User
The user object describes the identity of a user.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Account | account |
Account[] | The user's account or the account associated with the user. |
| Account Type | account_type |
String |
The user account type, as defined by the event source.
|
| Account Type ID | account_type_id |
Integer |
The normalized user account type identifier.
|
| Account UID | account_uid |
String |
The unique identifier of the account(e.g. AWS Account ID).
|
| User Credential ID | credential_uid |
String | The unique identifier of the user's credential. For example, AWS Access Key ID. |
| Devices | devices |
Device[] | The devices related to user. |
| Domain | domain |
String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
| Email Address | email_addr |
Email Address | The user's primary email address. |
| Full Name | full_name |
String | The full name of the person, as per the LDAP Common Name attribute (cn). |
| Groups | groups |
Group[] | The administrative groups to which the user belongs. |
| MFA Assigned | has_mfa |
Boolean | The user has a multi-factor or secondary-factor device assigned. |
| Last Login | last_login_time |
Timestamp | The last time when the user logged in. |
| LDAP Person | ldap_person |
LDAP Person[] | The additional LDAP attributes that describe a person. |
| Name | name |
String |
The username. For example, janedoe1.
|
| Organization | org |
Organization[] | Organization and org unit related to the user. |
| Org ID | org_uid |
String |
The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID.
|
| Telephone Number | phone_number |
String | The telephone number of the user. |
| Raw Data | raw_data |
JSON | The event data as received from the event source. |
| Record ID | record_id |
String | Unique identifier for the object |
| Risk Level | risk_level |
String | The risk level, normalized to the caption of the risk_level_id value. |
| Risk Level ID | risk_level_id |
Integer |
The normalized risk level id.
|
| Risk Score | risk_score |
Integer | The risk score as reported by the event source. |
| Session UID | session_uid |
String |
The unique ID of the user session, as reported by the OS. Examples:
|
| Session UUID | session_uuid |
String |
The universally unique ID of the user session, as reported by the OS. For example, in Windows this is the Login GUID.
|
| Type | type |
String | The type of the user. For example, System, AWS IAM User, etc. |
| Type ID | type_id |
Integer |
The account type identifier.
|
| Unique ID | uid |
String | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. |
| Alternate ID | uid_alt |
String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
| Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Unique User ID | uuid |
String |
The universally unique identifier of the user. For example, AWS ARN or Windows user GUID.
|
Relationships
Inbound Relationships
These objects and events reference User in their attributes:
- Endpoint
- Network Proxy Endpoint
- Affected Code
- Actor
- Windows Evidence Artifacts
- Account Change
- Admin Group Query
- Authorize Session
- User Inventory Info
- Network Endpoint
- Group Management
- Linux Process
- Resource Details
- Incident Finding
- Tunnel Activity
- User Access Management
- User Query
- Authentication
- Device
- Managed Entity
- Job
- LDAP Person
Outbound Relationships
User references the following objects and events in its attributes:
This page describes qdm-1.3.2+ocsf-1.3.0
Updated 6 months ago