Add user to .fleet-actions mapping #95935
aleksmaus merged 3 commits into elastic:master from aleksmaus:add/fleet-actions-user
Pinging @elastic/fleet (Team:Fleet)
ruflin left a comment
I'm not super keen on adding too much metadata to each action event. I wonder if perhaps we could do it in a different way that we only add user.id and reference to a user table? Where is user.id coming from? Is this an Elasticsearch user?
@scunningham Would be good to get your take on this one.
@aleksmaus We need to make sure these changes will also make it into the system indices.
| "email" : { | ||
| "type" : "keyword" | ||
| }, | ||
| "full_name" : { |
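Review bot: the `email` and `full_name` entries in this mapping copy user profile data into every action document, where it duplicates personal data and goes stale if the user record later changes. Mapping only an identifier such as `user.id` would still let actions be filtered and attributed to a user, with the display fields looked up from the user record when rendering.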
Do we really need the text parts of ECS? Will we run text queries on these?
This conforms to ECS definition of the fields.
Can add user.id only for sure.
Thought the extra user fields make the actions easier to render on UI without cross referencing between the indices.
Denormalization of the data seems pretty usual with nosql dbs
Thought the user info from .security index would be utilized here, for example the content of the user record:
Thinking of the cases where you want to render a list of actions with the corresponding user and possibly email link on UI.
* Add user to .fleet-actions mapping
* Leave only user.id, remove the rest of added fields
* Flatten to user_id
Summary
Add user field mapping to .fleet-actions index mappings. The format conforms to ECS (https://www.elastic.co/guide/en/ecs/current/ecs-user.html) but doesn't include all the fields.
This allows assigning the user data to the action that can be filtered/searched and rendered in UI as needed.
What do you think?