User
user
The user object describes the identity of a user.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Account | account | Account[] | The user's account or the account associated with the user. |
| User Credential ID | credential_uid | String | Entity: |
| Devices | devices | Device[] | Entity: |
| Display Name | display_name | String | The display name of the user, as reported by the product. |
| Domain | domain | String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
| Email Address | email_addr | Email Address | Entity: |
| Forwarding Address | forward_addr | Email Address | Entity: |
| Full Name | full_name | String | The full name of the user, as reported by the product. |
| Groups | groups | Group[] | The administrative groups to which the user belongs. |
| MFA Assigned | has_mfa | Boolean | The user has a multi-factor or secondary-factor device assigned. |
| Last Login | last_login_time | Timestamp | The last time when the user logged in. |
| LDAP Person | ldap_person | LDAP Person[] | The additional LDAP attributes that describe a person. |
| Name | name | User Name | Entity: |
| Organization | org | Organization[] | Organization and org unit related to the user. |
| Telephone Number | phone_number | String | The telephone number of the user. |
| Programmatic Credentials | programmatic_credentials | Programmatic Credential[] | Details about the programmatic credentials (API keys, access tokens, certificates, etc.) associated with the user. |
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| Risk Level | risk_level | String | The risk level, normalized to the caption of the risk_level_id value. |
| Risk Level ID | risk_level_id | Integer | The normalized risk level id. |
| Risk Score | risk_score | Integer | The risk score as reported by the event source. |
| Type | type | String | The type of the user. For example, System, AWS IAM User, etc. |
| Type ID | type_id | Integer | The account type identifier. |
| Unique ID | uid | String | Entity: |
| Alternate ID | uid_alt | String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference User in their attributes:
- Network Proxy Endpoint
- Compliance Finding
- Job
- Query Evidence
- Authorize Session
- Account Change
- Airborne Broadcast Activity
- Endpoint
- User Access Management
- User Inventory Info
- Affected Code
- Incident Finding
- Vulnerability Finding
- Drone Flights Activity
- Admin Group Query
- RDP Activity
- Application
- File
- LDAP Person
- Device
- IAM Analysis Finding
- OSINT
- Group Management
- Databucket
- Access Analysis Result
- Authentication
- Resource Details
- Data Security Finding
- Network Endpoint
- Tunnel Activity
- Linux Process
- Detection Finding
- User Query
- Managed Entity
- Actor
- Windows Evidence Artifacts
- Application Security Posture Finding
Outbound Relationships
User references the following objects and events in its attributes:
This page describes qdm-1.5.1+ocsf-1.6.0
Updated 3 days ago