Open
Description
There are some inconsistencies in how ECS user fields are handled across different integrations.
Specifically, when usernames are formatted as email addresses (e.g., "[email protected]"), some integrations split the username and domain, while others do not. This inconsistency leads to varied results in dashboards and queries, causing confusion.
According to the ECS user fields guidelines:
Here are a few pointers to help normalize some simple cases.
- When a system provides a composite value for the user name (e.g. DOMAINNAME\username), capture the domain name in user.domain and the user name (without the domain) in user.name.
- When a system uses an email address as the main identifier, populate both user.id and user.email with it.
Based on the guidelines above, the criteria to apply to all the integrations would be:
- When the user name contains an email address, the field is dissected into `<user.name>@<user.domain>`.
- The `user.email` field is also populated with the full email address.
- `user.name` and `user.email` are appended to `related.user`.
This is how most of the integrations already proceed.
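As an added illustration (not code from the issue or from any Elastic integration), the following Python function applies the three criteria above to a single raw user value and also covers the `DOMAINNAME\username` composite form from the ECS guidelines. The event layout, the function name `normalize_user` and the sample values are assumptions made for this example.

```python
from typing import Any, Dict, List


def _append_related_user(event: Dict[str, Any], values: List[str]) -> None:
    """Append each value to related.user, creating the list if needed and skipping duplicates."""
    related = event.setdefault("related", {})
    users = related.setdefault("user", [])
    for value in values:
        if value and value not in users:
            users.append(value)


def normalize_user(event: Dict[str, Any], raw_user: str) -> Dict[str, Any]:
    """Populate ECS user.* and related.user from one raw user identifier.

    Rules applied (from the issue's criteria plus the ECS guideline for composite names):
      - "local@domain"      -> user.name=local, user.domain=domain, user.email=full value,
                               related.user gets both user.name and user.email
      - "DOMAIN\\username"  -> user.domain=DOMAIN, user.name=username, related.user gets user.name
      - anything else       -> user.name=value, related.user gets user.name
    """
    user = event.setdefault("user", {})
    raw = raw_user.strip()

    # Email form: split on the last "@" so an unusual quoted local part keeps its own "@".
    if "@" in raw:
        name, _, domain = raw.rpartition("@")
        if name and domain:
            user["name"] = name
            user["domain"] = domain
            user["email"] = raw
            _append_related_user(event, [name, raw])
            return event

    # Windows-style composite form from the ECS guidelines: DOMAINNAME\username.
    if "\\" in raw:
        domain, _, name = raw.partition("\\")
        if domain and name:
            user["domain"] = domain
            user["name"] = name
            _append_related_user(event, [name])
            return event

    # Plain user name: nothing to dissect.
    user["name"] = raw
    _append_related_user(event, [raw])
    return event


def demo() -> List[Dict[str, Any]]:
    """Run the normalizer over a few constructed identifiers (sample values, not real data)."""
    samples = ["jdoe@example.com", "CORP\\jdoe", "jdoe"]
    return [normalize_user({}, sample) for sample in samples]


if __name__ == "__main__":
    for normalized in demo():
        print(normalized)
```

The `related.user` helper de-duplicates so that an integration which already added the bare user name earlier in its pipeline does not end up with repeated entries when the email form is processed later.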
Labels: AWS, BitDefender (Community supported), VMware Carbon Black Cloud, Check Point, Cisco ISE, Cisco Meraki, Cisco Secure Endpoint, CyberArk EPM, Cyberark Privileged Threat Analytics, Juniper SRX, Microsoft M365 Defender, Menlo Security, Microsoft Defender for Endpoint, MongoDB Atlas, Microsoft Office 365 Metrics, PingOne, Salesforce, Sophos, Swimlane Turbine (Community supported), Teleport, Tenable Vulnerability Management, Vectra Detect, Vectra RUX, Security Service Integrations team [elastic/security-service-integrations], New feature or request