Skip to content

Add user.roles to the authorization audit log#5583

Merged
ramonsmits merged 2 commits into
masterfrom
audit-log-user-roles
Jul 9, 2026
Merged

Add user.roles to the authorization audit log#5583
ramonsmits merged 2 commits into
masterfrom
audit-log-user-roles

Conversation

@ramonsmits

@ramonsmits ramonsmits commented Jul 8, 2026

Copy link
Copy Markdown
Member

Fixes #5590

Emits the roles the principal held as the ECS user.roles array on each authorization decision, so SIEMs can facet and alert on roles instead of parsing the free-text reason. Omitted when the principal has no roles.

Emit the roles the principal held as the ECS user.roles array on each
authorization decision, so SIEMs can facet and alert on roles instead of
parsing them out of the free-text reason. Omitted when the principal has
no roles.

Additive output change; first shipped in 6.18.0 without it, so targets the
next patch (6.18.1) or minor (6.19.0).
@WilliamBZA WilliamBZA marked this pull request as ready for review July 9, 2026 08:42
@ramonsmits ramonsmits enabled auto-merge (squash) July 9, 2026 08:44
@ramonsmits ramonsmits merged commit 5695500 into master Jul 9, 2026
33 checks passed
@ramonsmits ramonsmits deleted the audit-log-user-roles branch July 9, 2026 08:58
WilliamBZA pushed a commit that referenced this pull request Jul 9, 2026
Add user.roles to the authorization audit log

Emit the roles the principal held as the ECS user.roles array on each
authorization decision, so SIEMs can facet and alert on roles instead of
parsing them out of the free-text reason. Omitted when the principal has
no roles.
WilliamBZA added a commit that referenced this pull request Jul 9, 2026
* Add improvements to authorization settings

* Add ecs.version to the audit log ECS documents (#5584)

The authorization and message-action audit documents omitted the
ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in
logs-*-* index template, Elastic Security, other SIEMs) use ecs.version
to select the matching field mappings, so a conformant document should
declare it. Both streams now emit "ecs": { "version": "8.11.0" } — the
latest ECS schema release, whose event.category/type/outcome and user.*
fields are what these documents already use.

Additive, non-breaking output change. First shipped in 6.18.0 without the
field, so this targets the next patch (6.18.1) or minor (6.19.0).

ECS version field: https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html
event.type allowed values (allowed/denied/change/deletion):
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html
ECS releases: https://github.com/elastic/ecs/releases

* Add user.roles to the authorization audit log (#5583)

Add user.roles to the authorization audit log

Emit the roles the principal held as the ECS user.roles array on each
authorization decision, so SIEMs can facet and alert on roles instead of
parsing them out of the free-text reason. Omitted when the principal has
no roles.

* Add improvements to authorization settings (#5588)

---------

Co-authored-by: Ramon Smits <ramon.smits@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

User roles are not emitted to the authorization audit log

2 participants