elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

Add ability to capture authentication source #2179

Open bmagistro opened 1 year ago

bmagistro commented 1 year ago

Summary:

At present the user aspect of the schema allows the LDAP/AD domain to be captured. For some devices, multiple authentication methods/sources/databases (not sure what the right word to describe this is) may be supported (local, RADIUS, LDAP). It would be nice to be able to differentiate, in the event, how the particular user authenticated to the system in question. This would allow us to refine searches for, say, any local logins (with central auth, local should not be used) occurring on any device.

Detailed Design:
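As an added example (not code from the issue or from the ECS project), the search the comment above describes, run over constructed ECS-shaped events. The field name `authentication.source` is hypothetical: it stands in for whatever field the issue is asking for and is not part of ECS; `event.category`, `event.outcome`, `host.name`, `user.name` and `user.domain` are existing ECS fields. The example also shows why the existing `user.domain` alone cannot answer the question: a user with no domain may be a local account, but may equally be a RADIUS user or an event where the source was simply not recorded.

```python
"""Flag local logins on devices that should only accept centrally
authenticated users.

Added example, not part of the ECS project. `authentication.source` is a
hypothetical field name chosen for illustration; it does not exist in ECS.
All events below are constructed sample data shaped like flat ECS documents
(dotted keys), not captured logs.
"""
from collections import defaultdict

# Hypothetical field (assumption, not ECS). The remaining keys are real ECS fields.
AUTH_SOURCE_FIELD = "authentication.source"

# Constructed sample events: one LDAP login, local logins on several hosts,
# one event with no source recorded, one non-authentication event, one RADIUS login.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T10:00:00Z", "host.name": "core-sw-01",
     "event.category": "authentication", "event.outcome": "success",
     "user.name": "jdoe", "user.domain": "corp", AUTH_SOURCE_FIELD: "ldap"},
    {"@timestamp": "2024-03-01T10:05:00Z", "host.name": "core-sw-01",
     "event.category": "authentication", "event.outcome": "success",
     "user.name": "admin", AUTH_SOURCE_FIELD: "local"},
    {"@timestamp": "2024-03-01T10:06:00Z", "host.name": "edge-rtr-07",
     "event.category": "authentication", "event.outcome": "failure",
     "user.name": "admin", AUTH_SOURCE_FIELD: "local"},
    {"@timestamp": "2024-03-01T10:07:00Z", "host.name": "lab-sw-03",
     "event.category": "authentication", "event.outcome": "success",
     "user.name": "admin", AUTH_SOURCE_FIELD: "local"},
    {"@timestamp": "2024-03-01T10:08:00Z", "host.name": "core-sw-02",
     "event.category": "authentication", "event.outcome": "success",
     "user.name": "svc-backup"},                       # no source recorded
    {"@timestamp": "2024-03-01T10:09:00Z", "host.name": "core-sw-02",
     "event.category": "network", "event.outcome": "success",
     "user.name": "admin", AUTH_SOURCE_FIELD: "local"},  # not an auth event
    {"@timestamp": "2024-03-01T10:10:00Z", "host.name": "core-sw-01",
     "event.category": "authentication", "event.outcome": "success",
     "user.name": "ops", AUTH_SOURCE_FIELD: "radius"},
]

# Constructed inventory: hosts where only central (LDAP/RADIUS) auth is expected.
CENTRAL_AUTH_HOSTS = {"core-sw-01", "core-sw-02", "edge-rtr-07"}


def is_auth_event(event):
    """event.category may be a single value or a list in ECS documents."""
    cat = event.get("event.category")
    if isinstance(cat, list):
        return "authentication" in cat
    return cat == "authentication"


def triage_local_logins(events, central_auth_hosts):
    """Return (alerts, unknown).

    alerts:  authentication events on central-auth hosts whose source is local,
             successful or not (a failed local attempt still means local
             credentials are being tried).
    unknown: authentication events on those hosts with no source recorded.
             These are kept separate rather than silently dropped, so a
             device that does not emit the field shows up as a coverage gap.
    """
    alerts, unknown = [], []
    for ev in events:
        if not is_auth_event(ev):
            continue
        if ev.get("host.name") not in central_auth_hosts:
            continue
        source = ev.get(AUTH_SOURCE_FIELD)
        if source is None:
            unknown.append(ev)
        elif source.lower() == "local":
            alerts.append(ev)
    return alerts, unknown


def summarize(alerts):
    """Count outcomes per (host, user) so one noisy account is visible at a glance."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0, "other": 0})
    for ev in alerts:
        outcome = ev.get("event.outcome")
        key = outcome if outcome in ("success", "failure") else "other"
        counts[(ev["host.name"], ev.get("user.name"))][key] += 1
    return dict(counts)


def guess_local_by_missing_domain(events, central_auth_hosts):
    """What you can do with ECS today: treat 'no user.domain' as 'local'.

    Over-matches: RADIUS users and events lacking the field look the same.
    """
    return [ev for ev in events
            if is_auth_event(ev)
            and ev.get("host.name") in central_auth_hosts
            and not ev.get("user.domain")]


if __name__ == "__main__":
    found, gaps = triage_local_logins(SAMPLE_EVENTS, CENTRAL_AUTH_HOSTS)
    for ev in found:
        print("LOCAL LOGIN", ev["host.name"], ev["user.name"], ev["event.outcome"])
    for ev in gaps:
        print("NO SOURCE  ", ev["host.name"], ev["user.name"])
    print("domain heuristic would flag:",
          sorted(e["user.name"] for e in guess_local_by_missing_domain(SAMPLE_EVENTS, CENTRAL_AUTH_HOSTS)))
```

Run as-is, the source-aware check flags the two local `admin` logins on `core-sw-01` and `edge-rtr-07` and reports the `svc-backup` event as missing the field, while the domain-only heuristic additionally sweeps in the RADIUS user `ops` and the unlabelled `svc-backup` event, which is the gap the issue is asking the schema to close.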

mr1716 commented 1 year ago

There was also a request for RFC 36 to add authentication fields; this could be one of them, to be added if desired: https://github.com/elastic/ecs/blob/main/rfcs/text/0036-authentication-fields.md

Unsure where the Elastic team is with implementing that, though.

mr1716 commented 1 year ago

@kgeller any sense of when the authentication RFC could be integrated? This could be part of that.

kgeller commented 1 year ago

@mr1716 The authentication RFC is still stage 0; we don't typically add the fields until stage 2 (beta) or stage 3 (GA). This has a nice overview of the stages.

mr1716 commented 1 year ago

@kgeller I thought it was merged and moved past stage 0, awaiting stage 1.

kgeller commented 1 year ago

That is correct, it is stage 0 (and awaiting stage 1). Once it makes it to stage 2 (merged), it would be eligible to be added to ecs as beta.