Add field user.roles

docs/field-details.asciidoc

@@ -6293,6 +6293,26 @@ example: `albert`
 
 // ===============================================================
 
+| user.roles
+| Array of user roles or groups, at the time of the event.
+
+`user.group.*` fields are meant to capture one group's full details, rather than capturing an array of groups associated with a user.
+
+When it's necessary to capture a list of roles or groups assigned to the user at the time an event or audit log is recorded, use the array field `user.roles`.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `["kibana_admin", "reporting_user"]`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 ==== Field Reuse

generated/beats/fields.ecs.yml

@@ -379,6 +379,19 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of user roles or groups, at the time of the event.
+
+        `user.group.*` fields are meant to capture one group''s full details, rather
+        than capturing an array of groups associated with a user.
+
+        When it''s necessary to capture a list of roles or groups assigned to the
+        user at the time an event or audit log is recorded, use the array field `user.roles`.'
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: cloud
     title: Cloud
     group: 2
@@ -773,6 +786,19 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of user roles or groups, at the time of the event.
+
+        `user.group.*` fields are meant to capture one group''s full details, rather
+        than capturing an array of groups associated with a user.
+
+        When it''s necessary to capture a list of roles or groups assigned to the
+        user at the time an event or audit log is recorded, use the array field `user.roles`.'
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: dll
     title: DLL
     group: 2
@@ -2252,6 +2278,19 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of user roles or groups, at the time of the event.
+
+        `user.group.*` fields are meant to capture one group''s full details, rather
+        than capturing an array of groups associated with a user.
+
+        When it''s necessary to capture a list of roles or groups assigned to the
+        user at the time an event or audit log is recorded, use the array field `user.roles`.'
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: http
     title: HTTP
     group: 2
@@ -4137,6 +4176,19 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of user roles or groups, at the time of the event.
+
+        `user.group.*` fields are meant to capture one group''s full details, rather
+        than capturing an array of groups associated with a user.
+
+        When it''s necessary to capture a list of roles or groups assigned to the
+        user at the time an event or audit log is recorded, use the array field `user.roles`.'
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: service
     title: Service
     group: 2
@@ -4446,6 +4498,19 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: user.roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of user roles or groups, at the time of the event.
+
+        `user.group.*` fields are meant to capture one group''s full details, rather
+        than capturing an array of groups associated with a user.
+
+        When it''s necessary to capture a list of roles or groups assigned to the
+        user at the time an event or audit log is recorded, use the array field `user.roles`.'
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: threat
     title: Threat
     group: 2
@@ -5343,6 +5408,19 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+    - name: roles
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Array of user roles or groups, at the time of the event.
+
+        `user.group.*` fields are meant to capture one group''s full details, rather
+        than capturing an array of groups associated with a user.
+
+        When it''s necessary to capture a list of roles or groups assigned to the
+        user at the time an event or audit log is recorded, use the array field `user.roles`.'
+      example: '["kibana_admin", "reporting_user"]'
+      default_field: false
   - name: user_agent
     title: User agent
     group: 2

generated/csv/fields.csv

@@ -42,6 +42,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.6.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
 1.6.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
 1.6.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running.
@@ -91,6 +92,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.6.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
 1.6.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.6.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -261,6 +263,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.6.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
 1.6.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
 1.6.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body.
@@ -484,6 +487,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.6.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
 1.6.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
 1.6.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
@@ -524,6 +528,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.6.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
 1.6.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
 1.6.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
@@ -638,6 +643,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user.
 1.6.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user.
 1.6.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user.
+1.6.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.6.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device.
 1.6.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent.
 1.6.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string.

generated/ecs/ecs_flat.yml

@@ -484,6 +484,25 @@ client.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+client.user.roles:
+  dashed_name: client-user-roles
+  description: 'Array of user roles or groups, at the time of the event.
+
+    `user.group.*` fields are meant to capture one group''s full details, rather than
+    capturing an array of groups associated with a user.
+
+    When it''s necessary to capture a list of roles or groups assigned to the user
+    at the time an event or audit log is recorded, use the array field `user.roles`.'
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: client.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 cloud.account.id:
   dashed_name: cloud-account-id
   description: 'The cloud account or organization id used to identify different entities
@@ -1048,6 +1067,25 @@ destination.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+destination.user.roles:
+  dashed_name: destination-user-roles
+  description: 'Array of user roles or groups, at the time of the event.
+
+    `user.group.*` fields are meant to capture one group''s full details, rather than
+    capturing an array of groups associated with a user.
+
+    When it''s necessary to capture a list of roles or groups assigned to the user
+    at the time an event or audit log is recorded, use the array field `user.roles`.'
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: destination.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 dll.code_signature.exists:
   dashed_name: dll-code-signature-exists
   description: Boolean to capture if a signature is present.
@@ -3522,6 +3560,25 @@ host.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+host.user.roles:
+  dashed_name: host-user-roles
+  description: 'Array of user roles or groups, at the time of the event.
+
+    `user.group.*` fields are meant to capture one group''s full details, rather than
+    capturing an array of groups associated with a user.
+
+    When it''s necessary to capture a list of roles or groups assigned to the user
+    at the time an event or audit log is recorded, use the array field `user.roles`.'
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: host.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 http.request.body.bytes:
   dashed_name: http-request-body-bytes
   description: Size in bytes of the request body.
@@ -6205,6 +6262,25 @@ server.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+server.user.roles:
+  dashed_name: server-user-roles
+  description: 'Array of user roles or groups, at the time of the event.
+
+    `user.group.*` fields are meant to capture one group''s full details, rather than
+    capturing an array of groups associated with a user.
+
+    When it''s necessary to capture a list of roles or groups assigned to the user
+    at the time an event or audit log is recorded, use the array field `user.roles`.'
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: server.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 service.ephemeral_id:
   dashed_name: service-ephemeral-id
   description: 'Ephemeral identifier of this service (if one exists).
@@ -6700,6 +6776,25 @@ source.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+source.user.roles:
+  dashed_name: source-user-roles
+  description: 'Array of user roles or groups, at the time of the event.
+
+    `user.group.*` fields are meant to capture one group''s full details, rather than
+    capturing an array of groups associated with a user.
+
+    When it''s necessary to capture a list of roles or groups assigned to the user
+    at the time an event or audit log is recorded, use the array field `user.roles`.'
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: source.user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  original_fieldset: user
+  short: Array of user roles at the time of the event.
+  type: keyword
 span.id:
   dashed_name: span-id
   description: 'Unique identifier of the span within the scope of its trace.
@@ -8126,6 +8221,24 @@ user.name:
   normalize: []
   short: Short name or login of the user.
   type: keyword
+user.roles:
+  dashed_name: user-roles
+  description: 'Array of user roles or groups, at the time of the event.
+
+    `user.group.*` fields are meant to capture one group''s full details, rather than
+    capturing an array of groups associated with a user.
+
+    When it''s necessary to capture a list of roles or groups assigned to the user
+    at the time an event or audit log is recorded, use the array field `user.roles`.'
+  example: '["kibana_admin", "reporting_user"]'
+  flat_name: user.roles
+  ignore_above: 1024
+  level: extended
+  name: roles
+  normalize:
+  - array
+  short: Array of user roles at the time of the event.
+  type: keyword
 user_agent.device.name:
   dashed_name: user-agent-device-name
   description: Name of the device.