How to describe multiple users in ECS

Hello,

I have a use case that is not described in the Elastic ECS documentation and I am looking for best practices on how to handle this.

So, basically, I have an application where an app admin can change multiple users at once. This action generates a single log entry that displays the list of all users impacted by the change. Something like {..., "ImpactedUsers": ["userA", "userB", "userC", ...], ... }.

Which would be the best way to handle this? Having something like the following does not represent the reality of the event:

{
  "user": {
    "target": {
      "id": ["userA", "userB", "userC", ...]
    }
  },
  "related": {
    "user": ["userA", "userB", "userC", ...]
  }
}

So I was thinking of implementing something like this, but I am not sure this is supported/recommended for the ECS normalization:

{
  "user": {
    "target": [
      {"user": {"id": "userA"}},
      {"user": {"id": "userB"}},
      {"user": {"id": "userC"}},
      ...
    ]
  },
  "related": {
    "user": ["userA", "userB", "userC", ...]
  }
}

Thank you very much.


Can you elaborate on which ECS field(s) or Elastic solution set you are trying to map to?

In my use case, the original data is an array containing identifiers of multiple users which are targeted by a configuration change. With this in mind, I thought to store this data into user.id, as recommended in the ECS documentation. More precisely in the user.target nested field. But since each identifier is related to a different user, I am not sure what would be the best practice to store the data.

If I understand your question correctly, it appears that it aligns closely with the example provided in this link: User Fields Usage and Examples | Elastic Common Schema (ECS) Reference [8.7] | Elastic.

Yes, I am already using user.target and user.changes to describe IAM events where one single user is modified (role modification, user deletion and so on...).

Question here is how can I handle a SINGLE event where MULTIPLE users are modified at once? I will have to handle an array to store each modified user, but which method would be the best approach? Having user.target.id as an array where I store all the users' identifiers, or having user.target as an array storing one object to describe each single user?
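To make the two candidate shapes concrete, here is an added example (not code from this thread, from Elastic, or from the ECS project) that normalizes a raw event of the kind described above into the first shape, and emulates what Elasticsearch's default `object` mapping does to the second shape at index time. The raw field names (`Actor`, `Action`, `ImpactedUsers`, `timestamp`) and the sample values are constructed for the example; the ECS field names used are `user.id`, `user.target.id`, `related.user` and `event.*`. Two facts the example relies on: an Elasticsearch keyword field such as `user.target.id` may hold any number of values, and an array of objects under a plain `object` field is flattened into parallel per-leaf arrays unless the field is mapped as `nested`, which ECS does not do.

```python
"""Normalizing a one-event-many-users IAM log into ECS.

Added example; not code from the forum thread, Elastic, or ECS itself.
Assumptions (not stated in the thread): the raw event is a JSON object with
"Actor", "Action", "timestamp" and an "ImpactedUsers" array; the ECS field
names follow the 8.x user.target.* and related.user definitions.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample event in the shape the question describes
# (the duplicate "userA" is deliberate, to show de-duplication).
RAW_EVENT = json.dumps({
    "timestamp": "2024-01-01T12:00:00Z",
    "Actor": "admin01",
    "Action": "role_change",
    "ImpactedUsers": ["userA", "userB", "userC", "userA"],
})


def to_ecs(raw_json: str) -> dict[str, Any]:
    """Map the raw event to ECS, keeping user.target.id as a multi-valued keyword.

    A keyword field accepts any number of values, so a single user.target.id
    array can carry every user touched by the one change; related.user gets
    the targets plus the acting admin so a search on any identity finds it.
    """
    raw = json.loads(raw_json)
    targets = sorted(set(raw["ImpactedUsers"]))  # dedupe; order carries no meaning
    actor = raw["Actor"]
    return {
        "@timestamp": raw["timestamp"],
        "event": {
            "category": ["iam"],
            "type": ["user", "change"],
            "action": raw["Action"],
        },
        "user": {
            "id": actor,
            "target": {"id": targets},
        },
        "related": {"user": sorted(set(targets) | {actor})},
    }


def flatten_like_elasticsearch(doc: Any, prefix: str = "") -> dict[str, list]:
    """Emulate how Elasticsearch's default `object` mapping indexes a document.

    Arrays of objects are flattened into one array per leaf field, so the
    grouping of values that belonged to the same object is lost (only the
    `nested` type preserves it, and ECS does not use `nested`).
    Returns {dotted_field_path: [values]}.
    """
    out: dict[str, list] = {}
    items = doc if isinstance(doc, list) else [doc]
    for item in items:
        if isinstance(item, dict):
            for key, val in item.items():
                path = f"{prefix}.{key}" if prefix else key
                for field, values in flatten_like_elasticsearch(val, path).items():
                    out.setdefault(field, []).extend(values)
        else:
            out.setdefault(prefix, []).append(item)
    return out


# The array-of-objects shape proposed in the question (constructed).
ARRAY_OF_OBJECTS = {
    "user": {"target": [{"user": {"id": "userA"}}, {"user": {"id": "userB"}}]},
}

# A variant with two attributes per target, to show that the per-user
# pairing of id and name does not survive indexing either (constructed).
PAIRED_TARGETS = {
    "user": {"target": [{"id": "userA", "name": "Alice"},
                        {"id": "userB", "name": "Bob"}]},
}

if __name__ == "__main__":
    print(json.dumps(to_ecs(RAW_EVENT), indent=2))
    print(flatten_like_elasticsearch(ARRAY_OF_OBJECTS))
    print(flatten_like_elasticsearch(PAIRED_TARGETS))
```

Running it shows that the array-of-objects form ends up indexed as `user.target.user.id: ["userA", "userB"]`, a path that is not an ECS field, and that even the variant using real `user.target.*` leaf names collapses to `user.target.id: [...]` and `user.target.name: [...]` with no link between positions. In other words, the two shapes in the question are stored the same way once they reach Elasticsearch, so the first one (a plain array in `user.target.id`) costs nothing in fidelity and keeps the standard field path. If per-target attributes such as name, role or the individual change must stay correlated, the option that preserves that is to emit one ECS document per target user that share the same `event.id`, rather than an array of objects.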
