Class: Actor
The Actor object contains details about the user, role, application, service,
or process that initiated or performed a specific activity. Note that Actor is
not the threat actor of a campaign but may be part of a campaign.
URI: ocsf:Actor
classDiagram
class Actor
click Actor href "../Actor/"
Object <|-- Actor
click Object href "../Object/"
Actor : app_name
Actor : app_uid
Actor : authorizations
Actor --> "*" Authorization : authorizations
click Authorization href "../Authorization/"
Actor : idp
Actor --> "0..1" Idp : idp
click Idp href "../Idp/"
Actor : invoked_by
Actor : process
Actor --> "0..1 _recommended_" Process : process
click Process href "../Process/"
Actor : session
Actor --> "0..1" Session : session
click Session href "../Session/"
Actor : user
Actor --> "0..1 _recommended_" User : user
click User href "../User/"
Inheritance
- OcsfObject
- Object
- Actor
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| app_name | 0..1 String | The client application or service that initiated the activity | direct |
| app_uid | 0..1 String | The unique identifier of the client application or service that initiated the | direct |
| authorizations | * Authorization | Provides details about an authorization, such as authorization outcome, and a... | direct |
| idp | 0..1 Idp | This object describes details about the Identity Provider used | direct |
| invoked_by | 0..1 String | The name of the service that invoked the activity as described in the event | direct |
| process | 0..1 recommended Process | The process that initiated the activity | direct |
| session | 0..1 Session | The user session from which the activity was initiated | direct |
| user | 0..1 recommended User | The user that initiated the activity or the user context from which the | direct |
Usages
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | | [{'slot_conditions': {'process': {'required': True}}}, {'slot_conditions': {'user': {'required': True}}}, {'slot_conditions': {'invoked_by': {'required': True}}}, {'slot_conditions': {'session': {'required': True}}}, {'slot_conditions': {'app_name': {'required': True}}}, {'slot_conditions': {'app_uid': {'required': True}}}] | |
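
An Actor that carries only `idp` or `authorizations` satisfies none of the rule's alternatives, so the event cannot be attributed to a process, user, session or application. The check below is an added example, not part of the OCSF schema or its tooling: `check_actor`, `is_set` and `SAMPLES` are hypothetical names, the sample actors are constructed, and treating an empty string as "not set" is an assumption stricter than the rule as written.

```python
import json

# Slot names and the ocsf_constraints annotation are copied from this page;
# check_actor, is_set and SAMPLES are names made up for this example.
ACTOR_SLOTS = {"app_name", "app_uid", "authorizations", "idp",
               "invoked_by", "process", "session", "user"}
AT_LEAST_ONE = json.loads(
    '{"at_least_one": ["process", "user", "invoked_by", "session", '
    '"app_name", "app_uid"]}')["at_least_one"]
RECOMMENDED = ("process", "user")
DEPRECATED = {"invoked_by": "use app_name, app_uid instead"}


def is_set(value):
    """Treat None and empty strings, dicts and lists as 'not set'."""
    return value not in (None, "", {}, [])


def check_actor(actor):
    """Return (errors, warnings) for one Actor object given as a dict."""
    errors, warnings = [], []
    for name in sorted(set(actor) - ACTOR_SLOTS):
        warnings.append(f"slot not defined on Actor: {name}")
    present = {k for k, v in actor.items() if k in ACTOR_SLOTS and is_set(v)}
    if not present.intersection(AT_LEAST_ONE):
        errors.append("at_least_one violated: none of " + ", ".join(AT_LEAST_ONE))
    if "authorizations" in present and not isinstance(actor["authorizations"], list):
        errors.append("authorizations is multivalued and must be a list")
    for name in sorted(present & DEPRECATED.keys()):
        warnings.append(f"deprecated slot {name}: {DEPRECATED[name]}")
    for name in RECOMMENDED:
        if name not in present:
            warnings.append(f"recommended slot missing: {name}")
    return errors, warnings


# Constructed sample actors, not real telemetry.
SAMPLES = {
    "idp_only": {"idp": {"name": "example-idp"}, "app_name": ""},
    "legacy": {"invoked_by": "example-service"},
    "full": {"user": {"name": "alice"}, "process": {"pid": 4242},
             "app_name": "example-cli"},
}

if __name__ == "__main__":
    for label, actor in SAMPLES.items():
        print(label, check_actor(actor))
```

Errors mark objects that break the `at_least_one` rule or the multivalued range of `authorizations`; warnings cover the deprecated `invoked_by` slot and the two recommended slots.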
In Subsets
Aliases
- Actor
See Also
Notes
- D3FEND™ Ontology d3f:Agent. — https://next.d3fend.mitre.org/agent/d3f:Agent/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["process", "user", "invoked_by", "session", "app_name", "app_uid"]} |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Actor |
| native | ocsf:Actor |
LinkML Source
Direct
```yaml
name: Actor
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["process", "user", "invoked_by", "session", "app_name",
      "app_uid"]}'
description: 'The Actor object contains details about the user, role, application,
  service,
  or process that initiated or performed a specific activity. Note that Actor is
  not the threat actor of a campaign but may be part of a campaign.'
notes:
- D3FEND™ Ontology d3f:Agent. — https://next.d3fend.mitre.org/agent/d3f:Agent/
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://next.d3fend.mitre.org/agent/d3f:Agent/
aliases:
- Actor
is_a: Object
slots:
- app_name
- app_uid
- authorizations
- idp
- invoked_by
- process
- session
- user
slot_usage:
  app_name:
    name: app_name
    description: 'The client application or service that initiated the activity. This
      can be in
      conjunction with the <code>user</code> if present. Note that
      <code>app_name</code> is distinct from the <code>process</code> if present.'
  app_uid:
    name: app_uid
    description: 'The unique identifier of the client application or service that
      initiated the
      activity. This can be in conjunction with the <code>user</code> if present.
      Note that <code>app_name</code> is distinct from the <code>process.pid</code>
      or <code>process.uid</code> if present.'
  invoked_by:
    name: invoked_by
    deprecated: Use <code> app_name, app_uid </code> attributes instead.
  process:
    name: process
    description: The process that initiated the activity.
    recommended: true
  session:
    name: session
    description: The user session from which the activity was initiated.
  user:
    name: user
    description: 'The user that initiated the activity or the user context from which
      the
      activity was initiated.'
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
    - slot_conditions:
        invoked_by:
          name: invoked_by
          required: true
    - slot_conditions:
        session:
          name: session
          required: true
    - slot_conditions:
        app_name:
          name: app_name
          required: true
    - slot_conditions:
        app_uid:
          name: app_uid
          required: true
  description: 'OCSF at_least_one: at least one of [''process'', ''user'', ''invoked_by'',
    ''session'',
    ''app_name'', ''app_uid''] must be set.'
```
Induced
```yaml
name: Actor
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["process", "user", "invoked_by", "session", "app_name",
      "app_uid"]}'
description: 'The Actor object contains details about the user, role, application,
  service,
  or process that initiated or performed a specific activity. Note that Actor is
  not the threat actor of a campaign but may be part of a campaign.'
notes:
- D3FEND™ Ontology d3f:Agent. — https://next.d3fend.mitre.org/agent/d3f:Agent/
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://next.d3fend.mitre.org/agent/d3f:Agent/
aliases:
- Actor
is_a: Object
slot_usage:
  app_name:
    name: app_name
    description: 'The client application or service that initiated the activity. This
      can be in
      conjunction with the <code>user</code> if present. Note that
      <code>app_name</code> is distinct from the <code>process</code> if present.'
  app_uid:
    name: app_uid
    description: 'The unique identifier of the client application or service that
      initiated the
      activity. This can be in conjunction with the <code>user</code> if present.
      Note that <code>app_name</code> is distinct from the <code>process.pid</code>
      or <code>process.uid</code> if present.'
  invoked_by:
    name: invoked_by
    deprecated: Use <code> app_name, app_uid </code> attributes instead.
  process:
    name: process
    description: The process that initiated the activity.
    recommended: true
  session:
    name: session
    description: The user session from which the activity was initiated.
  user:
    name: user
    description: 'The user that initiated the activity or the user context from which
      the
      activity was initiated.'
    recommended: true
attributes:
  app_name:
    name: app_name
    description: 'The client application or service that initiated the activity. This
      can be in
      conjunction with the <code>user</code> if present. Note that
      <code>app_name</code> is distinct from the <code>process</code> if present.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Application Name
    rank: 1000
    alias: app_name
    owner: Actor
    domain_of:
    - Actor
    - NetworkEvent
    range: string
  app_uid:
    name: app_uid
    description: 'The unique identifier of the client application or service that
      initiated the
      activity. This can be in conjunction with the <code>user</code> if present.
      Note that <code>app_name</code> is distinct from the <code>process.pid</code>
      or <code>process.uid</code> if present.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Application ID
    rank: 1000
    alias: app_uid
    owner: Actor
    domain_of:
    - Actor
    range: string
  authorizations:
    name: authorizations
    description: 'Provides details about an authorization, such as authorization outcome,
      and any
      associated policies related to the activity/event.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Authorization Information
    rank: 1000
    alias: authorizations
    owner: Actor
    domain_of:
    - Actor
    - SecurityControlProfile
    range: Authorization
    multivalued: true
  idp:
    name: idp
    description: This object describes details about the Identity Provider used.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Identity Provider
    rank: 1000
    alias: idp
    owner: Actor
    domain_of:
    - Actor
    - CloudResourcesInventoryInfo
    range: Idp
  invoked_by:
    name: invoked_by
    description: The name of the service that invoked the activity as described in
      the event.
    deprecated: Use <code> app_name, app_uid </code> attributes instead.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Invoked by
    rank: 1000
    alias: invoked_by
    owner: Actor
    domain_of:
    - Actor
    range: string
  process:
    name: process
    description: The process that initiated the activity.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process
    rank: 1000
    alias: process
    owner: Actor
    domain_of:
    - QueryEvidence
    - StartupItem
    - Actor
    - Evidences
    - ModuleQuery
    - NetworkConnectionQuery
    - ProcessQuery
    - SecurityFinding
    - ProcessRemediationActivity
    - MemoryActivity
    - ProcessActivity
    range: Process
    recommended: true
  session:
    name: session
    description: The user session from which the activity was initiated.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Session
    rank: 1000
    alias: session
    owner: Actor
    domain_of:
    - QueryEvidence
    - Actor
    - NetworkConnectionInfo
    - Process
    - SessionQuery
    - Authentication
    - AuthorizeSession
    - TunnelActivity
    range: Session
  user:
    name: user
    description: 'The user that initiated the activity or the user context from which
      the
      activity was initiated.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: Actor
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
    - slot_conditions:
        invoked_by:
          name: invoked_by
          required: true
    - slot_conditions:
        session:
          name: session
          required: true
    - slot_conditions:
        app_name:
          name: app_name
          required: true
    - slot_conditions:
        app_uid:
          name: app_uid
          required: true
  description: 'OCSF at_least_one: at least one of [''process'', ''user'', ''invoked_by'',
    ''session'',
    ''app_name'', ''app_uid''] must be set.'
```