Add user.roles to the authorization audit log#5583
Merged
Conversation
Emit the roles the principal held as the ECS user.roles array on each authorization decision, so SIEMs can facet and alert on roles instead of parsing them out of the free-text reason. Omitted when the principal has no roles. Additive output change; first shipped in 6.18.0 without it, so targets the next patch (6.18.1) or minor (6.19.0).
WilliamBZA
approved these changes
Jul 9, 2026
WilliamBZA
pushed a commit
that referenced
this pull request
Jul 9, 2026
Add user.roles to the authorization audit log Emit the roles the principal held as the ECS user.roles array on each authorization decision, so SIEMs can facet and alert on roles instead of parsing them out of the free-text reason. Omitted when the principal has no roles.
WilliamBZA
added a commit
that referenced
this pull request
Jul 9, 2026
* Add improvements to authorization settings * Add ecs.version to the audit log ECS documents (#5584) The authorization and message-action audit documents omitted the ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in logs-*-* index template, Elastic Security, other SIEMs) use ecs.version to select the matching field mappings, so a conformant document should declare it. Both streams now emit "ecs": { "version": "8.11.0" } — the latest ECS schema release, whose event.category/type/outcome and user.* fields are what these documents already use. Additive, non-breaking output change. First shipped in 6.18.0 without the field, so this targets the next patch (6.18.1) or minor (6.19.0). ECS version field: https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html event.type allowed values (allowed/denied/change/deletion): https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html ECS releases: https://github.com/elastic/ecs/releases * Add user.roles to the authorization audit log (#5583) Add user.roles to the authorization audit log Emit the roles the principal held as the ECS user.roles array on each authorization decision, so SIEMs can facet and alert on roles instead of parsing them out of the free-text reason. Omitted when the principal has no roles. * Add improvements to authorization settings (#5588) --------- Co-authored-by: Ramon Smits <ramon.smits@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #5590
Emits the roles the principal held as the ECS
user.rolesarray on each authorization decision, so SIEMs can facet and alert on roles instead of parsing the free-textreason. Omitted when the principal has no roles.