Skip to content

Standardize user name and user email fields across security integrations #14133

Closed
#14137
Closed
Standardize user name and user email fields across security integrations#14133
#14137
Assignees
chemamartinez
Labels
Integration:awsAWSIntegration:bitdefenderBitDefender (Community supported)Integration:carbon_black_cloudVMware Carbon Black CloudIntegration:checkpointCheck PointIntegration:cisco_iseCisco ISEIntegration:cisco_merakiCisco MerakiIntegration:cisco_secure_endpointCisco Secure EndpointIntegration:cyberark_epmCyberArk EPMIntegration:cyberark_ptaCyberark Privileged Threat AnalyticsIntegration:juniper_srxJuniper SRXIntegration:m365_defenderMicrosoft Defender XDRIntegration:menloMenlo SecurityIntegration:microsoft_defender_endpointMicrosoft Defender for EndpointIntegration:mongodb_atlasMongoDB AtlasIntegration:o365_metricsMicrosoft Office 365 MetricsIntegration:ping_onePingOneIntegration:salesforceSalesforceIntegration:sophosSophosIntegration:swimlaneSwimlane Turbine (Community supported)Integration:teleportTeleportIntegration:tenable_ioTenable Vulnerability ManagementIntegration:vectra_detectVectra DetectIntegration:vectra_ruxVectra RUXTeam:Security-Service IntegrationsSecurity Service Integrations team [elastic/security-service-integrations]enhancementNew feature or request
@chemamartinez

Description

@chemamartinez
chemamartinez
opened on Jun 3, 2025

There exists some inconsistencies on how ECS user fields are handled across different integrations.

Specifically, when usernames are formatted as email addresses (e.g., "test.user@domain.com"), some integrations split the username and domain, while others do not. This inconsistency leads to varied results in dashboards and queries, causing confusion.

According to the ECS user fields guidelines:

Here are a few pointers to help normalize some simple cases.
- When a system provides a composite value for the user name
  (e.g. DOMAINNAME\username), capture the domain name in user.domain
  and the user name (without the domain) in user.name.
- When a system uses an email address as the main identifier, populate
  both user.id and user.email with it.

Based on the guidelines above, the criteria to apply to all the integrations would be:

  • When the user name contains an email address, this field is dissected into <user.name>@<user.domain>.
  • Also the user.email field is populated with the full email address.
  • Append user.name and user.email to related.user.

This is how most of the integrations already proceed.

Metadata

Metadata

Assignees

Labels

Integration:awsAWSIntegration:bitdefenderBitDefender (Community supported)Integration:carbon_black_cloudVMware Carbon Black CloudIntegration:checkpointCheck PointIntegration:cisco_iseCisco ISEIntegration:cisco_merakiCisco MerakiIntegration:cisco_secure_endpointCisco Secure EndpointIntegration:cyberark_epmCyberArk EPMIntegration:cyberark_ptaCyberark Privileged Threat AnalyticsIntegration:juniper_srxJuniper SRXIntegration:m365_defenderMicrosoft Defender XDRIntegration:menloMenlo SecurityIntegration:microsoft_defender_endpointMicrosoft Defender for EndpointIntegration:mongodb_atlasMongoDB AtlasIntegration:o365_metricsMicrosoft Office 365 MetricsIntegration:ping_onePingOneIntegration:salesforceSalesforceIntegration:sophosSophosIntegration:swimlaneSwimlane Turbine (Community supported)Integration:teleportTeleportIntegration:tenable_ioTenable Vulnerability ManagementIntegration:vectra_detectVectra DetectIntegration:vectra_ruxVectra RUXTeam:Security-Service IntegrationsSecurity Service Integrations team [elastic/security-service-integrations]enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions