diff --git a/CHANGELOG.md b/CHANGELOG.md
index e37142f9b4..6d87b265fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file based on the
 * Add `host.name` field and clarify usage of `host.hostname`.
 * Add `event.start` and `event.end` date fields.
 * Create new `related` field set with `related.ip`. #206
+* Add `user.groups` field. #204
 ### Improvements
 * Improve and clarify the definition of Device fields #192
diff --git a/README.md b/README.md
index 2a6de62d4d..d27ee8d8aa 100644
--- a/README.md
+++ b/README.md
@@ -419,6 +419,7 @@ Note also that the `user` fields may be used directly at the top level.
 | user.name | Name of the user.
The field is a keyword, and will not be tokenized. | core | keyword | |
 | user.email | User email address. | extended | keyword | |
 | user.hash | Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used. | extended | keyword | |
+| user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword | |
diff --git a/fields.yml b/fields.yml
index 1a4b053f57..fe8620a8b5 100644
--- a/fields.yml
+++ b/fields.yml
@@ -1270,3 +1270,10 @@ Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+ - name: group
+ level: extended
+ type: keyword
+ description: >
+ Group the user is a part of. This field can contain a list of groups, if
+ necessary.
diff --git a/schema.csv b/schema.csv
index 0539d50c9e..38fa454b3b 100644
--- a/schema.csv
+++ b/schema.csv
@@ -127,6 +127,7 @@ url.query,keyword,extended,
 url.scheme,keyword,extended,https
 url.username,keyword,extended,
 user.email,keyword,extended,
+user.group,keyword,extended,
 user.hash,keyword,extended,
 user.id,keyword,core,
 user.name,keyword,core,
diff --git a/schemas/user.yml b/schemas/user.yml
index 84fd9a6013..4e50d21828 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -44,3 +44,10 @@ Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+ - name: group
+ level: extended
+ type: keyword
+ description: >
+ Group the user is a part of. This field can contain a list of groups, if
+ necessary.
diff --git a/template.json b/template.json
index fb669a32ea..0220be2138 100644
--- a/template.json
+++ b/template.json
@@ -618,6 +618,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "hash": {
 "ignore_above": 1024,
 "type": "keyword"
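Review bot: The CHANGELOG entry names the new field `user.groups`, while the schemas/user.yml hunk and the matching additions in fields.yml, schema.csv, template.json and README.md all define `user.group`; the entry should read ``* Add `user.group` field. #204`` so the release notes match the schema. The new `description` also does not say whether the value is a group name or a group identifier, even though this field set already separates `user.id` from `user.name`, so a producer whose source reports both cannot tell which belongs here and consumers correlating group membership across sources cannot rely on the values lining up. I would extend the description with one sentence stating which of the two is meant and that, when a list is given, every element follows the same rule. The same description text is duplicated in the fields.yml hunk, so both copies need the change.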