elastic · webmat · Jun 9, 2020 · Jun 11, 2020 · Jun 15, 2020
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -24,6 +24,8 @@ Thanks, you're awesome :-) -->
 * Added `agent.build.*` for extended agent version information. (#764)
 * Added `x509.*` field set. (#762)
 * Added more account and project cloud metadata. (#816)
+* Added `user.effective`, `user.target`, and `user.changes` to capture more details
+  when multiple users are relevant to an event. #869
 
 #### Improvements
 

diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -6526,7 +6526,7 @@ example: `albert`
 
 ==== Field Reuse
 
-The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`.
+The `user` fields are expected to be nested at: `client.user`, `destination.user`, `host.user`, `server.user`, `source.user`, `user.changes`, `user.effective`, `user.target`.
 
 Note also that the `user` fields may be used directly at the top level.
 
@@ -6543,12 +6543,30 @@ Note also that the `user` fields may be used directly at the top level.
 // ===============================================================
 
 
+| <<ecs-user,user.changes.*>>
+| Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
+| <<ecs-user,user.effective.*>>
+| Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
 | <<ecs-group,user.group.*>>
 | User's group relevant to the event.
 
 // ===============================================================
 
 
+| <<ecs-user,user.target.*>>
+| Fields to describe the user relevant to the event.
+
+// ===============================================================
+
+
 |=====
 
 [[ecs-user_agent]]

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -5200,13 +5200,157 @@
       provide an array that includes all of them.'
     type: group
     fields:
+    - name: changes.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: changes.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: changes.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: changes.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: changes.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: changes.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: changes.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: changes.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
     - name: domain
       level: extended
       type: keyword
       ignore_above: 1024
       description: 'Name of the directory the user is a member of.
 
         For example, an LDAP or Active Directory domain name.'
+    - name: effective.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: effective.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: effective.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: effective.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: effective.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: effective.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: effective.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: effective.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
     - name: email
       level: extended
       type: keyword
@@ -5265,6 +5409,78 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: target.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the user is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.email
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: User email address.
+      default_field: false
+    - name: target.full_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: User's full name, if available.
+      example: Albert Einstein
+      default_field: false
+    - name: target.group.domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the directory the group is a member of.
+
+        For example, an LDAP or Active Directory domain name.'
+      default_field: false
+    - name: target.group.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier for the group on the system/platform.
+      default_field: false
+    - name: target.group.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the group.
+      default_field: false
+    - name: target.hash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique user hash to correlate information for a user in anonymized
+        form.
+
+        Useful if `user.id` or `user.name` contain confidential information and cannot
+        be used.'
+      default_field: false
+    - name: target.id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique identifier of the user.
+      default_field: false
+    - name: target.name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: Short name or login of the user.
+      example: albert
+      default_field: false
   - name: user_agent
     title: User agent
     group: 2

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -618,7 +618,29 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url.
 1.6.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
 1.6.0-dev,true,url,url.username,keyword,extended,,,Username of the request.
+1.6.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.6.0-dev,true,user,user.changes.email,keyword,extended,,,User email address.
+1.6.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.6.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.6.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.6.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.6.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group.
+1.6.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.6.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user.
+1.6.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user.
+1.6.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user.
 1.6.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.6.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.6.0-dev,true,user,user.effective.email,keyword,extended,,,User email address.
+1.6.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.6.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.6.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.6.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.6.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group.
+1.6.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.6.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user.
+1.6.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user.
+1.6.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user.
 1.6.0-dev,true,user,user.email,keyword,extended,,,User email address.
 1.6.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
 1.6.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
@@ -629,6 +651,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of.
+1.6.0-dev,true,user,user.target.email,keyword,extended,,,User email address.
+1.6.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+1.6.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available."
+1.6.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+1.6.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+1.6.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group.
+1.6.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+1.6.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user.
+1.6.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user.
+1.6.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user.
 1.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 1.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.