User
Fields to describe the user relevant to the event.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| user.changes.domain | keyword | Extended | Name of the directory the user is a member of. |
| user.changes.email | keyword | Extended | User email address. |
| user.changes.full_name | keyword | Extended | User's full name, if available. |
| user.changes.full_name.text | match_only_text | Extended | User's full name, if available. |
| user.changes.group.domain | keyword | Extended | Name of the directory the group is a member of. |
| user.changes.group.id | keyword | Extended | Unique identifier for the group on the system/platform. |
| user.changes.group.name | keyword | Extended | Name of the group. |
| user.changes.hash | keyword | Extended | Unique user hash to correlate information for a user in anonymized form. |
| user.changes.id | keyword | Core | Unique identifier of the user. |
| user.changes.name | keyword | Core | Short name or login of the user. |
| user.changes.name.text | match_only_text | Core | Short name or login of the user. |
| user.changes.roles | keyword | Extended | Array of user roles at the time of the event. |
| user.domain | keyword | Extended | Name of the directory the user is a member of. |
| user.effective.domain | keyword | Extended | Name of the directory the user is a member of. |
| user.effective.email | keyword | Extended | User email address. |
| user.effective.full_name | keyword | Extended | User's full name, if available. |
| user.effective.full_name.text | match_only_text | Extended | User's full name, if available. |
| user.effective.group.domain | keyword | Extended | Name of the directory the group is a member of. |
| user.effective.group.id | keyword | Extended | Unique identifier for the group on the system/platform. |
| user.effective.group.name | keyword | Extended | Name of the group. |
| user.effective.hash | keyword | Extended | Unique user hash to correlate information for a user in anonymized form. |
| user.effective.id | keyword | Core | Unique identifier of the user. |
| user.effective.name | keyword | Core | Short name or login of the user. |
| user.effective.name.text | match_only_text | Core | Short name or login of the user. |
| user.effective.roles | keyword | Extended | Array of user roles at the time of the event. |
| user.email | keyword | Extended | User email address. |
| user.full_name | keyword | Extended | User's full name, if available. |
| user.full_name.text | match_only_text | Extended | User's full name, if available. |
| user.group.domain | keyword | Extended | Name of the directory the group is a member of. |
| user.group.id | keyword | Extended | Unique identifier for the group on the system/platform. |
| user.group.name | keyword | Extended | Name of the group. |
| user.hash | keyword | Extended | Unique user hash to correlate information for a user in anonymized form. |
| user.id | keyword | Core | Unique identifier of the user. |
| user.name | keyword | Core | Short name or login of the user. |
| user.name.text | match_only_text | Core | Short name or login of the user. |
| user.risk.calculated_level | keyword | Extended | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. |
| user.risk.calculated_score | float | Extended | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. |
| user.risk.calculated_score_norm | float | Extended | A normalized risk score calculated by an internal system. |
| user.risk.static_level | keyword | Extended | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. |
| user.risk.static_score | float | Extended | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. |
| user.risk.static_score_norm | float | Extended | A normalized risk score calculated by an external system. |
| user.roles | keyword | Extended | Array of user roles at the time of the event. |
| user.target.domain | keyword | Extended | Name of the directory the user is a member of. |
| user.target.email | keyword | Extended | User email address. |
| user.target.full_name | keyword | Extended | User's full name, if available. |
| user.target.full_name.text | match_only_text | Extended | User's full name, if available. |
| user.target.group.domain | keyword | Extended | Name of the directory the group is a member of. |
| user.target.group.id | keyword | Extended | Unique identifier for the group on the system/platform. |
| user.target.group.name | keyword | Extended | Name of the group. |
| user.target.hash | keyword | Extended | Unique user hash to correlate information for a user in anonymized form. |
| user.target.id | keyword | Core | Unique identifier of the user. |
| user.target.name | keyword | Core | Short name or login of the user. |
| user.target.name.text | match_only_text | Core | Short name or login of the user. |
| user.target.roles | keyword | Extended | Array of user roles at the time of the event. |
Field Details
user.changes.domain
Type: keyword
Level: Extended
Description: Name of the directory the user is a member of.
Indexed: true
user.changes.email
Type: keyword
Level: Extended
Description: User email address.
Indexed: true
user.changes.full_name
Type: keyword
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.changes.full_name.text
Type: match_only_text
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.changes.group.domain
Type: keyword
Level: Extended
Description: Name of the directory the group is a member of.
Indexed: true
user.changes.group.id
Type: keyword
Level: Extended
Description: Unique identifier for the group on the system/platform.
Indexed: true
user.changes.group.name
Type: keyword
Level: Extended
Description: Name of the group.
Indexed: true
user.changes.hash
Type: keyword
Level: Extended
Description: Unique user hash to correlate information for a user in anonymized form.
Indexed: true
user.changes.id
Type: keyword
Level: Core
Description: Unique identifier of the user.
Example: S-1-5-21-202424912787-2692429404-2351956786-1000
Indexed: true
user.changes.name
Type: keyword
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.changes.name.text
Type: match_only_text
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.changes.roles
Type: keyword
Level: Extended
Description: Array of user roles at the time of the event.
Example: ["kibana_admin", "reporting_user"]
Normalization: array
Indexed: true
user.domain
Type: keyword
Level: Extended
Description: Name of the directory the user is a member of.
Indexed: true
user.effective.domain
Type: keyword
Level: Extended
Description: Name of the directory the user is a member of.
Indexed: true
user.effective.email
Type: keyword
Level: Extended
Description: User email address.
Indexed: true
user.effective.full_name
Type: keyword
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.effective.full_name.text
Type: match_only_text
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.effective.group.domain
Type: keyword
Level: Extended
Description: Name of the directory the group is a member of.
Indexed: true
user.effective.group.id
Type: keyword
Level: Extended
Description: Unique identifier for the group on the system/platform.
Indexed: true
user.effective.group.name
Type: keyword
Level: Extended
Description: Name of the group.
Indexed: true
user.effective.hash
Type: keyword
Level: Extended
Description: Unique user hash to correlate information for a user in anonymized form.
Indexed: true
user.effective.id
Type: keyword
Level: Core
Description: Unique identifier of the user.
Example: S-1-5-21-202424912787-2692429404-2351956786-1000
Indexed: true
user.effective.name
Type: keyword
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.effective.name.text
Type: match_only_text
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.effective.roles
Type: keyword
Level: Extended
Description: Array of user roles at the time of the event.
Example: ["kibana_admin", "reporting_user"]
Normalization: array
Indexed: true
user.email
Type: keyword
Level: Extended
Description: User email address.
Indexed: true
user.full_name
Type: keyword
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.full_name.text
Type: match_only_text
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.group.domain
Type: keyword
Level: Extended
Description: Name of the directory the group is a member of.
Indexed: true
user.group.id
Type: keyword
Level: Extended
Description: Unique identifier for the group on the system/platform.
Indexed: true
user.group.name
Type: keyword
Level: Extended
Description: Name of the group.
Indexed: true
user.hash
Type: keyword
Level: Extended
Description: Unique user hash to correlate information for a user in anonymized form.
Indexed: true
user.id
Type: keyword
Level: Core
Description: Unique identifier of the user.
Example: S-1-5-21-202424912787-2692429404-2351956786-1000
Indexed: true
user.name
Type: keyword
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.name.text
Type: match_only_text
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.risk.calculated_level
Type: keyword
Level: Extended
Description: A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
Example: High
Indexed: true
user.risk.calculated_score
Type: float
Level: Extended
Description: A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
Example: 880.73
Indexed: true
user.risk.calculated_score_norm
Type: float
Level: Extended
Description: A normalized risk score calculated by an internal system.
Example: 88.73
Indexed: true
user.risk.static_level
Type: keyword
Level: Extended
Description: A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
Example: High
Indexed: true
user.risk.static_score
Type: float
Level: Extended
Description: A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
Example: 830.0
Indexed: true
user.risk.static_score_norm
Type: float
Level: Extended
Description: A normalized risk score calculated by an external system.
Example: 83.0
Indexed: true
user.roles
Type: keyword
Level: Extended
Description: Array of user roles at the time of the event.
Example: ["kibana_admin", "reporting_user"]
Normalization: array
Indexed: true
user.target.domain
Type: keyword
Level: Extended
Description: Name of the directory the user is a member of.
Indexed: true
user.target.email
Type: keyword
Level: Extended
Description: User email address.
Indexed: true
user.target.full_name
Type: keyword
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.target.full_name.text
Type: match_only_text
Level: Extended
Description: User's full name, if available.
Example: Albert Einstein
Indexed: true
user.target.group.domain
Type: keyword
Level: Extended
Description: Name of the directory the group is a member of.
Indexed: true
user.target.group.id
Type: keyword
Level: Extended
Description: Unique identifier for the group on the system/platform.
Indexed: true
user.target.group.name
Type: keyword
Level: Extended
Description: Name of the group.
Indexed: true
user.target.hash
Type: keyword
Level: Extended
Description: Unique user hash to correlate information for a user in anonymized form.
Indexed: true
user.target.id
Type: keyword
Level: Core
Description: Unique identifier of the user.
Example: S-1-5-21-202424912787-2692429404-2351956786-1000
Indexed: true
user.target.name
Type: keyword
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.target.name.text
Type: match_only_text
Level: Core
Description: Short name or login of the user.
Example: a.einstein
Indexed: true
user.target.roles
Type: keyword
Level: Extended
Description: Array of user roles at the time of the event.
Example: ["kibana_admin", "reporting_user"]
Normalization: array
Indexed: true