ecs
Loading

Group fields

Serverless Stack

The group fields are meant to represent groups that are relevant to the event.

Group field details

Field Description Level
group.domain Name of the directory the group is a member of.

For example, an LDAP or Active Directory domain name.

type: keyword		 extended
group.id Unique identifier for the group on the system/platform.

type: keyword		 extended
group.name Name of the group.

type: keyword		 extended

Field reuse

The group fields are expected to be nested at:

  • process.attested_groups
  • process.group
  • process.real_group
  • process.saved_group
  • process.supplemental_groups
  • user.group

Note also that the group fields may be used directly at the root of the events.