User Fields
Overview
The user fields describe the account, identity, or principal associated with the activity recorded in an event. They carry the identifiers, naming attributes, and contextual details needed to determine which user initiated, executed, or was otherwise involved in an action. The entity provides one normalized structure for referencing user information across heterogeneous platforms and identity systems.
Design and Usage
The user entity models conceptual properties of an account or identity without relying on platform-specific naming conventions or authentication mechanisms. Its fields capture identifiers, domains, and contextual details that support correlation across operating systems, directory services, applications, and cloud environments. As a top-level entity, user may be referenced by events that describe authentication, authorization, process execution, resource access, or other interactions involving an identity.
Common Use Cases
- Associating system or application activity with the identity responsible for initiating it
- Normalizing user information from diverse identity providers and account models
- Supporting investigations, access reviews, and behavioral analytics that rely on user context
Implementation Notes
As a top-level entity, user represents the complete object describing a principal or account involved in an event. Its fields should remain platform-neutral so that sources emitting identity-related telemetry are interpreted consistently. If an identity or account context is implied by the event but not stated explicitly by the source (for example, a domain that applies to every account on a host), the corresponding user fields may be populated so that the event's meaning is unambiguous and it remains correlatable with related events. Where a source provides a stable identifier such as a SID or UID, populate user_id alongside user_name; names can be renamed or reused, so correlation over time should key on user_id when it is present.
| field | field_type | description | example_values |
|---|---|---|---|
| user_command | keyword | Command invoked by the user as part of the recorded activity. | |
| user_command_path | keyword | File system path or location of the command executed by the user. | |
| user_domain | keyword | Domain or namespace associated with the user account. | mycorp.internal |
| user_email | keyword | Email address associated with the user account. | user@mycorp.internal |
| user_id | keyword | Unique identifier associated with the user, such as a system-assigned UID or security identifier. | |
| user_name | keyword/lowercase | Name of the user account, represented in lowercase. | |
| user_session_id | keyword | Identifier representing the user session in which the activity occurred. | 0x534, 1055 |
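The following is an added example, not part of this page or any project's code, showing how the normalization described under Design and Usage and in the table above might be applied in practice: three constructed records (a sudo syslog line, a Windows 4624-style logon event, and a cloud identity-provider audit record with hypothetical field names) are mapped into the user_* fields, user_name is forced to lowercase as the table requires, and a small validator flags records that violate the field set or the lowercase rule. Lowercasing user_domain and user_email is this example's own choice for correlation, not a rule stated by the page.

```python
"""Normalize identity telemetry from several sources into the user_* fields."""
import re

# The target field set is the one in the table above; anything else is dropped.
USER_FIELDS = (
    "user_command", "user_command_path", "user_domain", "user_email",
    "user_id", "user_name", "user_session_id",
)

# Constructed sudo(8) syslog line (sample input, not a real log).
SUDO_LINE = (
    "Jun  3 10:15:22 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart nginx"
)
_SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<command>.+)$")

# Constructed Windows Security 4624-style EventData (hypothetical values).
WINDOWS_LOGON = {
    "TargetUserName": "Alice",
    "TargetDomainName": "MYCORP",
    "TargetUserSid": "S-1-5-21-1004336348-1177238915-682003330-1001",
    "TargetLogonId": "0x534",
}

# Constructed cloud IdP audit record; "actor" and "session" are hypothetical names.
IDP_EVENT = {
    "actor": {"id": "00u1abcd2efgh3ijk4l5", "email": "Alice@MyCorp.internal"},
    "session": {"id": "1055"},
}


def _finish(fields: dict) -> dict:
    """Apply the schema rules: keep user_* keys only, drop empties, lowercase user_name."""
    out = {k: v for k, v in fields.items() if k in USER_FIELDS and v not in (None, "")}
    if "user_name" in out:
        out["user_name"] = out["user_name"].lower()
    return out


def from_sudo(line: str) -> dict:
    """user_command is the full command; user_command_path is its executable path."""
    m = _SUDO_RE.search(line)
    if not m:
        raise ValueError("not a sudo command line")
    command = m.group("command").strip()
    return _finish({
        "user_name": m.group("user"),
        "user_command": command,
        "user_command_path": command.split()[0],
    })


def from_windows_logon(event: dict) -> dict:
    """The SID becomes user_id; the hex logon ID (e.g. 0x534) becomes user_session_id."""
    name = event.get("TargetUserName", "")
    domain = event.get("TargetDomainName", "")
    if "\\" in name and not domain:          # some sources pack DOMAIN\user into one field
        domain, name = name.split("\\", 1)
    return _finish({
        "user_name": name,
        "user_domain": domain.lower(),       # lowercased for correlation (example's choice)
        "user_id": event.get("TargetUserSid", ""),
        "user_session_id": event.get("TargetLogonId", ""),
    })


def from_idp(event: dict) -> dict:
    """The mailbox part of the address becomes user_name, the mail domain user_domain."""
    actor = event.get("actor", {})
    email = actor.get("email", "").lower()   # lowercased for correlation (example's choice)
    local, _, domain = email.partition("@")
    return _finish({
        "user_id": actor.get("id", ""),
        "user_email": email,
        "user_name": local,
        "user_domain": domain,
        "user_session_id": event.get("session", {}).get("id", ""),
    })


def validate(fields: dict) -> list:
    """Return schema violations: unknown keys, non-keyword values, mixed-case user_name."""
    problems = []
    for k, v in fields.items():
        if k not in USER_FIELDS:
            problems.append(f"unknown field {k}")
        elif not isinstance(v, str):
            problems.append(f"{k} must be keyword (string)")
    name = fields.get("user_name")
    if isinstance(name, str) and name != name.lower():
        problems.append("user_name must be lowercase")
    return problems


if __name__ == "__main__":
    for rec in (from_sudo(SUDO_LINE), from_windows_logon(WINDOWS_LOGON), from_idp(IDP_EVENT)):
        print(rec, validate(rec))
```

Because user_name is stored lowercase, any search or join against it must lowercase its input as well; user_id is left untouched, since SIDs and IdP identifiers are opaque and a case change would break matching.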
