Managed Entity

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

Attributes

| Caption | Name | Type | Description |
| --- | --- | --- | --- |
| Data | data | JSON | The managed entity content as a JSON object. |
| Device | device | Device[] | An addressable device, computer system or host. |
| Email | email | Email[] | The email object. |
| Group | group | Group[] | The group object associated with an entity such as user, policy, or rule. |
| Name | name | String | The name of the managed entity. |
| Organization | org | Organization[] | Organization and org unit relevant to the event or object. |
| Policy | policy | Policy[] | Describes details of a managed policy. |
| Raw Data | raw_data | JSON | The event data as received from the event source. |
| Record ID | record_id | String | Unique identifier for the object. |
| Type | type | String | The managed entity type. For example: policy, user, organizational unit, device. |
| Type ID | type_id | Integer | The type of the Managed Entity. It is recommended to also populate the type attribute with the associated label, or the source specific name if Other. Values: 0: Unknown (UNKNOWN); 1: Device (DEVICE); 2: User (USER); 3: Group (GROUP); 4: Organization (ORGANIZATION); 5: Policy (POLICY); 6: Email (EMAIL); 99: Other (OTHER). |
| Unique ID | uid | String | The identifier of the managed entity. |
| Unmapped Data | unmapped | Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| User | user | User[] | The user that pertains to the event or object. |
| Version | version | String | The version of the managed entity. For example: 1.2.3. |
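
The type_id rule described at the top of this page, as an added example that is not part of the schema documentation: a Python check that flags Managed Entity records whose type_id does not match the attributes they populate. The sample records, the function names, and treating an empty data attribute on an Other entity as a finding are assumptions of this example.

```python
import json

# type_id -> attribute that should carry the entity, per the attribute table.
TYPED_ATTRS = {1: "device", 2: "user", 3: "group", 4: "org", 5: "policy", 6: "email"}
KNOWN_TYPE_IDS = {0, 99} | set(TYPED_ATTRS)

# Constructed sample input: one Managed Entity per line (not real event data).
SAMPLE_RECORDS = """\
{"uid": "e-1", "type_id": 2, "type": "user", "user": [{"name": "alice"}]}
{"uid": "e-2", "type_id": 1, "type": "device"}
{"uid": "e-3", "type_id": 99, "data": {"kind": "license"}}
{"uid": "e-4", "type_id": 7, "type": "rule"}
{"uid": "e-5", "type_id": 99, "type": "license", "data": {"seats": 25}}
"""


def check_managed_entity(entity):
    """Return a list of findings; an empty list means the record is consistent."""
    type_id = entity.get("type_id")
    # bool is an int subclass in Python, so JSON true must not pass as 1.
    if not isinstance(type_id, int) or isinstance(type_id, bool) or type_id not in KNOWN_TYPE_IDS:
        return [f"type_id {type_id!r} is not in the enum"]
    findings = []
    attr = TYPED_ATTRS.get(type_id)
    if attr and not entity.get(attr):
        findings.append(f"type_id {type_id} set but '{attr}' is not populated")
    if type_id == 99:
        if not entity.get("type"):
            findings.append("type_id 99 (Other) without a 'type' naming the entity")
        # Assumption of this example: an Other entity with no data is worth flagging.
        if not entity.get("data"):
            findings.append("type_id 99 (Other) carries no 'data' content")
    elif attr and not entity.get("type"):
        # The page only recommends the label, so this is the weakest finding.
        findings.append("'type' label not populated (recommended)")
    return findings


def check_stream(text):
    """Check newline-delimited JSON records; return {uid: findings} for flagged ones."""
    entities = [json.loads(line) for line in text.splitlines() if line.strip()]
    checked = {e.get("uid", "?"): check_managed_entity(e) for e in entities}
    return {uid: found for uid, found in checked.items() if found}


if __name__ == "__main__":
    print(json.dumps(check_stream(SAMPLE_RECORDS), indent=2))
```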

Relationships

Managed Entity shown in context

Inbound Relationships

These objects and events reference Managed Entity in their attributes:

Outbound Relationships

Managed Entity references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0