|
| 1 | +# 0051: Add user.is_privileged boolean field |
| 2 | + |
| 3 | +- Stage: **0 (strawperson)** |
| 4 | +- Date: **2025-07-28** |
| 5 | + |
| 6 | +This RFC proposes adding a new boolean field, `user.is_privileged`. It will explicitly flag when a user has elevated or administrative rights such as ability to grant permissions, perform `sudo`, or manage IAM roles—so analysts can more easily filter, alert on, and correlate privileged‐user activity without custom parsing. |
| 7 | + |
| 8 | +## Fields |
| 9 | + |
| 10 | +```yaml |
| 11 | +- name: user.is_privileged |
| 12 | + type: boolean |
| 13 | + level: extended |
| 14 | + description: > |
| 15 | + True if the user associated with the event has elevated or administrative privileges, |
| 16 | + such as membership in a `sudo` or `Administrators` group, use of `sudo`, or assignment |
| 17 | + of owner/admin roles in cloud IAM. |
| 18 | + example: true |
| 19 | +``` |
| 20 | +
|
| 21 | +## Usage |
| 22 | +
|
| 23 | +Treating privileged status as a first-class field (vs. a tag) lets Kibana’s Entity Store resolve the current boolean value without extra parsing. |
| 24 | +
|
| 25 | +Analysts will often want to perform more focused monitoring on privileged users, having it as a field in ECS will simplify this querying, e.g |
| 26 | +
|
| 27 | +```kql |
| 28 | +event.category:authentication and user.is_privileged:true |
| 29 | +``` |
| 30 | + |
| 31 | +## Source data |
| 32 | + |
| 33 | +The entity centric integrations such as okta entity analytics and Entra ID entity analytics could populate this field, linux and windows integrations could also annotate command executions with this. |
| 34 | + |
| 35 | +## Scope of impact |
| 36 | + |
| 37 | +<!-- |
| 38 | +Stage 2: Identifies scope of impact of changes. Are breaking changes required? Should deprecation strategies be adopted? Will significant refactoring be involved? Break the impact down into: |
| 39 | + * Ingestion mechanisms (e.g. beats/logstash) |
| 40 | + * Usage mechanisms (e.g. Kibana applications, detections) |
| 41 | + * ECS project (e.g. docs, tooling) |
| 42 | +The goal here is to research and understand the impact of these changes on users in the community and development teams across Elastic. 2-5 sentences each. |
| 43 | +--> |
| 44 | + |
| 45 | +## Concerns |
| 46 | + |
| 47 | +- Cross-platform consistency: what counts as “privileged”? |
| 48 | +<!-- |
| 49 | +Stage 1: Identify potential concerns, implementation challenges, or complexity. Spend some time on this. Play devil's advocate. Try to identify the sort of non-obvious challenges that tend to surface later. The goal here is to surface risks early, allow everyone the time to work through them, and ultimately document resolution for posterity's sake. |
| 50 | +--> |
| 51 | + |
| 52 | +<!-- |
| 53 | +Stage 2: Document new concerns or resolutions to previously listed concerns. It's not critical that all concerns have resolutions at this point, but it would be helpful if resolutions were taking shape for the most significant concerns. |
| 54 | +--> |
| 55 | + |
| 56 | +<!-- |
| 57 | +Stage 3: Document resolutions for all existing concerns. Any new concerns should be documented along with their resolution. The goal here is to eliminate risk of churn and instability by ensuring all concerns have been addressed. |
| 58 | +--> |
| 59 | + |
| 60 | +## People |
| 61 | + |
| 62 | +The following are the people that consulted on the contents of this RFC. |
| 63 | + |
| 64 | +* @hop-dev | author |
| 65 | +* @jaredburgettelastic | co-author |
| 66 | +* @MikePaquette | SME |
| 67 | + |
| 68 | + |
| 69 | + |
| 70 | +## References |
| 71 | + |
| 72 | +<!-- Insert any links appropriate to this RFC in this section. --> |
| 73 | + |
| 74 | +### RFC Pull Requests |
| 75 | + |
| 76 | +* Stage 0: https://github.com/elastic/ecs/pull/2493 |
| 77 | + |
| 78 | +<!-- |
| 79 | +* Stage 1: https://github.com/elastic/ecs/pull/NNN |
| 80 | +... |
| 81 | +--> |
0 commit comments