# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# 	http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: user
  title: User
  group: 2
  short: Fields to describe the user relevant to the event.
  description: >
    The user fields describe information about the user that is relevant
    to the event.

    Fields can have one entry or multiple entries. If a
    user has more than one id, provide an array that includes all of
    them.
  reusable:
    top_level: true
    expected:
      - client
      - destination
      - server
      - source
      - at: user
        as: target
        short_override: Targeted user of action taken.
      - at: user
        as: effective
        short_override: User whose privileges were assumed.
      - at: user
        as: changes
        short_override: Captures changes made to a user.
      - at: process
        as: user
        short_override: The effective user (euid).
      - at: process
        as: saved_user
        short_override: The saved user (suid).
      - at: process
        as: real_user
        short_override: The real user (ruid). Identifies the real owner of the process.
      - at: process
        as: attested_user
        short_override: The externally attested user based on an external source such as the Kube API.
        beta: Reusing the `user` fields in this location is currently considered beta.

  type: group
  fields:

    - name: id
      level: core
      type: keyword
      example: S-1-5-21-202424912787-2692429404-2351956786-1000
      description: >
        Unique identifier of the user.

    - name: name
      level: core
      type: keyword
      example: a.einstein
      description: >
        Short name or login of the user.
      multi_fields:
        - type: match_only_text
          name: text

    - name: full_name
      level: extended
      type: keyword
      example: Albert Einstein
      description: >
        User's full name, if available.
      multi_fields:
        - type: match_only_text
          name: text

    - name: email
      level: extended
      type: keyword
      description: >
        User email address.

    - name: hash
      level: extended
      type: keyword
      short: Unique user hash to correlate information for a user in anonymized form.
      description: >
        Unique user hash to correlate information for a user in anonymized form.

        Useful if `user.id` or `user.name` contain confidential information and
        cannot be used.

    - name: domain
      level: extended
      type: keyword
      short: Name of the directory the user is a member of.
      description: >
          Name of the directory the user is a member of.

          For example, an LDAP or Active Directory domain name.

    - name: roles
      level: extended
      type: keyword
      normalize:
        - array
      description: >
        Array of user roles at the time of the event.
      example: '["kibana_admin", "reporting_user"]'