User
user
The user object describes the identity of a user.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Account | account | Account[] | The user's account or the account associated with the user. |
| User Credential ID | credential_uid | String | Entity: |
| Devices | devices | Device[] | The devices related to user. |
| Domain | domain | String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
| Email Address | email_addr | Email Address | Entity: |
| Forwarding Address | forward_addr | Email Address | Entity: |
| Full Name | full_name | String | The full name of the person, as per the LDAP Common Name attribute (cn). |
| Groups | groups | Group[] | The administrative groups to which the user belongs. |
| MFA Assigned | has_mfa | Boolean | The user has a multi-factor or secondary-factor device assigned. |
| Last Login | last_login_time | Timestamp | The last time when the user logged in. |
| LDAP Person | ldap_person | LDAP Person[] | The additional LDAP attributes that describe a person. |
| Name | name | User Name | Entity: |
| Organization | org | Organization[] | Organization and org unit related to the user. |
| Telephone Number | phone_number | String | The telephone number of the user. |
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| Risk Level | risk_level | String | The risk level, normalized to the caption of the risk_level_id value. |
| Risk Level ID | risk_level_id | Integer | The normalized risk level id.
|
| Risk Score | risk_score | Integer | The risk score as reported by the event source. |
| Type | type | String | The type of the user. For example, System, AWS IAM User, etc. |
| Type ID | type_id | Integer | The account type identifier.
|
| Unique ID | uid | String | Entity: |
| Alternate ID | uid_alt | String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference User in their attributes:
- Authorize Session
- User Inventory Info
- Detection Finding
- Evidence Artifacts
- Actor
- Device
- Vulnerability Finding
- Network Endpoint
- Linux Process
- Data Security Finding
- Tunnel Activity
- Resource Details
- Authentication
- User Access Management
- LDAP Person
- Job
- Finding
- Incident Finding
- Managed Entity
- Network Proxy Endpoint
- Drone Flights Activity
- Admin Group Query
- File
- Group Management
- Airborne Broadcast Activity
- User Query
- Databucket
- Affected Code
- Account Change
- Compliance Finding
- Endpoint
Outbound Relationships
User references the following objects and events in its attributes:
This page describes ocsf-1.4.0
Updated 9 days ago