Identity Activity Metrics
identity_activity_metrics
The Identity Activity Metrics object captures usage patterns, authentication activity, credential usage and other metrics for identities across cloud and on-premises environments. Example identities include AWS IAM Users, Roles, Azure AD Principals, GCP Service Accounts, on-premises Active Directory accounts.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| First Seen | first_seen_time |
Timestamp | The timestamp when this identity was first observed or created in the system. This helps establish the identity's age and lifecycle stage for risk assessment. |
| Last Authentication Time | last_authentication_time |
Timestamp |
The timestamp when this identity last successfully authenticated to any system or service. This differs from last_seen_time as it specifically tracks authentication events rather than all activities.
|
| Last Seen | last_seen_time |
Timestamp | The timestamp of the most recent activity performed by this identity, including authentication, resource access, or API calls. This is the most comprehensive indicator of identity usage recency. |
| Password Last Used Time | password_last_used_time |
Timestamp | The timestamp when password-based authentication was last used by this identity. This helps distinguish between password and other authentication methods (MFA, SSO, certificates) and identify password-specific usage patterns. |
| Programmatic Credentials | programmatic_credentials |
Programmatic Credential[] | Details about the programmatic credentials associated with this identity, such as API keys, service account keys, access tokens, and client certificates used for automated access. |
| Raw Data | raw_data |
JSON |
Group:contextThe event data as received from the event source. |
| Record ID | record_id |
String |
Group:primaryUnique identifier for the object |
| Unmapped | unmapped |
Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference Identity Activity Metrics in their attributes:
Outbound Relationships
Identity Activity Metrics references the following objects and events in its attributes:
This page describes qdm-1.5.1+ocsf-1.6.0
Updated about 7 hours ago