I have a use case that is not described in the Elastic ECS documentation and I am looking for best practices on how to handle this.
So, basically, I have an application where an app admin can change multiple users at once. This action generates a single log in which the list of all users impacted by the change is displayed. Something like {..., "ImpactedUsers": ["userA", "userB", "userC", ...], ... }.
Which would be the best way to handle this? Having something like the following does not represent the reality of the event:
In my use case, the original data is an array containing identifiers of multiple users which are targeted by a configuration change. With this in mind, I thought of storing this data in user.id, as recommended in the ECS documentation. More precisely in the user.target nested field. But since each identifier is related to a different user, I am not sure what would be the best practice to store the data.
Yes, I am already using user.target and user.changes to describe IAM events where one single user is modified (role modification, user deletion and so on...).
The question here is how can I handle a SINGLE event where MULTIPLE users are modified at once? I will have to handle an array to store each modified user, but which method would be the best approach? Having user.target.id as an array where I store all the users' identifiers, or having user.target as an array storing one object to describe each single user?
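As an added example (not code from the original post), here is how the raw log from the question could be mapped into each of the two candidate shapes, a plain array under user.target.id or one object per user under user.target, with related.user populated so one query finds every user involved whichever shape is chosen. The timestamp, actor and action fields of the raw log are assumptions; the ECS field names used are the standard ones (event.category "iam", event.type "user"/"change", related.user).

```python
import json
from typing import Any

# Constructed sample: one application log line in which an admin changed
# three users at once (shape taken from the question, values invented).
RAW_LOG = json.dumps({
    "timestamp": "2024-01-01T12:00:00Z",   # assumed field
    "actor": "admin01",                    # assumed field
    "action": "role_change",               # assumed field
    "ImpactedUsers": ["userA", "userB", "userC"],
})


def to_ecs(raw: str, *, target_as_objects: bool) -> dict[str, Any]:
    """Map the raw log to an ECS-style document.

    target_as_objects=False -> user.target.id holds a plain array of ids
    (enough when only identifiers are known).
    target_as_objects=True  -> user.target holds one object per user; this is
    the shape to use if per-user attributes (name, roles, ...) must stay
    associated with their id. Note that Elasticsearch flattens an array of
    objects unless the field is mapped as type "nested".
    """
    src = json.loads(raw)
    ids = list(src["ImpactedUsers"])
    doc: dict[str, Any] = {
        "@timestamp": src["timestamp"],
        "event": {"kind": "event", "category": ["iam"],
                  "type": ["user", "change"], "action": src["action"]},
        "user": {"id": src["actor"]},
        # related.user lists the actor and every targeted user so a single
        # search on related.user finds this event regardless of shape.
        "related": {"user": sorted({src["actor"], *ids})},
    }
    if target_as_objects:
        doc["user"]["target"] = [{"id": uid} for uid in ids]
    else:
        doc["user"]["target"] = {"id": ids}
    return doc


def target_ids(doc: dict[str, Any]) -> list[str]:
    """Return the targeted user ids regardless of which shape was chosen."""
    target = doc["user"]["target"]
    if isinstance(target, list):
        return [t["id"] for t in target]
    return list(target["id"])
```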