diff --git a/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecorator.java b/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecorator.java
index 951a9b8e28a..a55d7dd80fd 100644
--- a/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecorator.java
+++ b/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecorator.java
@@ -1,6 +1,7 @@
 package datadog.trace.bootstrap.instrumentation.decorator;
 
 import static datadog.trace.api.UserEventTrackingMode.DISABLED;
+import static datadog.trace.api.UserEventTrackingMode.SAFE;
 
 import datadog.trace.api.Config;
 import datadog.trace.api.UserEventTrackingMode;
@@ -9,10 +10,17 @@
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import datadog.trace.bootstrap.instrumentation.api.Tags;
 import java.util.Map;
+import java.util.regex.Pattern;
 import javax.annotation.Nonnull;
 
 public class AppSecUserEventDecorator {
 
+  private static final String NUMBER_PATTERN = "[0-9]+";
+  private static final String UUID_PATTERN =
+      "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
+  private static final Pattern SAFE_USER_ID_PATTERN =
+      Pattern.compile(NUMBER_PATTERN + "|" + UUID_PATTERN, Pattern.CASE_INSENSITIVE);
+
   public boolean isEnabled() {
     if (!ActiveSubsystems.APPSEC_ACTIVE) {
       return false;
@@ -41,9 +49,7 @@ public void onLoginSuccess(String userId, Map<String, String> metadata) {
       return;
     }
 
-    if (userId != null) {
-      segment.setTagTop("usr.id", userId);
-    }
+    onUserId(segment, "usr.id", userId);
     onEvent(segment, "users.login.success", metadata);
   }
 
@@ -53,10 +59,7 @@ public void onLoginFailure(String userId, Map<String, String> metadata) {
       return;
     }
 
-    if (userId != null) {
-      segment.setTagTop("appsec.events.users.login.failure.usr.id", userId);
-    }
-
+    onUserId(segment, "appsec.events.users.login.failure.usr.id", userId);
     onEvent(segment, "users.login.failure", metadata);
   }
 
@@ -66,9 +69,7 @@ public void onSignup(String userId, Map<String, String> metadata) {
       return;
     }
 
-    if (userId != null) {
-      segment.setTagTop("usr.id", userId);
-    }
+    onUserId(segment, "usr.id", userId);
     onEvent(segment, "users.signup", metadata);
   }
 
@@ -87,6 +88,18 @@ private void onEvent(@Nonnull TraceSegment segment, String eventName, Map<String
     }
   }
 
+  private void onUserId(final TraceSegment segment, final String tag, final String userId) {
+    if (userId == null) {
+      return;
+    }
+    UserEventTrackingMode mode = Config.get().getAppSecUserEventsTrackingMode();
+    if (mode == SAFE && !SAFE_USER_ID_PATTERN.matcher(userId).matches()) {
+      // do not set the user id if not numeric or UUID
+      return;
+    }
+    segment.setTagTop(tag, userId);
+  }
+
   protected TraceSegment getSegment() {
     return AgentTracer.get().getTraceSegment();
   }
diff --git a/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecoratorTest.groovy b/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecoratorTest.groovy
index 0c94c7b5cc4..97252221b05 100644
--- a/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecoratorTest.groovy
+++ b/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/AppSecUserEventDecoratorTest.groovy
@@ -1,9 +1,13 @@
 package datadog.trace.bootstrap.instrumentation.decorator
 
+import datadog.trace.api.Config
 import datadog.trace.api.internal.TraceSegment
 import datadog.trace.bootstrap.ActiveSubsystems
 import datadog.trace.test.util.DDSpecification
 
+import static datadog.trace.api.UserEventTrackingMode.DISABLED
+import static datadog.trace.api.UserEventTrackingMode.EXTENDED
+import static datadog.trace.api.UserEventTrackingMode.SAFE
 import static datadog.trace.api.config.AppSecConfig.APPSEC_AUTOMATED_USER_EVENTS_TRACKING
 
 class AppSecUserEventDecoratorTest extends DDSpecification {
@@ -27,20 +31,26 @@ class AppSecUserEventDecoratorTest extends DDSpecification {
     def decorator = newDecorator()
 
     when:
-    decorator.onSignup('user', ['key1': 'value1', 'key2': 'value2'])
+    decorator.onSignup(user, ['key1': 'value1', 'key2': 'value2'])
 
     then:
-    1 * traceSegment.setTagTop('_dd.appsec.events.users.signup.auto.mode', modeTag)
+    1 * traceSegment.setTagTop('_dd.appsec.events.users.signup.auto.mode', mode)
     1 * traceSegment.setTagTop('appsec.events.users.signup.track', true, true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('usr.id', 'user')
-    1 * traceSegment.setTagTop('appsec.events.users.signup', ['key1':'value1', 'key2':'value2'])
+    if (setUser) {
+      1 * traceSegment.setTagTop('usr.id', user)
+    }
+    1 * traceSegment.setTagTop('appsec.events.users.signup', ['key1': 'value1', 'key2': 'value2'])
     0 * _
 
     where:
-    mode        | modeTag
-    'safe'      | 'SAFE'
-    'extended'  | 'EXTENDED'
+    mode       | user                                   | setUser
+    'safe'     | 'user'                                 | false
+    'safe'     | '1234'                                 | true
+    'safe'     | '591dc126-8431-4d0f-9509-b23318d3dce4' | true
+    'extended' | 'user'                                 | true
+    'extended' | '1234'                                 | true
+    'extended' | '591dc126-8431-4d0f-9509-b23318d3dce4' | true
   }
 
   def "test onLoginSuccess [#mode]"() {
@@ -49,44 +59,54 @@ class AppSecUserEventDecoratorTest extends DDSpecification {
     def decorator = newDecorator()
 
     when:
-    decorator.onLoginSuccess('user', ['key1': 'value1', 'key2': 'value2'])
+    decorator.onLoginSuccess(user, ['key1': 'value1', 'key2': 'value2'])
 
     then:
-    1 * traceSegment.setTagTop('_dd.appsec.events.users.login.success.auto.mode', modeTag)
+    1 * traceSegment.setTagTop('_dd.appsec.events.users.login.success.auto.mode', mode)
     1 * traceSegment.setTagTop('appsec.events.users.login.success.track', true, true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('usr.id', 'user')
-    1 * traceSegment.setTagTop('appsec.events.users.login.success', ['key1':'value1', 'key2':'value2'])
+    if (setUser) {
+      1 * traceSegment.setTagTop('usr.id', user)
+    }
+    1 * traceSegment.setTagTop('appsec.events.users.login.success', ['key1': 'value1', 'key2': 'value2'])
     0 * _
 
     where:
-    mode        | modeTag
-    'safe'      | 'SAFE'
-    'extended'  | 'EXTENDED'
+    mode       | user                                   | setUser
+    'safe'     | 'user'                                 | false
+    'safe'     | '1234'                                 | true
+    'safe'     | '591dc126-8431-4d0f-9509-b23318d3dce4' | true
+    'extended' | 'user'                                 | true
+    'extended' | '1234'                                 | true
+    'extended' | '591dc126-8431-4d0f-9509-b23318d3dce4' | true
   }
 
-  def "test onLoginFailed #description [#mode]"() {
+  def "test onLoginFailed [#mode]"() {
     setup:
     injectSysConfig(APPSEC_AUTOMATED_USER_EVENTS_TRACKING, mode)
     def decorator = newDecorator()
 
     when:
-    decorator.onLoginFailure('user', ['key1': 'value1', 'key2': 'value2'])
+    decorator.onLoginFailure(user, ['key1': 'value1', 'key2': 'value2'])
 
     then:
-    1 * traceSegment.setTagTop('_dd.appsec.events.users.login.failure.auto.mode', modeTag)
+    1 * traceSegment.setTagTop('_dd.appsec.events.users.login.failure.auto.mode', mode)
     1 * traceSegment.setTagTop('appsec.events.users.login.failure.track', true, true)
     1 * traceSegment.setTagTop('asm.keep', true)
-    1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.id', 'user')
-    1 * traceSegment.setTagTop('appsec.events.users.login.failure', ['key1':'value1', 'key2':'value2'])
+    if (setUser) {
+      1 * traceSegment.setTagTop('appsec.events.users.login.failure.usr.id', user)
+    }
+    1 * traceSegment.setTagTop('appsec.events.users.login.failure', ['key1': 'value1', 'key2': 'value2'])
     0 * _
 
     where:
-    mode       | modeTag    | description
-    'safe'     | 'SAFE'     | 'with existing user'
-    'safe'     | 'SAFE'     | 'user doesn\'t exist'
-    'extended' | 'EXTENDED' | 'with existing user'
-    'extended' | 'EXTENDED' | 'user doesn\'t exist'
+    mode       | user                                   | setUser
+    'safe'     | 'user'                                 | false
+    'safe'     | '1234'                                 | true
+    'safe'     | '591dc126-8431-4d0f-9509-b23318d3dce4' | true
+    'extended' | 'user'                                 | true
+    'extended' | '1234'                                 | true
+    'extended' | '591dc126-8431-4d0f-9509-b23318d3dce4' | true
   }
 
   def "test onUserNotFound [#mode]"() {
@@ -102,9 +122,7 @@ class AppSecUserEventDecoratorTest extends DDSpecification {
     0 * _
 
     where:
-    mode       | modeTag
-    'safe'     | 'SAFE'
-    'extended' | 'EXTENDED'
+    mode << ['safe', 'extended']
   }
 
   def "test isEnabled (appsec = #appsec, mode = #mode)"() {
@@ -119,22 +137,29 @@ class AppSecUserEventDecoratorTest extends DDSpecification {
     then:
     enabled == result
 
+    and:
+    Config.get().getAppSecUserEventsTrackingMode() == expectedMode
+
     where:
-    appsec | mode       | result
-    false  | "disabled" | false
-    false  | "safe"     | false
-    false  | "extended" | false
-    true   | "disabled" | false
-    true   | "safe"     | true
-    true   | "extended" | true
+    appsec | mode       | result | expectedMode
+    false  | "disabled" | false  | DISABLED
+    false  | "safe"     | false  | SAFE
+    false  | "1"        | false  | SAFE
+    false  | "true"     | false  | SAFE
+    false  | "extended" | false  | EXTENDED
+    true   | "disabled" | false  | DISABLED
+    true   | "safe"     | true   | SAFE
+    true   | "1"        | true   | SAFE
+    true   | "true"     | true   | SAFE
+    true   | "extended" | true   | EXTENDED
   }
 
   def newDecorator() {
     return new AppSecUserEventDecorator() {
-        @Override
-        protected TraceSegment getSegment() {
-          return traceSegment
-        }
+      @Override
+      protected TraceSegment getSegment() {
+        return traceSegment
       }
+    }
   }
 }
diff --git a/dd-java-agent/instrumentation/spring-security-5/src/main/java17/datadog/trace/instrumentation/springsecurity5/SpringSecurityUserEventDecorator.java b/dd-java-agent/instrumentation/spring-security-5/src/main/java17/datadog/trace/instrumentation/springsecurity5/SpringSecurityUserEventDecorator.java
index 4ee9c0170ca..0f3590d86cf 100644
--- a/dd-java-agent/instrumentation/spring-security-5/src/main/java17/datadog/trace/instrumentation/springsecurity5/SpringSecurityUserEventDecorator.java
+++ b/dd-java-agent/instrumentation/spring-security-5/src/main/java17/datadog/trace/instrumentation/springsecurity5/SpringSecurityUserEventDecorator.java
@@ -40,12 +40,10 @@ public void onSignup(UserDetails user, Throwable throwable) {
     }
 
     UserEventTrackingMode mode = Config.get().getAppSecUserEventsTrackingMode();
-    String userId = null;
+    String userId = user.getUsername();
     Map<String, String> metadata = null;
 
-    if (mode == EXTENDED && user != null) {
-      userId = user.getUsername();
-
+    if (mode == EXTENDED) {
       metadata = new HashMap<>();
       metadata.put("enabled", String.valueOf(user.isEnabled()));
       metadata.put(
@@ -71,44 +69,36 @@ public void onLogin(Authentication authentication, Throwable throwable, Authenti
       return;
     }
 
-    String userId = null;
-
-    if (mode == EXTENDED) {
-      userId = authentication.getName();
-    }
-
-    if (mode != DISABLED) {
-      if (throwable == null && result != null && result.isAuthenticated()) {
-        Map<String, String> metadata = null;
-        Object principal = result.getPrincipal();
-        if (principal instanceof User) {
-          User user = (User) principal;
-          metadata = new HashMap<>();
-          metadata.put("enabled", String.valueOf(user.isEnabled()));
-          metadata.put(
-              "authorities",
-              user.getAuthorities().stream()
-                  .map(Object::toString)
-                  .collect(Collectors.joining(",")));
-          metadata.put("accountNonExpired", String.valueOf(user.isAccountNonExpired()));
-          metadata.put("accountNonLocked", String.valueOf(user.isAccountNonLocked()));
-          metadata.put("credentialsNonExpired", String.valueOf(user.isCredentialsNonExpired()));
-        }
-
-        onLoginSuccess(userId, metadata);
-      } else if (throwable != null) {
-        // On bad password, throwable would be
-        // org.springframework.security.authentication.BadCredentialsException,
-        // on user not found, throwable can be BadCredentials or
-        // org.springframework.security.core.userdetails.UsernameNotFoundException depending on the
-        // internal setting
-        // hideUserNotFoundExceptions (or a custom AuthenticationProvider implementation overriding
-        // this).
-        // This would be the ideal place to check whether the user exists or not, but we cannot do
-        // so reliably yet.
-        // See UsernameNotFoundExceptionInstrumentation for more details.
-        onLoginFailure(userId, null);
+    String userId = result != null ? result.getName() : authentication.getName();
+
+    if (throwable == null && result != null && result.isAuthenticated()) {
+      Map<String, String> metadata = null;
+      Object principal = result.getPrincipal();
+      if (principal instanceof User) {
+        User user = (User) principal;
+        metadata = new HashMap<>();
+        metadata.put("enabled", String.valueOf(user.isEnabled()));
+        metadata.put(
+            "authorities",
+            user.getAuthorities().stream().map(Object::toString).collect(Collectors.joining(",")));
+        metadata.put("accountNonExpired", String.valueOf(user.isAccountNonExpired()));
+        metadata.put("accountNonLocked", String.valueOf(user.isAccountNonLocked()));
+        metadata.put("credentialsNonExpired", String.valueOf(user.isCredentialsNonExpired()));
       }
+
+      onLoginSuccess(userId, metadata);
+    } else if (throwable != null) {
+      // On bad password, throwable would be
+      // org.springframework.security.authentication.BadCredentialsException,
+      // on user not found, throwable can be BadCredentials or
+      // org.springframework.security.core.userdetails.UsernameNotFoundException depending on the
+      // internal setting
+      // hideUserNotFoundExceptions (or a custom AuthenticationProvider implementation overriding
+      // this).
+      // This would be the ideal place to check whether the user exists or not, but we cannot do
+      // so reliably yet.
+      // See UsernameNotFoundExceptionInstrumentation for more details.
+      onLoginFailure(userId, null);
     }
   }
 
diff --git a/dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SpringBootBasedTest.groovy b/dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SpringBootBasedTest.groovy
index 53c2756f64d..c25ec3a0bfa 100644
--- a/dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SpringBootBasedTest.groovy
+++ b/dd-java-agent/instrumentation/spring-security-5/src/test/groovy/datadog/trace/instrumentation/springsecurity5/SpringBootBasedTest.groovy
@@ -124,7 +124,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == REGISTER.body
     !span.getTags().isEmpty()
     span.getTag("appsec.events.users.signup.track") == true
-    span.getTag("_dd.appsec.events.users.signup.auto.mode") == 'EXTENDED'
+    span.getTag("_dd.appsec.events.users.signup.auto.mode") == 'extended'
     span.getTag("usr.id") == 'admin'
     span.getTag("appsec.events.users.signup")['enabled'] == 'true'
     span.getTag("appsec.events.users.signup")['authorities'] == 'ROLE_USER'
@@ -150,7 +150,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag("appsec.events.users.login.failure.track") == true
-    span.getTag("_dd.appsec.events.users.login.failure.auto.mode") == 'EXTENDED'
+    span.getTag("_dd.appsec.events.users.login.failure.auto.mode") == 'extended'
     span.getTag("appsec.events.users.login.failure.usr.exists") == false
     span.getTag("appsec.events.users.login.failure.usr.id") == 'not_existing_user'
   }
@@ -174,7 +174,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag("appsec.events.users.login.failure.track") == true
-    span.getTag("_dd.appsec.events.users.login.failure.auto.mode") == 'EXTENDED'
+    span.getTag("_dd.appsec.events.users.login.failure.auto.mode") == 'extended'
     // TODO: Ideally should be `false` but we have no reliable method to detect it it is just absent. See APPSEC-12765.
     span.getTag("appsec.events.users.login.failure.usr.exists") == null
     span.getTag("appsec.events.users.login.failure.usr.id") == 'admin'
@@ -200,7 +200,7 @@ class SpringBootBasedTest extends AppSecHttpServerTest<ConfigurableApplicationCo
     response.body().string() == LOGIN.body
     !span.getTags().isEmpty()
     span.getTag("appsec.events.users.login.success.track") == true
-    span.getTag("_dd.appsec.events.users.login.success.auto.mode") == 'EXTENDED'
+    span.getTag("_dd.appsec.events.users.login.success.auto.mode") == 'extended'
     span.getTag("usr.id") == 'admin'
     span.getTag("appsec.events.users.login.success")['credentialsNonExpired'] == 'true'
     span.getTag("appsec.events.users.login.success")['accountNonExpired'] == 'true'
diff --git a/internal-api/src/main/java/datadog/trace/api/UserEventTrackingMode.java b/internal-api/src/main/java/datadog/trace/api/UserEventTrackingMode.java
index cb21c257e00..070bbe76a61 100644
--- a/internal-api/src/main/java/datadog/trace/api/UserEventTrackingMode.java
+++ b/internal-api/src/main/java/datadog/trace/api/UserEventTrackingMode.java
@@ -1,17 +1,39 @@
 package datadog.trace.api;
 
 public enum UserEventTrackingMode {
-  DISABLED,
-  SAFE,
-  EXTENDED;
+  DISABLED("disabled"),
+  SAFE("safe", "true", "1"),
+  EXTENDED("extended");
+
+  private final String value;
+  private final String[] modes;
+
+  UserEventTrackingMode(final String... modes) {
+    value = modes[0];
+    this.modes = modes;
+  }
+
+  private boolean matches(final String mode) {
+    for (final String value : modes) {
+      if (value.equalsIgnoreCase(mode)) {
+        return true;
+      }
+    }
+    return false;
+  }
 
   public static UserEventTrackingMode fromString(String s) {
-    if ("true".equalsIgnoreCase(s) || "1".equals(s) || "safe".equalsIgnoreCase(s)) {
+    if (SAFE.matches(s)) {
       return SAFE;
     }
-    if ("extended".equalsIgnoreCase(s)) {
+    if (EXTENDED.matches(s)) {
       return EXTENDED;
     }
     return DISABLED;
   }
+
+  @Override
+  public String toString() {
+    return value;
+  }
 }