User fields

Elastic Stack Serverless

The user fields describe information about the user that is relevant to the event.

Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

User field details

Field	Description	Level
user.domain	Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. type: keyword	extended
user.email	User email address. type: keyword user.email	extended
user.full_name	User’s full name, if available. type: keyword Multi-fields: - user.full_name.text (type: match_only_text) example: `Albert Einstein` user.full_name	extended
user.hash	Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword user.hash	extended
user.id	Unique identifier of the user. type: keyword example: `S-1-5-21-202424912787-2692429404-2351956786-1000` user.id	core
user.name	Short name or login of the user. type: keyword Multi-fields: - user.name.text (type: match_only_text) example: `a.einstein` user.name	core
user.roles	Array of user roles at the time of the event. type: keyword Note: this field should contain an array of values. example: `["kibana_admin", "reporting_user"]` user.roles	extended

The user fields are expected to be nested at:

Note also that the user fields may be used directly at the root of the events.

Location	Field Set	Description
`user.changes.*`	`user`	Captures changes made to a user.
`user.effective.*`	`user`	User whose privileges were assumed.
`user.group.*`	group	User’s group relevant to the event.
`user.risk.*`	risk	Fields for describing risk score and level.
`user.target.*`	`user`	Targeted user of action taken.

For usage and examples of the user fields, please see the User Fields Usage and Examples section.