Managed Entity

managed_entity

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute, type_id should be 'Other' and the type attribute should label the entity type.

Attributes

Caption	Name	Type	Description
Data	`data`	JSON	The managed entity content as a JSON object.
Device	`device`	Device[]	Entity:`ENDPOINT` An addressable device, computer system or host.
Email	`email`	Email[]	Entity:`EMAIL` The email object.
Group	`group`	Group[]	The group object associated with an entity such as user, policy, or rule.
Geo Location	`location`	Geo Location[]	Entity:`GEO_LOCATION` The detailed geographical location usually associated with an IP address.
Name	`name`	String	The name of the managed entity. It should match the name of the specific entity object's name if populated, or the name of the managed entity if the type_id is 'Other'.
Organization	`org`	Organization[]	Organization and org unit relevant to the event or object.
Policy	`policy`	Policy[]	Describes details of a managed policy.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Type	`type`	String	The managed entity type. For example: Policy, User, Organization, Device.
Type ID	`type_id`	Integer	The type of the Managed Entity. It is recommended to also populate the type attribute with the associated label, or the source specific name if Other. `1`: Device (`DEVICE`) `2`: User (`USER`) `3`: Group (`GROUP`) `4`: Organization (`ORGANIZATION`) `5`: Policy (`POLICY`) `6`: Email (`EMAIL`) `7`: Network Zone (`NETWORK_ZONE`) `0`: Unknown (`UNKNOWN`) `99`: Other (`OTHER`)
Unique ID	`uid`	String	The identifier of the managed entity. It should match the uid of the specific entity's object UID if populated, or the source specific ID if the type_id is 'Other'.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
User	`user`	User[]	Entity:`USER` The user that pertains to the event or object.
Version	`version`	String	The version of the managed entity. For example: 1.2.3.

Relationships

Inbound Relationships

These objects and events reference Managed Entity in their attributes:

Entity Management

Outbound Relationships

Managed Entity references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0

Updated 3 days ago