User
user
The user object describes the identity of a user.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Account | account |
Account[] | The user's account or the account associated with the user. |
| User Credential ID | credential_uid |
String |
Entity:USER_CREDENTIAL_IDThe unique identifier of the user's credential. For example, AWS Access Key ID. |
| Devices | devices |
Device[] | The devices related to user. |
| Domain | domain |
String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
| Email Address | email_addr |
Email Address |
Entity:EMAIL_ADDRESSThe user's primary email address. |
| Forwarding Address | forward_addr |
Email Address |
Entity:EMAIL_ADDRESSThe user's forwarding email address. |
| Full Name | full_name |
String | The full name of the person, as per the LDAP Common Name attribute (cn). |
| Groups | groups |
Group[] | The administrative groups to which the user belongs. |
| MFA Assigned | has_mfa |
Boolean | The user has a multi-factor or secondary-factor device assigned. |
| Last Login | last_login_time |
Timestamp | The last time when the user logged in. |
| LDAP Person | ldap_person |
LDAP Person[] | The additional LDAP attributes that describe a person. |
| Name | name |
User Name |
Entity:USER_NAMEThe username. For example, janedoe1.
|
| Organization | org |
Organization[] | Organization and org unit related to the user. |
| Telephone Number | phone_number |
String | The telephone number of the user. |
| Raw Data | raw_data |
JSON |
Group:contextThe event data as received from the event source. |
| Record ID | record_id |
String |
Group:primaryUnique identifier for the object |
| Risk Level | risk_level |
String | The risk level, normalized to the caption of the risk_level_id value. |
| Risk Level ID | risk_level_id |
Integer |
The normalized risk level id.
|
| Risk Score | risk_score |
Integer | The risk score as reported by the event source. |
| Type | type |
String | The type of the user. For example, System, AWS IAM User, etc. |
| Type ID | type_id |
Integer |
The account type identifier.
|
| Unique ID | uid |
String |
Entity:USER_OBJECT_UIDThe unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. |
| Alternate ID | uid_alt |
String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
| Unmapped | unmapped |
Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference User in their attributes:
- Authorize Session
- User Inventory Info
- Detection Finding
- Evidence Artifacts
- Actor
- Device
- Vulnerability Finding
- Network Endpoint
- Linux Process
- Data Security Finding
- Tunnel Activity
- Resource Details
- Authentication
- User Access Management
- LDAP Person
- Job
- Finding
- Incident Finding
- Managed Entity
- Network Proxy Endpoint
- Drone Flights Activity
- Admin Group Query
- File
- Group Management
- Airborne Broadcast Activity
- User Query
- Databucket
- Affected Code
- Account Change
- Compliance Finding
- Endpoint
Outbound Relationships
User references the following objects and events in its attributes:
This page describes ocsf-1.4.0
Updated 3 days ago