Actor

Actor is a searchable entity at the top of Query's UI.

actor

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

Contents

Attributes

Caption Name Type Is Array Default Description
Application Name app_name String The client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process if present.
Application ID app_uid String The unique identifier of the client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process.pid or process.uid if present.
Authorization Information authorizations Authorization Result Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.
Identity Provider idp Identity Provider This object describes details about the Identity Provider used.
Invoked by invoked_by String The name of the service that invoked the activity as described in the event.

Deprecated since 1.2.0: Use app_name, app_uid attributes instead.

Process process Linux Process The process that initiated the activity.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Session session Session The user session from which the activity was initiated.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
User user User The user that initiated the activity or the user context from which the activity was initiated.

Context

Actor

JSON

            
{
  "caption": "Actor",
  "description": "The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.",
  "name": "actor",
  "extends": "object",
  "attributes": {
    "app_name": {
      "description": "The client application or service that initiated the activity. This can be in conjunction with the <code>user</code> if present.  Note that <code>app_name</code> is distinct from the <code>process</code> if present.",
      "requirement": "optional",
      "caption": "Application Name",
      "type": "string_t"
    },
    "app_uid": {
      "description": "The unique identifier of the client application or service that initiated the activity. This can be in conjunction with the <code>user</code> if present. Note that <code>app_name</code> is distinct from the <code>process.pid</code> or <code>process.uid</code> if present.",
      "requirement": "optional",
      "caption": "Application ID",
      "type": "string_t"
    },
    "authorizations": {
      "requirement": "optional",
      "caption": "Authorization Information",
      "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
      "is_array": true,
      "type": "authorization"
    },
    "idp": {
      "requirement": "optional",
      "caption": "Identity Provider",
      "description": "This object describes details about the Identity Provider used.",
      "type": "idp"
    },
    "invoked_by": {
      "@deprecated": {
        "message": "Use <code> app_name, app_uid </code> attributes instead.",
        "since": "1.2.0"
      },
      "requirement": "optional",
      "caption": "Invoked by",
      "description": "The name of the service that invoked the activity as described in the event.",
      "type": "string_t"
    },
    "process": {
      "description": "The process that initiated the activity.",
      "requirement": "recommended",
      "caption": "Process",
      "type": "process"
    },
    "session": {
      "description": "The user session from which the activity was initiated.",
      "requirement": "optional",
      "caption": "Session",
      "type": "session"
    },
    "user": {
      "description": "The user that initiated the activity or the user context from which the activity was initiated.",
      "requirement": "recommended",
      "caption": "User",
      "type": "user"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "constraints": {
    "at_least_one": [
      "process",
      "user",
      "invoked_by",
      "session",
      "app_name",
      "app_uid"
    ]
  }
}