Managed Entity

managed_entity

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

Attributes

CaptionNameTypeDescription
Data data JSON The managed entity content as a JSON object.
Device device Device[] An addressable device, computer system or host.
Email email Email[] Entity:EMAIL
The email object.
Group group Group[] The group object associated with an entity such as user, policy, or rule.
Geo Location location Geo Location[] Entity:GEO_LOCATION
The detailed geographical location usually associated with an IP address.
Name name String The name of the managed entity.
Organization org Organization[] Organization and org unit relevant to the event or object.
Policy policy Policy[] Describes details of a managed policy.
Raw Data raw_data JSON Group:context
The event data as received from the event source.
Record ID record_id String Group:primary
Unique identifier for the object
Type type String The managed entity type. For example: policy, user, organizational unit, device.
Type ID type_id Integer The type of the Managed Entity. It is recommended to also populate the type attribute with the associated label, or the source specific name if Other.
  • 0: Unknown (UNKNOWN)
  • 1: Device (DEVICE)
  • 2: User (USER)
  • 3: Group (GROUP)
  • 4: Organization (ORGANIZATION)
  • 5: Policy (POLICY)
  • 6: Email (EMAIL)
  • 99: Other (OTHER)
Unique ID uid String The identifier of the managed entity.
Unmapped unmapped Unmapped[] Data from the source that was not mapped into the schema.
User user User[] Entity:USER
The user that pertains to the event or object.
Version version String The version of the managed entity. For example: 1.2.3.

Relationships

Managed Entity shown in context

Inbound Relationships

These objects and events reference Managed Entity in their attributes:

Outbound Relationships

Managed Entity references the following objects and events in its attributes:

This page describes ocsf-1.4.0