
Class: UserAccount

_The User Account Object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts._

URI: attack:UserAccount

classDiagram
    class UserAccount
    click UserAccount href "../UserAccount/"
      CyberObservableObject <|-- UserAccount
        click CyberObservableObject href "../CyberObservableObject/"
      UserAccount : account_created
      UserAccount : account_expires
      UserAccount : account_first_login
      UserAccount : account_last_login
      UserAccount : account_login
      UserAccount : account_type
      UserAccount : can_escalate_privs
      UserAccount : credential
      UserAccount : credential_last_changed
      UserAccount : defanged
      UserAccount : description
      UserAccount : display_name
      UserAccount : extensions
      UserAccount : granular_markings
        UserAccount --> "*" GranularMarking : granular_markings
        click GranularMarking href "../GranularMarking/"
      UserAccount : id
      UserAccount : is_disabled
      UserAccount : is_privileged
      UserAccount : is_service_account
      UserAccount : name
      UserAccount : object_marking_refs
      UserAccount : spec_version
        UserAccount --> "0..1" SpecVersionEnum : spec_version
        click SpecVersionEnum href "../SpecVersionEnum/"
      UserAccount : type
      UserAccount : user_id

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| user_id | 0..1 String | User account identifier | direct |
| credential | 0..1 String | Account credential value | direct |
| account_login | 0..1 String | Account login string | direct |
| account_type | 0..1 AccountTypeOv or String | Account type value (account-type-ov) | direct |
| display_name | 0..1 String | Human-friendly display name | direct |
| is_service_account | 0..1 Boolean | Service account flag | direct |
| is_privileged | 0..1 Boolean | Privileged account flag | direct |
| can_escalate_privs | 0..1 Boolean | Privilege escalation capability flag | direct |
| is_disabled | 0..1 Boolean | Disabled account flag | direct |
| account_created | 0..1 Datetime | Account creation timestamp | direct |
| account_expires | 0..1 Datetime | Account expiration timestamp | direct |
| credential_last_changed | 0..1 Datetime | Credential last-changed timestamp | direct |
| account_first_login | 0..1 Datetime | Account first-login timestamp | direct |
| account_last_login | 0..1 Datetime | Account last-login timestamp | direct |
| type | 1 StixTypeName | STIX object type | StixEntity, CyberObservableCore |
| spec_version | 0..1 SpecVersionEnum | STIX specification version | CyberObservableCore |
| id | 1 StixIdentifier | STIX object identifier | StixEntity, CyberObservableCore |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | CyberObservableCore |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | CyberObservableCore |
| defanged | 0..1 Boolean | Defines whether or not the data contained within the object has been defanged | CyberObservableCore |
| extensions | * String | Open-ended extension payloads | CyberObservableCore |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |

In Subsets

Comments

  • jsonschema_rule: anyOf validator_hint: user-account-at-least-one-property jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/user-account.json

Notes

  • JSON Schema defines anyOf presence constraints requiring at least one key identity/account property.
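
A validator for the constraints this page states (the `id` and `type` patterns from the LinkML source, the slot ranges, and the anyOf presence rule), as an added example that is not part of the schema project's own code. It assumes that any one of the direct slots satisfies the anyOf rule and that datetimes are RFC 3339 UTC strings; `validate_user_account` and the sample object are hypothetical.

```python
import re
from datetime import datetime

# Patterns copied from the slot_usage block of the LinkML source on this page.
ID_RE = re.compile(r"^user-account--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}"
                   r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$")
TYPE_RE = re.compile(r"^user-account$")

# Direct slots grouped by the range given in the Slots table.
STRING_SLOTS = {"user_id", "credential", "account_login", "account_type", "display_name"}
BOOL_SLOTS = {"is_service_account", "is_privileged", "can_escalate_privs", "is_disabled"}
DATETIME_SLOTS = {"account_created", "account_expires", "credential_last_changed",
                  "account_first_login", "account_last_login"}
# Assumption: the anyOf presence rule is satisfied by any one direct slot.
ANY_OF = STRING_SLOTS | BOOL_SLOTS | DATETIME_SLOTS

def _is_datetime(value):
    # Assumption: timestamps are RFC 3339 strings in UTC, e.g. 2024-01-31T08:15:00Z.
    if not isinstance(value, str) or not value.endswith("Z"):
        return False
    try:
        datetime.fromisoformat(value[:-1])
        return True
    except ValueError:
        return False

def validate_user_account(obj):
    """Return a list of violation strings; an empty list means the object passed."""
    errors = []
    # fullmatch, not match: in Python "$" also matches before a trailing newline.
    if not isinstance(obj.get("type"), str) or not TYPE_RE.fullmatch(obj["type"]):
        errors.append("type: required, must equal 'user-account'")
    if not isinstance(obj.get("id"), str) or not ID_RE.fullmatch(obj["id"]):
        errors.append("id: required, must be user-account--<UUID>")
    if not ANY_OF & obj.keys():
        errors.append("anyOf: at least one account property is required")
    for slot in STRING_SLOTS & obj.keys():
        if not isinstance(obj[slot], str):
            errors.append(f"{slot}: expected string")
    for slot in BOOL_SLOTS & obj.keys():
        if not isinstance(obj[slot], bool):  # rejects "true" and 1
            errors.append(f"{slot}: expected boolean")
    for slot in DATETIME_SLOTS & obj.keys():
        if not _is_datetime(obj[slot]):
            errors.append(f"{slot}: expected datetime")
    return errors

# Constructed sample object (not real data).
SAMPLE = {"type": "user-account", "id": "user-account--11111111-2222-4333-8444-555555555555",
          "user_id": "1001", "account_login": "jdoe", "is_privileged": False}
```

An object that carries only `type` and `id` passes both patterns but still fails the presence rule, which is the case the note above describes.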

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | attack:UserAccount |
| native | attack:UserAccount |
| exact | unified_cyber_ontology:UserAccount |

LinkML Source

Direct

name: UserAccount
description: 'The User Account Object represents an instance of any type of user account,
  including but not limited to operating system, device, messaging service, and social
  media platform accounts. '
notes:
- JSON Schema defines anyOf presence constraints requiring at least one key identity/account
  property.
comments:
- 'jsonschema_rule: anyOf validator_hint: user-account-at-least-one-property jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/user-account.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:UserAccount
is_a: CyberObservableObject
slots:
- user_id
- credential
- account_login
- account_type
- display_name
- is_service_account
- is_privileged
- can_escalate_privs
- is_disabled
- account_created
- account_expires
- credential_last_changed
- account_first_login
- account_last_login
slot_usage:
  id:
    name: id
    pattern: ^user-account--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^user-account$

Induced

name: UserAccount
description: 'The User Account Object represents an instance of any type of user account,
  including but not limited to operating system, device, messaging service, and social
  media platform accounts. '
notes:
- JSON Schema defines anyOf presence constraints requiring at least one key identity/account
  property.
comments:
- 'jsonschema_rule: anyOf validator_hint: user-account-at-least-one-property jsonschema_source:
  https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/user-account.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:UserAccount
is_a: CyberObservableObject
slot_usage:
  id:
    name: id
    pattern: ^user-account--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^user-account$
attributes:
  user_id:
    name: user_id
    description: User account identifier.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: user_id
    owner: UserAccount
    domain_of:
    - UserAccount
    range: string
  credential:
    name: credential
    description: Account credential value.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: credential
    owner: UserAccount
    domain_of:
    - UserAccount
    range: string
  account_login:
    name: account_login
    description: Account login string.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: account_login
    owner: UserAccount
    domain_of:
    - UserAccount
    range: string
  account_type:
    name: account_type
    description: Account type value (account-type-ov).
    comments:
    - 'open_vocabulary: AccountTypeOv'
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:accountType
    rank: 1000
    alias: account_type
    owner: UserAccount
    domain_of:
    - UserAccount
    range: string
    any_of:
    - range: AccountTypeOv
    - range: string
  display_name:
    name: display_name
    description: Human-friendly display name.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: display_name
    owner: UserAccount
    domain_of:
    - EmailAddr
    - UserAccount
    - WindowsServiceExt
    range: string
  is_service_account:
    name: is_service_account
    description: Service account flag.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_service_account
    owner: UserAccount
    domain_of:
    - UserAccount
    range: boolean
  is_privileged:
    name: is_privileged
    description: Privileged account flag.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_privileged
    owner: UserAccount
    domain_of:
    - UserAccount
    range: boolean
  can_escalate_privs:
    name: can_escalate_privs
    description: Privilege escalation capability flag.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: can_escalate_privs
    owner: UserAccount
    domain_of:
    - UserAccount
    range: boolean
  is_disabled:
    name: is_disabled
    description: Disabled account flag.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_disabled
    owner: UserAccount
    domain_of:
    - UserAccount
    range: boolean
  account_created:
    name: account_created
    description: Account creation timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: account_created
    owner: UserAccount
    domain_of:
    - UserAccount
    range: datetime
  account_expires:
    name: account_expires
    description: Account expiration timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: account_expires
    owner: UserAccount
    domain_of:
    - UserAccount
    range: datetime
  credential_last_changed:
    name: credential_last_changed
    description: Credential last-changed timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: credential_last_changed
    owner: UserAccount
    domain_of:
    - UserAccount
    range: datetime
  account_first_login:
    name: account_first_login
    description: Account first-login timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: account_first_login
    owner: UserAccount
    domain_of:
    - UserAccount
    range: datetime
  account_last_login:
    name: account_last_login
    description: Account last-login timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: account_last_login
    owner: UserAccount
    domain_of:
    - UserAccount
    range: datetime
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: UserAccount
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^user-account$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: UserAccount
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: UserAccount
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^user-account--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: UserAccount
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: UserAccount
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  defanged:
    name: defanged
    description: Defines whether or not the data contained within the object has been
      defanged.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: defanged
    owner: UserAccount
    domain_of:
    - CyberObservableCore
    range: boolean
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: UserAccount
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: UserAccount
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: UserAccount
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string