Class: Account
The Account object contains details about the account that initiated or
performed a specific activity within a system or application. Additionally, the
Account object refers to logical Cloud and Software-as-a-Service (SaaS) based
containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud
Compartments, Google Cloud Projects, and otherwise.
URI: ocsf:Account
```mermaid
classDiagram
    class Account
    click Account href "../Account/"
    Entity <|-- Account
    click Entity href "../Entity/"
    Account : is_disabled
    Account : is_locked
    Account : is_on_premises_sync_enabled
    Account : labels
    Account : name
    Account : tags
    Account --> "*" KeyValueObject : tags
    click KeyValueObject href "../KeyValueObject/"
    Account : type
    Account : type_id
    Account --> "0..1 _recommended_" AccountTypeIdEnum : type_id
    click AccountTypeIdEnum href "../AccountTypeIdEnum/"
    Account : uid
```
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| is_disabled | 0..1 Boolean | Indicates if the account is disabled | direct |
| is_locked | 0..1 Boolean | Indicates if the account is locked | direct |
| is_on_premises_sync_enabled | 0..1 Boolean | Indicates whether synchronization with an on-premises directory service is enabled | direct |
| labels | * String | The list of labels associated to the account | direct |
| name | 0..1 recommended String | The name of the account (e.g. GCP Project name, Linux Account name or AWS Account name) | direct |
| tags | * KeyValueObject | The list of tags; {key:value} pairs associated to the account | direct |
| type | 0..1 String | The account type, normalized to the caption of 'account_type_id' | direct |
| type_id | 0..1 recommended AccountTypeIdEnum | The normalized account type identifier | direct |
| uid | 0..1 recommended String | The unique identifier of the account (e.g. AWS Account ID, OCID, GCP Project ID, Azure Subscription ID, Google Workspace Customer ID, or M365 Tenant UID) | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Cloud | account | range | Account |
| User | account | range | Account |
In Subsets
Aliases
- Account
See Also
- https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
- https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/
Notes
- D3FEND™ Ontology d3f:UserAccount. — https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
- D3FEND™ Ontology d3f:CloudUserAccount. — https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Account |
| native | ocsf:Account |
| close | stix:UserAccount, uco_master:Account |
LinkML Source
Direct
```yaml
name: Account
description: 'The Account object contains details about the account that initiated
  or
  performed a specific activity within a system or application. Additionally, the
  Account object refers to logical Cloud and Software-as-a-Service (SaaS) based
  containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud
  Compartments, Google Cloud Projects, and otherwise.'
notes:
- 'D3FEND™ Ontology d3f:UserAccount. —
  https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/'
- 'D3FEND™ Ontology d3f:CloudUserAccount. —
  https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
- https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/
aliases:
- Account
close_mappings:
- stix:UserAccount
- uco_master:Account
is_a: Entity
slots:
- is_disabled
- is_locked
- is_on_premises_sync_enabled
- labels
- name
- tags
- type
- type_id
- uid
slot_usage:
  is_disabled:
    name: is_disabled
    description: Indicates if the account is disabled.
  is_locked:
    name: is_locked
    description: 'Indicates if the account is locked. For example, due to the amount
      of failed
      logins.'
  labels:
    name: labels
    description: The list of labels associated to the account.
  name:
    name: name
    description: 'The name of the account (e.g. <code> GCP Project name </code>, <code>
      Linux
      Account name </code> or <code> AWS Account name</code>).'
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      account.
  type:
    name: type
    description: 'The account type, normalized to the caption of ''account_type_id''.
      In the case
      of ''Other'', it is defined by the event source.'
  type_id:
    name: type_id
    description: The normalized account type identifier.
    range: AccountTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the account (e.g. <code> AWS Account ID
      </code>,
      <code> OCID </code>, <code> GCP Project ID </code>, <code> Azure Subscription
      ID </code>, <code> Google Workspace Customer ID </code>, or <code> M365 Tenant
      UID</code>).'
```
Induced
```yaml
name: Account
description: 'The Account object contains details about the account that initiated
  or
  performed a specific activity within a system or application. Additionally, the
  Account object refers to logical Cloud and Software-as-a-Service (SaaS) based
  containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud
  Compartments, Google Cloud Projects, and otherwise.'
notes:
- 'D3FEND™ Ontology d3f:UserAccount. —
  https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/'
- 'D3FEND™ Ontology d3f:CloudUserAccount. —
  https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
- https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/
aliases:
- Account
close_mappings:
- stix:UserAccount
- uco_master:Account
is_a: Entity
slot_usage:
  is_disabled:
    name: is_disabled
    description: Indicates if the account is disabled.
  is_locked:
    name: is_locked
    description: 'Indicates if the account is locked. For example, due to the amount
      of failed
      logins.'
  labels:
    name: labels
    description: The list of labels associated to the account.
  name:
    name: name
    description: 'The name of the account (e.g. <code> GCP Project name </code>, <code>
      Linux
      Account name </code> or <code> AWS Account name</code>).'
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      account.
  type:
    name: type
    description: 'The account type, normalized to the caption of ''account_type_id''.
      In the case
      of ''Other'', it is defined by the event source.'
  type_id:
    name: type_id
    description: The normalized account type identifier.
    range: AccountTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the account (e.g. <code> AWS Account ID
      </code>,
      <code> OCID </code>, <code> GCP Project ID </code>, <code> Azure Subscription
      ID </code>, <code> Google Workspace Customer ID </code>, or <code> M365 Tenant
      UID</code>).'
attributes:
  is_disabled:
    name: is_disabled
    description: Indicates if the account is disabled.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Disabled
    rank: 1000
    alias: is_disabled
    owner: Account
    domain_of:
    - Account
    range: boolean
  is_locked:
    name: is_locked
    description: 'Indicates if the account is locked. For example, due to the amount
      of failed
      logins.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Locked
    rank: 1000
    alias: is_locked
    owner: Account
    domain_of:
    - Account
    range: boolean
  is_on_premises_sync_enabled:
    name: is_on_premises_sync_enabled
    description: 'Indicates whether synchronization with an on-premises directory
      service is
      enabled. For example, Microsoft Entra Connect.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - On-Premises Sync Enabled
    rank: 1000
    alias: is_on_premises_sync_enabled
    owner: Account
    domain_of:
    - Account
    range: boolean
  labels:
    name: labels
    description: The list of labels associated to the account.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Labels
    rank: 1000
    alias: labels
    owner: Account
    domain_of:
    - Osint
    - Resource
    - Account
    - ApplicationObject
    - Container
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: string
    multivalued: true
  name:
    name: name
    description: 'The name of the account (e.g. <code> GCP Project name </code>, <code>
      Linux
      Account name </code> or <code> AWS Account name</code>).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Account
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      account.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tags
    rank: 1000
    alias: tags
    owner: Account
    domain_of:
    - RelatedEvent
    - Resource
    - Account
    - ApplicationObject
    - Container
    - File
    - FindingInfo
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: KeyValueObject
    multivalued: true
  type:
    name: type
    description: 'The account type, normalized to the caption of ''account_type_id''.
      In the case
      of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Account
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The normalized account type identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: Account
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: AccountTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the account (e.g. <code> AWS Account ID
      </code>,
      <code> OCID </code>, <code> GCP Project ID </code>, <code> Azure Subscription
      ID </code>, <code> Google Workspace Customer ID </code>, or <code> M365 Tenant
      UID</code>).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Account
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
```