Open yoonlees opened 1 month ago
Hi @yoonlees,
The issue's description says nothing to me. Could you please explain what you mean by a user being with or "without an organization"? Could you please provide some examples of Splunk events containing this new field, showing the different types of values that it could take?
Hi @mihail-varbanov,
This is referring to the conversation we had in Slack. Similar to how MongoDB logins_sessions has a Boolean for “anonymous”, we would like to have a field in the Splunk events that definitively identifies whether the user is anonymous vs. authenticated. We are trying to find the most accurate way to see whether a user is signed in with a NetID, and we are currently relying on logic based on icard_role. If the “anonymous” field works for this, then we would expect something as simple as:
anonymous: true
OR
anonymous: false
Thanks @cschwin2, I got it!
What about if the user is logged in with phone or email? FYI, these are the different login types supported by Core BB. Here is how they are mapped to action field values when we log the auth Splunk event.
So, we could add the boolean anonymous field that you want, but you should define when it is true: when the user is OIDC logged in, or when it is just logged in in any way. Or, we can add a "login_type" field, for example, that could take different values - the short list values that you get on auth.action, or the full list that represents each possible login type. What is your preference?
Thank you @mihail-varbanov, I think it would be great to have a "login_type" field. The short list would likely suffice. To make sure I am understanding it correctly, that would give us the logins that are anonymous, phone, email, username, and OIDC (netid?), correct?
@cschwin2, I added a user_auth_type field with the following possible values: oidc, phone, email, user_name, anonymous. You can treat the oidc auth type as net_id; net_id is just a particular case of oidc. This will be available in the upcoming versions 6.0.52 / 6.1.13.
This is perfect. Thank you very much, @mihail-varbanov!
Is your feature request related to a problem? Please describe.
There is no problem with the current Illinois app logging, but we want to enrich more.
Describe the solution you'd like
In the event log, add an 'anonymous' field to indicate users without an organization.