Open
Labels
enhancement: New feature or request
Description
Online Discussion
https://discuss.elastic.co/t/problems-using-ecs/381340
Summary
I try to use ECS to standardize various logs from different applications. I don't always manage to find a field that suits the situation, especially when it comes to user authorization/authentication. I would like to provide an example of some logs and discuss whether it is possible to store some of the information in the standard ECS schema.

Examples:
User s3 logged in via SSH with MFA enabled (true), using a web terminal named ko-ko.
user.name: s3
event.action: login
user.authentication.mfa: true (e)
user.authentication.count: 1 (e)
user.login.type: web-terminal (e)
user.login.terminal: ko-ko (e)

User s3 uploaded data to preferences-api with security settings.
user.name: s3
event.action: upload
label.resource.name: preferences-api (e)
label.resource.params: security (e)

User gen-ai used 5 commands to generate images. Output: "images1.png, images2.png will be generated."
user.name: gen-ai
user.session.command_count: 5 (e)
event.action: generate images
label.output: "images1.png, images2.png will be generated" (e)