User
user
The user object describes the identity of a user.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Account | account | Account[] | The user's account or the account associated with the user. |
User Credential ID | credential_uid | String | Entity:USER_CREDENTIAL_ID The unique identifier of the user's credential. For example, AWS Access Key ID. |
Devices | devices | Device[] | The devices related to the user. |
Domain | domain | String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
Email Address | email_addr | Email Address | Entity:EMAIL_ADDRESS The user's primary email address. |
Forwarding Address | forward_addr | Email Address | Entity:EMAIL_ADDRESS The user's forwarding email address. |
Full Name | full_name | String | The full name of the person, as per the LDAP Common Name attribute (cn). |
Groups | groups | Group[] | The administrative groups to which the user belongs. |
MFA Assigned | has_mfa | Boolean | The user has a multi-factor or secondary-factor device assigned. |
Last Login | last_login_time | Timestamp | The last time when the user logged in. |
LDAP Person | ldap_person | LDAP Person[] | The additional LDAP attributes that describe a person. |
Name | name | User Name | Entity:USER_NAME The username. For example, janedoe1. |
Organization | org | Organization[] | Organization and org unit related to the user. |
Telephone Number | phone_number | String | The telephone number of the user. |
Raw Data | raw_data | JSON | Group:context The event data as received from the event source. |
Record ID | record_id | String | Group:primary Unique identifier for the object. |
Risk Level | risk_level | String | The risk level, normalized to the caption of the risk_level_id value. |
Risk Level ID | risk_level_id | Integer | The normalized risk level id. |
Risk Score | risk_score | Integer | The risk score as reported by the event source. |
Type | type | String | The type of the user. For example, System, AWS IAM User, etc. |
Type ID | type_id | Integer | The account type identifier. |
Unique ID | uid | String | Entity:USER_OBJECT_UID The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. |
Alternate ID | uid_alt | String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference User in their attributes:
- Authorize Session
- User Inventory Info
- Detection Finding
- Evidence Artifacts
- Actor
- Device
- Vulnerability Finding
- Network Endpoint
- Linux Process
- Data Security Finding
- Tunnel Activity
- Resource Details
- Authentication
- User Access Management
- LDAP Person
- Job
- Finding
- Incident Finding
- Managed Entity
- Network Proxy Endpoint
- Drone Flights Activity
- Admin Group Query
- File
- Group Management
- Airborne Broadcast Activity
- User Query
- Databucket
- Affected Code
- Account Change
- Compliance Finding
- Endpoint
Outbound Relationships
User references the following objects and events in its attributes:
This page describes ocsf-1.4.0
Updated 3 days ago