User

User is a searchable entity at the top of Query's UI.

user

The user object describes the identity of a user.

Attributes

Caption | Name | Type | Is Array | Default | Description
--- | --- | --- | --- | --- | ---
Account | account | Account | | | The user's account or the account associated with the user.
Account Type | account_type | String | | | The user account type, as defined by the event source. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Account Type ID | account_type_id | Integer | | | The normalized user account type identifier. Values: -1 Other, 0 Unknown, 1 LDAP Account, 2 Windows Account, 3 AWS IAM Account, 4 GCP Account, 5 Azure AD Account. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Account UID | account_uid | String | | | The unique identifier of the account (e.g. AWS Account ID). Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
User Credential ID | credential_uid | String | | | The unique identifier of the user's credential. For example, AWS Access Key ID.
Devices | devices | Device | Yes | | The devices related to the user.
Domain | domain | String | | | The domain where the user is defined. For example, the LDAP or Active Directory domain.
Email Address | email_addr | Email Address | | | The user's primary email address.
Full Name | full_name | String | | | The full name of the person, as per the LDAP Common Name attribute (cn).
Groups | groups | Group | Yes | | The administrative groups to which the user belongs.
MFA Assigned | has_mfa | Boolean | | | The user has a multi-factor or secondary-factor device assigned.
Last Login | last_login_time | Timestamp | | | The last time the user logged in.
LDAP Person | ldap_person | LDAP Person | | | The additional LDAP attributes that describe a person.
Name | name | String | | | The username. For example, janedoe1.
Organization | org | Organization | | | The organization and org unit related to the user.
Org ID | org_uid | String | | | The unique identifier of the organization to which the user belongs. For example, the Active Directory or AWS Org ID. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Telephone Number | phone_number | String | | | The telephone number of the user.
Raw Data | raw_data | JSON | | | The event data as received from the event source.
Record ID | record_id | String | | | Unique identifier for the object.
Risk Level | risk_level | String | | | The risk level, normalized to the caption of the risk_level_id value.
Risk Level ID | risk_level_id | Integer | | | The normalized risk level ID. Values: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical, 99 Other.
Risk Score | risk_score | Integer | | | The risk score as reported by the event source.
Session UID | session_uid | String | | | The unique ID of the user session, as reported by the OS. Examples: *nix "Aug 10 17:31:16 ip-192-168-1-1 systemd[1]: Started Session 222 of User ubuntu." gives session_uid == 222; Windows "Logon ID: 0xd22e9734" gives session_uid == 0xd22e9734. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Session UUID | session_uuid | String | | | The universally unique ID of the user session, as reported by the OS. For example, in Windows this is the Login GUID. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Type | type | String | | | The type of the user. For example, System, AWS IAM User, etc.
Type ID | type_id | Integer | | 0 | The account type identifier. Values: 0 Unknown, 1 User, 2 Admin, 3 System, 99 Other.
Unique ID | uid | String | | | The unique user identifier. For example, the Windows user SID, Active Directory DN or AWS user ARN.
Alternate ID | uid_alt | String | | | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Unique User ID | uuid | String | | | The universally unique identifier of the user. For example, AWS ARN or Windows user GUID. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Context

User

JSON

{
  "caption": "User",
  "description": "The user object describes the identity of a user.",
  "extends": [
    null,
    "user"
  ],
  "name": "user",
  "observable": 21,
  "attributes": {
    "account": {
      "description": "The user's account or the account associated with the user.",
      "requirement": "optional",
      "caption": "Account",
      "type": "account"
    },
    "credential_uid": {
      "requirement": "optional",
      "caption": "User Credential ID",
      "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
      "type": "string_t",
      "observable": 19
    },
    "domain": {
      "description": "The domain where the user is defined. For example: the LDAP or Active Directory domain.",
      "requirement": "required",
      "caption": "Domain",
      "type": "string_t"
    },
    "email_addr": {
      "requirement": "optional",
      "caption": "Email Address",
      "description": "The user's primary email address.",
      "type": "email_t"
    },
    "full_name": {
      "requirement": "optional",
      "caption": "Full Name",
      "description": "The full name of the person, as per the LDAP Common Name attribute (cn).",
      "type": "string_t"
    },
    "groups": {
      "description": "The administrative groups to which the user belongs.",
      "requirement": "optional",
      "caption": "Groups",
      "type": "group",
      "is_array": true
    },
    "has_mfa": {
      "requirement": "recommended",
      "caption": "MFA Assigned",
      "description": "The user has a multi-factor or secondary-factor device assigned.",
      "type": "boolean_t"
    },
    "ldap_person": {
      "description": "The additional LDAP attributes that describe a person.",
      "requirement": "optional",
      "caption": "LDAP Person",
      "type": "ldap_person"
    },
    "name": {
      "description": "The username. For example, <code>janedoe1</code>.",
      "requirement": "recommended",
      "type": "string_t",
      "caption": "Name",
      "name": "username_t"
    },
    "org": {
      "description": "Organization and org unit related to the user.",
      "requirement": "optional",
      "caption": "Organization",
      "type": "organization"
    },
    "phone_number": {
      "caption": "Telephone Number",
      "description": "The telephone number of the user.",
      "requirement": "optional",
      "type": "string_t"
    },
    "risk_level": {
      "requirement": "optional",
      "caption": "Risk Level",
      "description": "The risk level, normalized to the caption of the risk_level_id value.",
      "type": "string_t"
    },
    "risk_level_id": {
      "requirement": "optional",
      "caption": "Risk Level ID",
      "description": "The normalized risk level id.",
      "sibling": "risk_level",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Info"
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "4": {
          "caption": "Critical"
        },
        "99": {
          "caption": "Other",
          "description": "The risk level is not mapped. See the <code>risk_level</code> attribute, which contains a data source specific value."
        }
      }
    },
    "risk_score": {
      "requirement": "optional",
      "caption": "Risk Score",
      "description": "The risk score as reported by the event source.",
      "type": "integer_t"
    },
    "type": {
      "description": "The type of the user. For example, System, AWS IAM User, etc.",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "type_id": {
      "description": "The account type identifier.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "1": {
          "caption": "User",
          "description": "Regular user account."
        },
        "2": {
          "caption": "Admin",
          "description": "Admin/root user account."
        },
        "3": {
          "caption": "System",
          "description": "System account. For example, Windows computer accounts with a trailing dollar sign ($)."
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        }
      },
      "requirement": "recommended",
      "caption": "Type ID",
      "sibling": "type",
      "type": "integer_t",
      "name": "integer_t",
      "default": 0
    },
    "uid": {
      "description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
      "requirement": "recommended",
      "observable": 31,
      "caption": "Unique ID",
      "type": "string_t"
    },
    "uid_alt": {
      "description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",
      "requirement": "optional",
      "caption": "Alternate ID",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "uuid": {
      "description": "The universally unique identifier of the user. For example, AWS ARN or Windows user GUID.",
      "caption": "Unique User ID",
      "requirement": "optional",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "org_uid": {
      "requirement": "optional",
      "caption": "Org ID",
      "description": "The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "account_uid": {
      "requirement": "optional",
      "caption": "Account UID",
      "description": "The unique identifier of the account(e.g. AWS Account ID).",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "account_type_id": {
      "requirement": "optional",
      "caption": "Account Type ID",
      "description": "The normalized user account type identifier.",
      "enum": {
        "-1": {
          "caption": "Other",
          "description": "The user account type is not mapped."
        },
        "0": {
          "caption": "Unknown",
          "description": "The user account type is unknown."
        },
        "1": {
          "caption": "LDAP Account"
        },
        "2": {
          "caption": "Windows Account"
        },
        "3": {
          "caption": "AWS IAM Account"
        },
        "4": {
          "caption": "GCP Account"
        },
        "5": {
          "caption": "Azure AD Account"
        }
      },
      "sibling": "account_type",
      "type": "integer_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "session_uuid": {
      "requirement": "optional",
      "caption": "Session UUID",
      "description": "The universally unique ID of the user session, as reported by the OS. For example, in Windows this is the Login GUID.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "account_type": {
      "requirement": "optional",
      "caption": "Account Type",
      "description": "The user account type, as defined by the event source.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "session_uid": {
      "requirement": "optional",
      "caption": "Session UID",
      "description": "The unique ID of the user session, as reported by the OS.<br /><br /><u>Examples:</u> <ul><li><i><b>*nix: </b><i>Aug 10 17:31:16 ip-192-168-1-1 systemd[1]: Started Session 222 of User ubuntu.</li><ul><li><b>session_uid</b> == 222</li></ul><li><b>Windows:</b> Logon ID:       0xd22e9734</li><ul><li><b>session_uid</b> == 0xd22e9734</li></ul></ul>",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "devices": {
      "description": "The devices related to user.",
      "requirement": "optional",
      "caption": "Devices",
      "type": "device",
      "is_array": true
    },
    "last_login_time": {
      "requirement": "optional",
      "caption": "Last Login",
      "description": "The last time when the user logged in.",
      "type": "timestamp_t"
    }
  },
  "constraints": {
    "at_least_one": [
      "account",
      "name",
      "uid"
    ]
  }
}
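The schema above defines requirement levels, enum captions with their sibling string attributes, a default for type_id, array attributes, deprecated attributes and an at_least_one constraint. The following Python checker, an added example and not Query's own code, applies those rules to a user object before it is ingested, and also extracts session_uid from the two log formats the page quotes. The rule tables are transcribed from the schema on this page; the sample records, the DN and the UUID value in them are constructed.

```python
import re

# Subset of the user schema shown on this page (transcribed from the JSON
# above): requirement levels, enum captions, sibling pairs, the type_id
# default, the at_least_one constraint, array attributes and deprecated ones.
REQUIREMENT = {
    "domain": "required",
    "record_id": "required",
    "has_mfa": "recommended",
    "name": "recommended",
    "type_id": "recommended",
    "uid": "recommended",
}
ENUMS = {
    "type_id": {0: "Unknown", 1: "User", 2: "Admin", 3: "System", 99: "Other"},
    "risk_level_id": {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical", 99: "Other"},
    "account_type_id": {-1: "Other", 0: "Unknown", 1: "LDAP Account", 2: "Windows Account",
                        3: "AWS IAM Account", 4: "GCP Account", 5: "Azure AD Account"},
}
SIBLINGS = {"type_id": "type", "risk_level_id": "risk_level", "account_type_id": "account_type"}
DEFAULTS = {"type_id": 0}
AT_LEAST_ONE = ("account", "name", "uid")
ARRAYS = {"devices", "groups", "unmapped"}
DEPRECATED = {"account_type", "account_type_id", "account_uid", "org_uid",
              "session_uid", "session_uuid", "uuid"}


def normalize_user(obj):
    """Return a copy with schema defaults applied and each sibling caption
    (type, risk_level, account_type) filled in from its *_id value when the
    producer left it out."""
    out = dict(obj)
    for attr, default in DEFAULTS.items():
        out.setdefault(attr, default)
    for id_attr, sib in SIBLINGS.items():
        val = out.get(id_attr)
        if isinstance(val, int) and not isinstance(val, bool) and val in ENUMS[id_attr]:
            out.setdefault(sib, ENUMS[id_attr][val])
    return out


def validate_user(obj):
    """Return (errors, warnings). Errors violate the schema; warnings flag
    missing recommended attributes and use of deprecated ones."""
    errors, warnings = [], []
    for attr, level in REQUIREMENT.items():
        if attr not in obj:
            (errors if level == "required" else warnings).append(f"{attr}: {level} attribute missing")
    if not any(k in obj for k in AT_LEAST_ONE):
        errors.append("at_least_one: one of " + ", ".join(AT_LEAST_ONE) + " is needed")
    for attr in sorted(ARRAYS & set(obj)):
        if not isinstance(obj[attr], list):
            errors.append(f"{attr}: must be an array")
    for attr, captions in ENUMS.items():
        if attr not in obj:
            continue
        val = obj[attr]
        if isinstance(val, bool) or not isinstance(val, int) or val not in captions:
            errors.append(f"{attr}: {val!r} is not a defined enum value")
            continue
        sib = SIBLINGS[attr]
        # The sibling string is normalized to the enum caption; for "Other" it
        # carries the source-specific value instead, so it is not compared.
        if sib in obj and captions[val] != "Other" and obj[sib] != captions[val]:
            errors.append(f"{sib}: {obj[sib]!r} does not match caption {captions[val]!r} of {attr}={val}")
    for attr in sorted(DEPRECATED & set(obj)):
        warnings.append(f"{attr}: deprecated since 1.1.0")
    return errors, warnings


# Patterns for the two session_uid examples the page gives.
_SESSION_PATTERNS = (
    re.compile(r"Started Session (\S+) of [Uu]ser "),  # systemd
    re.compile(r"Logon ID:\s*(0x[0-9A-Fa-f]+)"),        # Windows security log
)


def session_uid_from_log(line):
    """Extract the OS session identifier from a log line, or None."""
    for pat in _SESSION_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    # Constructed sample records, not data from Query.
    good = {"record_id": "rec-0001", "domain": "corp.example", "name": "janedoe1",
            "uid": "CN=Jane Doe,OU=Staff,DC=corp,DC=example", "has_mfa": True,
            "type_id": 2, "type": "Admin", "risk_level_id": 3, "risk_level": "High"}
    bad = {"record_id": "rec-0002", "domain": "corp.example", "type_id": 7,
           "risk_level_id": 1, "risk_level": "Medium", "groups": "admins",
           "uuid": "00000000-0000-0000-0000-000000000000"}
    for rec in (good, bad):
        errs, warns = validate_user(normalize_user(rec))
        print(rec["record_id"], "errors:", errs, "warnings:", warns)
```

Running normalize_user before validate_user mirrors what the schema's default and sibling fields imply: a record that omits type_id is treated as type_id 0 / "Unknown", and a producer that only sends the numeric ID still ends up with the caption string searchable. The "Other" captions (99, and -1 for account_type_id) are deliberately not compared against the sibling string, because the schema says the string then carries the source-specific value.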