Elastic
Start free trial Contact Sales
Loading

Group fields

Elastic Stack Serverless

The group fields are meant to represent groups that are relevant to the event.

Group field details

Field Description Level
group.domain Name of the directory the group is a member of.

For example, an LDAP or Active Directory domain name.

type: keyword
 extended
group.id Unique identifier for the group on the system/platform.

type: keyword
 extended
group.name Name of the group.

type: keyword
 extended

Field reuse

The group fields are expected to be nested at:

  • process.attested_groups
  • process.group
  • process.real_group
  • process.saved_group
  • process.supplemental_groups
  • user.group

Note also that the group fields may be used directly at the root of the events.