user

The user object describes the identity of a user.

Attributes

| Caption | Name | Type | Description |
| --- | --- | --- | --- |
| Account | account | Account[] | The user's account or the account associated with the user. |
| User Credential ID | credential_uid | String | Entity:USER_CREDENTIAL_ID. The unique identifier of the user's credential. For example, AWS Access Key ID. |
| Devices | devices | Device[] | The devices related to the user. |
| Domain | domain | String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
| Email Address | email_addr | Email Address | Entity:EMAIL_ADDRESS. The user's primary email address. |
| Forwarding Address | forward_addr | Email Address | Entity:EMAIL_ADDRESS. The user's forwarding email address. |
| Full Name | full_name | String | The full name of the person, as per the LDAP Common Name attribute (cn). |
| Groups | groups | Group[] | The administrative groups to which the user belongs. |
| MFA Assigned | has_mfa | Boolean | The user has a multi-factor or secondary-factor device assigned. |
| Last Login | last_login_time | Timestamp | The last time when the user logged in. |
| LDAP Person | ldap_person | LDAP Person[] | The additional LDAP attributes that describe a person. |
| Name | name | User Name | Entity:USER_NAME. The username. For example, janedoe1. |
| Organization | org | Organization[] | Organization and org unit related to the user. |
| Telephone Number | phone_number | String | The telephone number of the user. |
| Raw Data | raw_data | JSON | Group:context. The event data as received from the event source. |
| Record ID | record_id | String | Group:primary. Unique identifier for the object. |
| Risk Level | risk_level | String | The risk level, normalized to the caption of the risk_level_id value. |
| Risk Level ID | risk_level_id | Integer | The normalized risk level id. 0: Info (INFO); 1: Low (LOW); 2: Medium (MEDIUM); 3: High (HIGH); 4: Critical (CRITICAL); 99: Other (OTHER) |
| Risk Score | risk_score | Integer | The risk score as reported by the event source. |
| Type | type | String | The type of the user. For example, System, AWS IAM User, etc. |
| Type ID | type_id | Integer | The account type identifier. 0: Unknown (UNKNOWN); 1: User (USER); 2: Admin (ADMIN); 3: System (SYSTEM); 99: Other (OTHER) |
| Unique ID | uid | String | Entity:USER_OBJECT_UID. The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. |
| Alternate ID | uid_alt | String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |

Relationships

User shown in context

Inbound Relationships

These objects and events reference User in their attributes:

Outbound Relationships

User references the following objects and events in its attributes:

This page describes ocsf-1.4.0