-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Account for Multiple Users in an Event #234
Comments
@eternalyperplxed ECS allows for information from multiple users to be included the same event. The See the user section of the readme file here. However, your use case raises an interesting follow-on question - in which user fields should we populate which user's details? Here's one way to approach it. Perhaps others will have better ideas.
|
Thanks @MikePaquette this makes sense to me and I agree with the follow on question. I believe there are some instances where an Active Directory event could have something like 6 different users contained within it, so trying to find a common ground to account for them is an interesting challenge. |
@eternalyperplxed yes, indeed, but note that the |
Thanks for submitting this question, @eternalyperplxed. I also agree that user management use cases will need a clear way to define which user is doing the change and which user(s) are affected. Right now I would say that So I do think we'll need to work on an official place to list the affected users. |
Understood @webmat Thanks for looking into this! |
@webmat I agree we need to find an official place for the affected |
I think new 2 top level fields - old/new should help in situations like changing user name and more (so new.user.name for new username, for file path new.file.path, ...). |
I would hope we could use source.user and destination AND or create a target field thus using target.user Multiple usernames in a single field I would imagine is ok, because elasticsearch handles arrays well. Now if a category has multiple distinct fields like an SMTP log that has from,to,cc, etc. |
Some events, specifically Active Directory change events (event.id 5136) may have multiple user names in the event. The user making the change, and the user being changed. Perhaps user.source and user.target could be used to differentiate?
The text was updated successfully, but these errors were encountered: