From df9b3def9b95b4ad135dc56a6415893787a0ce9e Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Mon, 3 Dec 2018 10:06:11 -0500
Subject: [PATCH] Add user.group (#204)

---
 CHANGELOG.md | 1 +
 README.md | 1 +
 fields.yml | 7 +++++++
 schema.csv | 1 +
 schemas/user.yml | 7 +++++++
 template.json | 4 ++++
 6 files changed, 21 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0547ab5d42..c187e63901 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file based on the
 * Add `host.name` field and clarify usage of `host.hostname`.
 * Add `event.start` and `event.end` date fields.
 * Create new `related` field set with `related.ip`. #206
+* Add `user.groups` field. #204
 ### Improvements
diff --git a/README.md b/README.md
index e42eee9fb8..3d0c46bebe 100644
--- a/README.md
+++ b/README.md
@@ -419,6 +419,7 @@ Note also that the `user` fields may be used directly at the top level.
 | user.name | Name of the user.
The field is a keyword, and will not be tokenized. | core | keyword | |
 | user.email | User email address. | extended | keyword | |
 | user.hash | Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used. | extended | keyword | |
+| user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword | |
diff --git a/fields.yml b/fields.yml
index 96e24c2e52..84c395ee6d 100644
--- a/fields.yml
+++ b/fields.yml
@@ -1271,3 +1271,10 @@
       Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+  - name: group
+    level: extended
+    type: keyword
+    description: >
+      Group the user is a part of. This field can contain a list of groups, if
+      necessary.
diff --git a/schema.csv b/schema.csv
index 0539d50c9e..38fa454b3b 100644
--- a/schema.csv
+++ b/schema.csv
@@ -127,6 +127,7 @@ url.query,keyword,extended,
 url.scheme,keyword,extended,https
 url.username,keyword,extended,
 user.email,keyword,extended,
+user.group,keyword,extended,
 user.hash,keyword,extended,
 user.id,keyword,core,
 user.name,keyword,core,
diff --git a/schemas/user.yml b/schemas/user.yml
index 84fd9a6013..4e50d21828 100644
--- a/schemas/user.yml
+++ b/schemas/user.yml
@@ -44,3 +44,10 @@
       Useful if `user.id` or `user.name` contain confidential information and cannot be used.
+
+  - name: group
+    level: extended
+    type: keyword
+    description: >
+      Group the user is a part of. This field can contain a list of groups, if
+      necessary.
diff --git a/template.json b/template.json
index fb669a32ea..0220be2138 100644
--- a/template.json
+++ b/template.json
@@ -618,6 +618,10 @@
         "ignore_above": 1024,
         "type": "keyword"
       },
+      "group": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      },
       "hash": {
         "ignore_above": 1024,
         "type": "keyword"
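Review bot: The new field is defined as `group` in schemas/user.yml (and as `user.group` in fields.yml, schema.csv and template.json), but the CHANGELOG entry added by the same patch calls it `user.groups`; the CHANGELOG line should read `* Add `user.group` field. #204` so the release notes match the schema. The description on the new `group` entry says the field may hold a single value or a list, but not what the value is — a group name, a numeric id, or another identifier — and a `keyword` mapping with `ignore_above: 1024` will store any of them, so events from different sources may end up with mixed, non-correlatable values unless the schema pins this down; if the name is intended, a sentence such as `Name of the group the user is a member of.` would make that explicit. The identical wording in the fields.yml hunk suggests that file (and presumably schema.csv and template.json) is generated from schemas/user.yml, so any rewording would need those files regenerated rather than edited by hand; note also that the README row is appended after `user.hash` while schema.csv lists `user.group` alphabetically before it.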