User
Top Level Fieldset: True
This fieldset contains information about the user who is related to the event.
Fields from user can also be found at the following locations:
source.user
destination.user
user.target
user.effective
user.changes
resource.owner
resource.parent.owner
User Fields
user.domain
Required Field: False
Type: STRING
Example: example.com
Detection Supported Field: True
Domain of the user. This is usually the domain of the user's email address.
user.email
Required Field: False
Type: STRING
Example: jdoe@example.com
Detection Supported Field: True
Email address of the user.
user.full_name
Required Field: False
Type: STRING
Example: Jane Doe
Detection Supported Field: True
Full name of the user.
user.hash
Required Field: False
Type: STRING
Detection Supported Field: True
Hash of the user.
user.id
Required Field: False
Type: STRING
Example: ABCDEFG
Detection Supported Field: True
Unique ID of the user.
user.indicators
Required Field: False
Type: ARRAY
Example: ['malicious']
Detection Supported Field: True
Threat indicators, identified through enrichment, that are specific to this user.
user.name
Required Field: False
Type: STRING
Example: jdoe
Detection Supported Field: True
Short name or login name of the user.
user.roles
Required Field: False
Type: ARRAY
Example: ['admin', 'case_user']
Detection Supported Field: True
The roles of the user at the time of the event.
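The following is an added example and not part of this schema reference. It shows how the user fieldset is populated from two constructed Linux auth log lines, how the same fieldset recurs at the nested locations listed above (user.effective for the identity after a privilege change, user.target for the account being modified; that mapping is our assumption, not stated on the page), how user.domain is derived from the email address as the field description says is usual, and how an object can be checked against the STRING and ARRAY types listed in User Fields. The log lines and the DIRECTORY enrichment table are made up for illustration.

```python
"""Added example (not part of the schema reference): build `user` objects for
the fieldset documented above from two constructed Linux auth log lines,
enrich them, and validate them against the field types listed on this page.

Assumptions, labelled as such: the log lines and the DIRECTORY table are
constructed; placing the invoking account in `user`, the account it ran as in
`user.effective` and a modified account in `user.target` is our reading of
those reuse locations, not something the page states.
"""
import copy
import re
from typing import Any

# Field -> expected Python type, from the "User Fields" list above.
# STRING -> str, ARRAY -> list of str. None of the fields is required.
USER_FIELDS = {
    "domain": str, "email": str, "full_name": str, "hash": str,
    "id": str, "indicators": list, "name": str, "roles": list,
}
# Keys within `user` itself under which the same fieldset recurs.
NESTED_USER_KEYS = ("target", "effective", "changes")

# Constructed enrichment source standing in for a directory lookup.
DIRECTORY: dict[str, dict[str, Any]] = {
    "jdoe": {"email": "jdoe@example.com", "full_name": "Jane Doe",
             "id": "ABCDEFG", "roles": ["admin", "case_user"]},
    "svc_backup": {"email": "svc_backup@example.com", "id": "SVC0042",
                   "roles": ["service"], "indicators": ["watchlist"]},
}

SUDO_RE = re.compile(r"sudo:\s+(?P<name>\S+) : .*?USER=(?P<effective>\S+) ;")
PASSWD_RE = re.compile(r"password changed for (?P<target>\S+)")


def enrich(user: dict[str, Any]) -> dict[str, Any]:
    """Add directory attributes for user.name and derive user.domain from the
    email address (the field description says that is the usual source)."""
    name = user.get("name")
    if name in DIRECTORY:
        user.update(copy.deepcopy(DIRECTORY[name]))
    email = user.get("email")
    if email and "domain" not in user and "@" in email:
        user["domain"] = email.rsplit("@", 1)[1]
    return user


def normalize(line: str) -> dict[str, Any]:
    """Map one log line onto the `user` fieldset. Returns {} for lines that
    carry no user information, which is valid since every field is optional."""
    if m := SUDO_RE.search(line):
        user = enrich({"name": m["name"]})
        # Privilege change: the identity after sudo goes under user.effective.
        user["effective"] = enrich({"name": m["effective"]})
        return user
    if m := PASSWD_RE.search(line):
        # Account modification: the account acted upon goes under user.target.
        # The actor is not present in this line, so the top level stays empty.
        return {"target": enrich({"name": m["target"]})}
    return {}


def validate(user: dict[str, Any], prefix: str = "user") -> list[str]:
    """Return schema violations (unknown field, wrong type, non-string ARRAY
    members), recursing into the nested reuse locations. [] means conformant."""
    problems: list[str] = []
    for key, value in user.items():
        path = f"{prefix}.{key}"
        if key in NESTED_USER_KEYS:
            if isinstance(value, dict):
                problems += validate(value, path)
            else:
                problems.append(f"{path} should be an object")
        elif key not in USER_FIELDS:
            problems.append(f"{path} is not a field of the user fieldset")
        elif not isinstance(value, USER_FIELDS[key]):
            problems.append(f"{path} should be {USER_FIELDS[key].__name__}")
        elif USER_FIELDS[key] is list and not all(isinstance(v, str) for v in value):
            problems.append(f"{path} must contain only strings")
    return problems


# Constructed sample input; not real log data.
SAMPLE_LINES = [
    "Apr 12 10:15:02 host1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
    "Apr 12 10:16:40 host1 passwd[2211]: pam_unix(passwd:chauthtok): "
    "password changed for svc_backup",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        u = normalize(line)
        print(u, "->", validate(u) or "ok")
    # A malformed object: roles given as a plain STRING instead of an ARRAY,
    # plus a key that is not part of the fieldset.
    print(validate({"name": "jdoe", "roles": "admin", "nickname": "jd"}))
```

The validator only knows the eight fields of this fieldset and the three nested keys, so anything a parser emits outside that set is flagged before it reaches a detection that expects, for example, user.roles to be an array.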