User

user

The user object describes the identity of a user.

Attributes

Caption | Name | Type | Description

Account | account | Account[]

The user's account or the account associated with the user.

User Credential ID | credential_uid | String

Entity: USER_CREDENTIAL_ID
The unique identifier of the user's credential. For example, AWS Access Key ID.

Devices | devices | Device[]

The devices related to the user.

Domain | domain | String

The domain where the user is defined. For example: the LDAP or Active Directory domain.

Email Address | email_addr | Email Address

Entity: EMAIL_ADDRESS
The user's primary email address.

Forwarding Address | forward_addr | Email Address

Entity: EMAIL_ADDRESS
The user's forwarding email address.

Full Name | full_name | String

The full name of the person, as per the LDAP Common Name attribute (cn).

Groups | groups | Group[]

The administrative groups to which the user belongs.

MFA Assigned | has_mfa | Boolean

The user has a multi-factor or secondary-factor device assigned.

Last Login | last_login_time | Timestamp

The last time the user logged in.

LDAP Person | ldap_person | LDAP Person[]

The additional LDAP attributes that describe a person.

Name | name | User Name

Entity: USER_NAME
The username. For example, janedoe1.

Organization | org | Organization[]

Organization and org unit related to the user.

Telephone Number | phone_number | String

The telephone number of the user.

Raw Data | raw_data | JSON

Group: context
The event data as received from the event source.

Record ID | record_id | String

Group: primary
The unique identifier for the object.

Risk Level | risk_level | String

The risk level, normalized to the caption of the risk_level_id value.

Risk Level ID | risk_level_id | Integer

The normalized risk level id.

  • 0: Info (INFO)
  • 1: Low (LOW)
  • 2: Medium (MEDIUM)
  • 3: High (HIGH)
  • 4: Critical (CRITICAL)
  • 99: Other (OTHER)

Risk Score | risk_score | Integer

The risk score as reported by the event source.

Type | type | String

The type of the user. For example, System, AWS IAM User, etc.

Type ID | type_id | Integer

The account type identifier.

  • 0: Unknown (UNKNOWN)
  • 1: User (USER)
  • 2: Admin (ADMIN)
  • 3: System (SYSTEM)
  • 99: Other (OTHER)

Unique ID | uid | String

Entity: USER_OBJECT_UID
The unique user identifier. For example, the Windows user SID, Active Directory DN or AWS user ARN.

Alternate ID | uid_alt | String

The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.

Unmapped | unmapped | Unmapped[]

Data from the source that was not mapped into the schema.
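The attribute list above can be turned into an ingestion-time check. The following is an added example, not code from the schema project: it validates a dict against the attribute names, types and enumerations on this page and flags an Admin-type user with no MFA assigned. The function names, the sample record and the decision to skip the caption check for risk_level_id 99 are assumptions.

```python
# Added example (not schema project code): checks a dict against the user attributes above.
RISK_LEVELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical", 99: "Other"}
TYPE_IDS = {0: "Unknown", 1: "User", 2: "Admin", 3: "System", 99: "Other"}
STRINGS = {"credential_uid", "domain", "email_addr", "forward_addr", "full_name", "name",
           "phone_number", "record_id", "risk_level", "type", "uid", "uid_alt"}
INTEGERS = {"risk_level_id", "risk_score", "type_id"}
ARRAYS = {"account", "devices", "groups", "ldap_person", "org", "unmapped"}
UNCHECKED = {"last_login_time", "raw_data"}  # Timestamp and JSON: encoding not given on the page


def is_int(value):
    # bool is a subclass of int in Python, so exclude it for Integer attributes.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_user(user):
    """Return a list of problems in a user object; an empty list means none found."""
    problems = []
    for key, value in user.items():
        if key in STRINGS and not isinstance(value, str):
            problems.append(f"{key}: expected String")
        elif key in INTEGERS and not is_int(value):
            problems.append(f"{key}: expected Integer")
        elif key in ARRAYS and not isinstance(value, list):
            problems.append(f"{key}: expected array")
        elif key == "has_mfa" and not isinstance(value, bool):
            problems.append("has_mfa: expected Boolean")
        elif key not in STRINGS | INTEGERS | ARRAYS | UNCHECKED | {"has_mfa"}:
            problems.append(f"{key}: not a user attribute (belongs in unmapped)")
    for key, table in (("risk_level_id", RISK_LEVELS), ("type_id", TYPE_IDS)):
        if is_int(user.get(key)) and user[key] not in table:
            problems.append(f"{key}: {user[key]} is not a listed value")
    rid = user.get("risk_level_id")
    # risk_level must be the caption of risk_level_id. 99 (Other) is skipped here:
    # assumption that a source-specific label is acceptable for that value.
    if is_int(rid) and rid in RISK_LEVELS and rid != 99 and "risk_level" in user:
        if user["risk_level"] != RISK_LEVELS[rid]:
            problems.append(f"risk_level: expected {RISK_LEVELS[rid]!r} for id {rid}")
    return problems


def admin_without_mfa(user):
    """True when type_id is 2 (Admin) and has_mfa is explicitly False."""
    return user.get("type_id") == 2 and user.get("has_mfa") is False


# Constructed sample record (values are made up for illustration).
SAMPLE = {"name": "janedoe1", "domain": "corp.example", "type_id": 2, "has_mfa": False,
          "risk_level_id": 3, "risk_level": "Critical", "groups": [], "login_count": 7}
```

For the sample record, `validate_user(SAMPLE)` reports the stray `login_count` key and the `risk_level` caption that disagrees with `risk_level_id`, and `admin_without_mfa(SAMPLE)` returns `True`.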

Relationships

User shown in context

Inbound Relationships

These objects and events reference User in their attributes:

Outbound Relationships

User references the following objects and events in its attributes:

This page describes ocsf-1.4.0