
Define fields to allow representing multiple users in an event. #869

Closed
wants to merge 3 commits into from

Conversation

webmat
Contributor

@webmat webmat commented Jun 11, 2020

This PR implements the proposal discussed in #809. In short, we now reuse all user fields in 3 new places, in order to allow capturing more relevant users on a given event:

  • user.effective.* is used to capture the effective user in cases of privilege escalation.
  • user.target.* is used to capture a distinct user that is affected by an action, like IAM: Alice creates/suspends/deletes Bob.
  • user.changes.* is used to capture the changes to an existing user. It's worth pointing out that only the attributes that change for the user are expected to be populated here.

For now this PR simply adds the fields. We don't yet have a good way to have either contextual definitions around field reuse, or a place to document this via free form text, in the user page. This will come as a later addition.

I'm opening this PR in a straightforward manner, by directly introducing these fields. However I'm thinking this major addition is probably a good candidate to move through the RFC process.

What do you think @epixa @ebeahan @tsg?

Closes #809
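A worked mapping of the three nested reuse points described above onto a constructed IAM audit record, as an added example that is not part of this PR or the ECS project; the record shape, helper names and `event.*` values are assumptions.

```python
"""Added example (not ECS project code): populate the user.target.* and
user.changes.* reuse described in this PR from a constructed IAM audit record.
The record shape, helper names and event.* values are assumptions."""
from __future__ import annotations
from typing import Any

# Constructed sample: Alice (the actor) changes Bob's email and roles.
ALICE = {"id": "u-7", "name": "alice"}
BOB_BEFORE = {"id": "u-102", "name": "bob", "email": "bob@old.example", "roles": ["viewer"]}
BOB_AFTER = {"id": "u-102", "name": "bob", "email": "bob@corp.example", "roles": ["viewer", "editor"]}


def user_changes(before: dict[str, Any], after: dict[str, Any]) -> dict[str, Any]:
    """Only the attributes that actually changed belong under user.changes.*."""
    return {k: v for k, v in after.items() if before.get(k) != v}


def build_iam_event(actor: dict, before: dict, after: dict,
                    effective: dict | None = None) -> dict:
    """Map one 'user modified' record onto the nested user.* fields.

    user.*            -> who performed the action (actor)
    user.target.*     -> the distinct user acted upon (pre-change identity)
    user.changes.*    -> diff of the target's attributes
    user.effective.*  -> set only when the actor ran as someone else
    """
    event = {
        "event": {"kind": "event", "category": ["iam"], "type": ["user", "change"]},
        "user": {**actor, "target": dict(before), "changes": user_changes(before, after)},
    }
    if effective and effective != actor:
        event["user"]["effective"] = dict(effective)
    return event


def flatten(doc: dict, prefix: str = "") -> dict[str, Any]:
    """Dotted-key view (user.target.name, ...) as the fields appear in ECS docs."""
    out: dict[str, Any] = {}
    for key, val in doc.items():
        path = f"{prefix}{key}"
        if isinstance(val, dict):
            out.update(flatten(val, path + "."))
        else:
            out[path] = val
    return out


if __name__ == "__main__":
    for k, v in sorted(flatten(build_iam_event(ALICE, BOB_BEFORE, BOB_AFTER)).items()):
        print(f"{k}: {v}")
```

Note that `user.changes.*` carries only the two attributes that differ, while `user.target.*` keeps the full pre-change identity of the affected user.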

@webmat webmat self-assigned this Jun 11, 2020
@webmat
Contributor Author

webmat commented Jun 11, 2020

Ping all of the fine folks who chimed in on #809: @leehinman @neu5ron @janniten @willemdh @rw-access :-)

Contributor

@rw-access rw-access left a comment


This is great. Definitely will need that future issue/PR when we can add notes to explain the nesting, since it's not immediately obvious for many of these.

@ebeahan
Member

ebeahan commented Jun 12, 2020

+1 for moving these additions through the RFC process 😃

@webmat webmat added the RFC label Jun 25, 2020
@l0x-c0d3z

I like the approach. I've been having issues mapping IAM audit logs recently. It also sets a good precedent for stuff like 'process.target.*' (for stuff like cross-process access and code injections).

@ebeahan ebeahan added RFC:candidate and removed RFC labels Jul 21, 2020
@ebeahan ebeahan added the ready Issues we'd like to address in the future. label Aug 4, 2020
@webmat webmat added the 1.6.0 label Aug 5, 2020
@webmat webmat mentioned this pull request Aug 6, 2020
4 tasks
@webmat webmat removed the 1.6.0 label Aug 11, 2020
@webmat
Contributor Author

webmat commented Nov 3, 2020

Closing in favor of #1066 (see also RFC 0007 stage 3 PR #1017)

@webmat webmat closed this Nov 3, 2020
Labels
ready Issues we'd like to address in the future.
Linked issue this pull request may close: [ECS] Multiple users in an event proposal
4 participants