User [21] object
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
| Name | Caption | Requirement | Type | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| account | Account | Optional (†) | Account | The user's account or the account associated with the user. | ||||||||||||
| credential_uid | User Credential ID O | Optional | String | The unique identifier of the user's credential. For example, AWS Access Key ID. | ||||||||||||
| domain | Domain | Optional | String | The domain where the user is defined. For example: the LDAP or Active Directory domain. | ||||||||||||
| email_addr | Email Address O | Optional | Email Address | The user's primary email address. | ||||||||||||
| full_name | Full Name | Optional | String | The full name of the person, as per the LDAP Common Name attribute (cn). | ||||||||||||
| groups | Groups | Optional | Group Array | The administrative groups to which the user belongs. | ||||||||||||
| ldap_person | LDAP Person | Optional | LDAP Person | The additional LDAP attributes that describe a person. | ||||||||||||
| name | Name O | Recommended (†) | String | The username. For example, janedoe1. |
||||||||||||
| org | Organization | Optional | Organization | Organization and org unit related to the user. | ||||||||||||
| risk_level | Risk Level | Optional | String | The risk level, normalized to the caption of the risk_level_id value. This is the string sibling of enum attribute risk_level_id. |
||||||||||||
| risk_level_id | Risk Level ID | Optional | Integer | The normalized risk level id.
This is an enum attribute; its string sibling is risk_level. |
||||||||||||
| risk_score | Risk Score | Optional | Integer | The risk score as reported by the event source. | ||||||||||||
| type | Type | Optional | String | The type of the user. For example, System, AWS IAM User, etc. This is the string sibling of enum attribute type_id. |
||||||||||||
| type_id | Type ID | Recommended | Integer | The account type identifier.
This is an enum attribute; its string sibling is type. |
||||||||||||
| uid | Unique ID | Recommended (†) | String | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | ||||||||||||
| uid_alt | Alternate ID | Optional | String | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. |
Referenced By
- Account Change Class
- Attributes: user, user_result
- Admin Group Query Class
- Attribute: users
- Authentication Class
- Attribute: user
- Authorize Session Class
- Attribute: user
- Group Management Class
- Attribute: user
- Incident Finding Class
- Attribute: assignee
- Tunnel Activity Class
- Attribute: user
- User Access Management Class
- Attribute: user
- User Inventory Info Class
- Attribute: user
- User Query Class
- Attribute: user
- Actor Object
- Attribute: user
- Affected Code Object
- Attribute: owner
- Device Object
- Attribute: owner
- Endpoint Object
- Attribute: owner
- Evidence Artifacts Object
- Attribute: user
- File Object
- Attributes: owner, modifier, accessor, creator
- Job Object
- Attribute: user
- LDAP Person Object
- Attribute: manager
- Managed Entity Object
- Attribute: user
- Network Endpoint Object
- Attribute: owner
- Network Proxy Endpoint Object
- Attribute: owner
- Process Object
- Attribute: user
- Resource Details Object
- Attribute: owner
Constraints
† At least one of these attributes must be present: account, name, uid