Actor

actor

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.

Attributes

CaptionNameTypeDescription
Application Nameapp_nameStringThe client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process if present.
Application IDapp_uidStringThe unique identifier of the client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process.pid or process.uid if present.
Authorization InformationauthorizationsAuthorization Result[]Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.
Identity ProvideridpIdentity Provider[]This object describes details about the Identity Provider used.
Invoked byinvoked_byStringThe name of the service that invoked the activity as described in the event.

🚧 WARNING: DEPRECATED

Invoked by has been deprecated since 1.2.0. Use app_name, app_uid attributes instead.

ProcessprocessLinux Process[]Entity:LINUX_PROCESS

The process that initiated the activity.
Raw Dataraw_dataJSONGroup:context

The event data as received from the event source.
Record IDrecord_idStringGroup:primary

Unique identifier for the object
SessionsessionSession[]The user session from which the activity was initiated.
UnmappedunmappedUnmapped[]Data from the source that was not mapped into the schema.
UseruserUser[]Entity:USER

The user that initiated the activity or the user context from which the activity was initiated.

Relationships

Actor shown in context

Inbound Relationships

These objects and events reference Actor in their attributes:

Outbound Relationships

Actor references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0


Did this page help you?