Skip to content

Cherry-pick for release 6.18.1#5591

Merged
WilliamBZA merged 4 commits into
release-6.18from
cherry-pick-6.18.1
Jul 9, 2026
Merged

Cherry-pick for release 6.18.1#5591
WilliamBZA merged 4 commits into
release-6.18from
cherry-pick-6.18.1

Conversation

@WilliamBZA

@WilliamBZA WilliamBZA commented Jul 9, 2026

Copy link
Copy Markdown
Member

@WilliamBZA WilliamBZA changed the title Add improvements to authorization settings Cherry-pick for release 6.18.1 Jul 9, 2026
ramonsmits and others added 3 commits July 9, 2026 11:07
The authorization and message-action audit documents omitted the
ecs.version field. ECS-consuming pipelines (Elasticsearch's built-in
logs-*-* index template, Elastic Security, other SIEMs) use ecs.version
to select the matching field mappings, so a conformant document should
declare it. Both streams now emit "ecs": { "version": "8.11.0" } — the
latest ECS schema release, whose event.category/type/outcome and user.*
fields are what these documents already use.

Additive, non-breaking output change. First shipped in 6.18.0 without the
field, so this targets the next patch (6.18.1) or minor (6.19.0).

ECS version field: https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html
event.type allowed values (allowed/denied/change/deletion):
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html
ECS releases: https://github.com/elastic/ecs/releases
Add user.roles to the authorization audit log

Emit the roles the principal held as the ECS user.roles array on each
authorization decision, so SIEMs can facet and alert on roles instead of
parsing them out of the free-text reason. Omitted when the principal has
no roles.
@WilliamBZA WilliamBZA enabled auto-merge (squash) July 9, 2026 09:10
@WilliamBZA WilliamBZA merged commit add215a into release-6.18 Jul 9, 2026
33 checks passed
@WilliamBZA WilliamBZA deleted the cherry-pick-6.18.1 branch July 9, 2026 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants