Managed Entity

managed_entity

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute, type_id should be 'Other' and the type attribute should label the entity type.

Attributes

CaptionNameTypeDescription
DatadataJSONThe managed entity content as a JSON object.
DevicedeviceDevice[]Entity:ENDPOINT

An addressable device, computer system or host.
EmailemailEmail[]Entity:EMAIL

The email object.
GroupgroupGroup[]The group object associated with an entity such as user, policy, or rule.
Geo LocationlocationGeo Location[]Entity:GEO_LOCATION

The detailed geographical location usually associated with an IP address.
NamenameStringThe name of the managed entity. It should match the name of the specific entity object's name if populated, or the name of the managed entity if the type_id is 'Other'.
OrganizationorgOrganization[]Organization and org unit relevant to the event or object.
PolicypolicyPolicy[]Describes details of a managed policy.
Raw Dataraw_dataJSONGroup:context

The event data as received from the event source.
Record IDrecord_idStringGroup:primary

Unique identifier for the object
TypetypeStringThe managed entity type. For example: Policy, User, Organization, Device.
Type IDtype_idIntegerThe type of the Managed Entity. It is recommended to also populate the type attribute with the associated label, or the source specific name if Other.
  • 1: Device (DEVICE)
  • 2: User (USER)
  • 3: Group (GROUP)
  • 4: Organization (ORGANIZATION)
  • 5: Policy (POLICY)
  • 6: Email (EMAIL)
  • 7: Network Zone (NETWORK_ZONE)
  • 0: Unknown (UNKNOWN)
  • 99: Other (OTHER)
Unique IDuidStringThe identifier of the managed entity. It should match the uid of the specific entity's object UID if populated, or the source specific ID if the type_id is 'Other'.
UnmappedunmappedUnmapped[]Data from the source that was not mapped into the schema.
UseruserUser[]Entity:USER

The user that pertains to the event or object.
VersionversionStringThe version of the managed entity. For example: 1.2.3.

Relationships

Managed Entity shown in context

Inbound Relationships

These objects and events reference Managed Entity in their attributes:

Outbound Relationships

Managed Entity references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0


Did this page help you?