user is a member of.
`user.effective.email`	keyword	Extended	User email address.
`user.effective.full_name`	keyword	Extended	User's full name, if available.
`user.effective.full_name.text`	match_only_text	Extended	User's full name, if available.
`user.effective.group.domain`	keyword	Extended	Name of the directory the group is a member of.
`user.effective.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`user.effective.group.name`	keyword	Extended	Name of the group.
`user.effective.hash`	keyword	Extended	Unique user hash to correlate information for a user in anonymized form.
`user.effective.id`	keyword	Core	Unique identifier of the user.
`user.effective.name`	keyword	Core	Short name or login of the user.
`user.effective.name.text`	match_only_text	Core	Short name or login of the user.
`user.effective.roles`	keyword	Extended	Array of user roles at the time of the event.
`user.email`	keyword	Extended	User email address.
`user.full_name`	keyword	Extended	User's full name, if available.
`user.full_name.text`	match_only_text	Extended	User's full name, if available.
`user.group.domain`	keyword	Extended	Name of the directory the group is a member of.
`user.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`user.group.name`	keyword	Extended	Name of the group.
`user.hash`	keyword	Extended	Unique user hash to correlate information for a user in anonymized form.
`user.id`	keyword	Core	Unique identifier of the user.
`user.name`	keyword	Core	Short name or login of the user.
`user.name.text`	match_only_text	Core	Short name or login of the user.
`user.roles`	keyword	Extended	Array of user roles at the time of the event.
`user.target.domain`	keyword	Extended	Name of the directory the user is a member of.
`user.target.email`	keyword	Extended	User email address.
`user.target.full_name`	keyword	Extended	User's full name, if available.
`user.target.full_name.text`	match_only_text	Extended	User's full name, if available.
`user.target.group.domain`	keyword	Extended	Name of the directory the group is a member of.
`user.target.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`user.target.group.name`	keyword	Extended	Name of the group.
`user.target.hash`	keyword	Extended	Unique user hash to correlate information for a user in anonymized form.
`user.target.id`	keyword	Core	Unique identifier of the user.
`user.target.name`	keyword	Core	Short name or login of the user.
`user.target.name.text`	match_only_text	Core	Short name or login of the user.
`user.target.roles`	keyword	Extended	Array of user roles at the time of the event.

Field Details

`user.changes.domain`

Type: keyword

Level: Extended

Description: Name of the directory the user is a member of.

Indexed: true

`user.changes.email`

Type: keyword

Level: Extended

Description: User email address.

Indexed: true

`user.changes.full_name`

Type: keyword

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.changes.full_name.text`

Type: match_only_text

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.changes.group.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Indexed: true

`user.changes.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`user.changes.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`user.changes.hash`

Type: keyword

Level: Extended

Description: Unique user hash to correlate information for a user in anonymized form.

Indexed: true

`user.changes.id`

Type: keyword

Level: Core

Description: Unique identifier of the user.

Example: S-1-5-21-202424912787-2692429404-2351956786-1000

Indexed: true

`user.changes.name`

Type: keyword

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.changes.name.text`

Type: match_only_text

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.changes.roles`

Type: keyword

Level: Extended

Description: Array of user roles at the time of the event.

Example: ["kibana_admin", "reporting_user"]

Normalization: array

Indexed: true

`user.domain`

Type: keyword

Level: Extended

Description: Name of the directory the user is a member of.

Indexed: true

`user.effective.domain`

Type: keyword

Level: Extended

Description: Name of the directory the user is a member of.

Indexed: true

`user.effective.email`

Type: keyword

Level: Extended

Description: User email address.

Indexed: true

`user.effective.full_name`

Type: keyword

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.effective.full_name.text`

Type: match_only_text

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.effective.group.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Indexed: true

`user.effective.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`user.effective.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`user.effective.hash`

Type: keyword

Level: Extended

Description: Unique user hash to correlate information for a user in anonymized form.

Indexed: true

`user.effective.id`

Type: keyword

Level: Core

Description: Unique identifier of the user.

Example: S-1-5-21-202424912787-2692429404-2351956786-1000

Indexed: true

`user.effective.name`

Type: keyword

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.effective.name.text`

Type: match_only_text

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.effective.roles`

Type: keyword

Level: Extended

Description: Array of user roles at the time of the event.

Example: ["kibana_admin", "reporting_user"]

Normalization: array

Indexed: true

`user.email`

Type: keyword

Level: Extended

Description: User email address.

Indexed: true

`user.full_name`

Type: keyword

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.full_name.text`

Type: match_only_text

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.group.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Indexed: true

`user.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`user.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`user.hash`

Type: keyword

Level: Extended

Description: Unique user hash to correlate information for a user in anonymized form.

Indexed: true

`user.id`

Type: keyword

Level: Core

Description: Unique identifier of the user.

Example: S-1-5-21-202424912787-2692429404-2351956786-1000

Indexed: true

`user.name`

Type: keyword

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.name.text`

Type: match_only_text

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.roles`

Type: keyword

Level: Extended

Description: Array of user roles at the time of the event.

Example: ["kibana_admin", "reporting_user"]

Normalization: array

Indexed: true

`user.target.domain`

Type: keyword

Level: Extended

Description: Name of the directory the user is a member of.

Indexed: true

`user.target.email`

Type: keyword

Level: Extended

Description: User email address.

Indexed: true

`user.target.full_name`

Type: keyword

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.target.full_name.text`

Type: match_only_text

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`user.target.group.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Indexed: true

`user.target.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`user.target.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`user.target.hash`

Type: keyword

Level: Extended

Description: Unique user hash to correlate information for a user in anonymized form.

Indexed: true

`user.target.id`

Type: keyword

Level: Core

Description: Unique identifier of the user.

Example: S-1-5-21-202424912787-2692429404-2351956786-1000

Indexed: true

`user.target.name`

Type: keyword

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.target.name.text`

Type: match_only_text

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`user.target.roles`

Type: keyword

Level: Extended

Description: Array of user roles at the time of the event.

Example: ["kibana_admin", "reporting_user"]

Normalization: array

Indexed: true

URL User agent