Class: IdentityActivityMetrics
The Identity Activity Metrics object captures usage patterns, authentication
activity, credential usage and other metrics for identities across cloud and
on-premises environments. Example identities include AWS IAM Users, Roles,
Azure AD Principals, GCP Service Accounts, on-premises Active Directory
accounts.
URI: ocsf:IdentityActivityMetrics
classDiagram
class IdentityActivityMetrics
click IdentityActivityMetrics href "../IdentityActivityMetrics/"
Object <|-- IdentityActivityMetrics
click Object href "../Object/"
IdentityActivityMetrics : first_seen_time
IdentityActivityMetrics : last_authentication_time
IdentityActivityMetrics : last_seen_time
IdentityActivityMetrics : password_last_used_time
IdentityActivityMetrics : programmatic_credentials
IdentityActivityMetrics --> "*" ProgrammaticCredential : programmatic_credentials
click ProgrammaticCredential href "../ProgrammaticCredential/"
Inheritance
- OcsfObject
- Object
- IdentityActivityMetrics
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| first_seen_time | 0..1 TimestampT |
The timestamp when this identity was first observed or created in the system | direct |
| last_authentication_time | 0..1 TimestampT |
The timestamp when this identity last successfully authenticated to any syste... | direct |
| last_seen_time | 0..1 recommended TimestampT |
The timestamp of the most recent activity performed by this identity, includi... | direct |
| password_last_used_time | 0..1 TimestampT |
The timestamp when password-based authentication was last used by this | direct |
| programmatic_credentials | * ProgrammaticCredential |
Details about the programmatic credentials associated with this identity, suc... | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| IamAnalysisFinding | identity_activity_metrics | range | IdentityActivityMetrics |
In Subsets
Aliases
- Identity Activity Metrics
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:IdentityActivityMetrics |
| native | ocsf:IdentityActivityMetrics |
LinkML Source
Direct
name: IdentityActivityMetrics
description: 'The Identity Activity Metrics object captures usage patterns, authentication
activity, credential usage and other metrics for identities across cloud and
on-premises environments. Example identities include AWS IAM Users, Roles,
Azure AD Principals, GCP Service Accounts, on-premises Active Directory
accounts.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Identity Activity Metrics
is_a: Object
slots:
- first_seen_time
- last_authentication_time
- last_seen_time
- password_last_used_time
- programmatic_credentials
slot_usage:
first_seen_time:
name: first_seen_time
description: 'The timestamp when this identity was first observed or created in
the system.
This helps establish the identity''s age and lifecycle stage for risk
assessment.'
last_authentication_time:
name: last_authentication_time
description: 'The timestamp when this identity last successfully authenticated
to any system
or service. This differs from <code>last_seen_time</code> as it specifically
tracks authentication events rather than all activities.'
last_seen_time:
name: last_seen_time
description: 'The timestamp of the most recent activity performed by this identity,
including
authentication, resource access, or API calls. This is the most comprehensive
indicator of identity usage recency.'
recommended: true
password_last_used_time:
name: password_last_used_time
description: 'The timestamp when password-based authentication was last used by
this
identity. This helps distinguish between password and other authentication
methods (MFA, SSO, certificates) and identify password-specific usage patterns.'
programmatic_credentials:
name: programmatic_credentials
description: 'Details about the programmatic credentials associated with this
identity, such
as API keys, service account keys, access tokens, and client certificates used
for automated access.'
Induced
name: IdentityActivityMetrics
description: 'The Identity Activity Metrics object captures usage patterns, authentication
activity, credential usage and other metrics for identities across cloud and
on-premises environments. Example identities include AWS IAM Users, Roles,
Azure AD Principals, GCP Service Accounts, on-premises Active Directory
accounts.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Identity Activity Metrics
is_a: Object
slot_usage:
first_seen_time:
name: first_seen_time
description: 'The timestamp when this identity was first observed or created in
the system.
This helps establish the identity''s age and lifecycle stage for risk
assessment.'
last_authentication_time:
name: last_authentication_time
description: 'The timestamp when this identity last successfully authenticated
to any system
or service. This differs from <code>last_seen_time</code> as it specifically
tracks authentication events rather than all activities.'
last_seen_time:
name: last_seen_time
description: 'The timestamp of the most recent activity performed by this identity,
including
authentication, resource access, or API calls. This is the most comprehensive
indicator of identity usage recency.'
recommended: true
password_last_used_time:
name: password_last_used_time
description: 'The timestamp when password-based authentication was last used by
this
identity. This helps distinguish between password and other authentication
methods (MFA, SSO, certificates) and identify password-specific usage patterns.'
programmatic_credentials:
name: programmatic_credentials
description: 'Details about the programmatic credentials associated with this
identity, such
as API keys, service account keys, access tokens, and client certificates used
for automated access.'
attributes:
first_seen_time:
name: first_seen_time
description: 'The timestamp when this identity was first observed or created in
the system.
This helps establish the identity''s age and lifecycle stage for risk
assessment.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- First Seen
rank: 1000
alias: first_seen_time
owner: IdentityActivityMetrics
domain_of:
- RelatedEvent
- Vulnerability
- FindingObject
- FindingInfo
- IdentityActivityMetrics
- Device
range: TimestampT
last_authentication_time:
name: last_authentication_time
description: 'The timestamp when this identity last successfully authenticated
to any system
or service. This differs from <code>last_seen_time</code> as it specifically
tracks authentication events rather than all activities.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Last Authentication Time
rank: 1000
alias: last_authentication_time
owner: IdentityActivityMetrics
domain_of:
- IdentityActivityMetrics
range: TimestampT
last_seen_time:
name: last_seen_time
description: 'The timestamp of the most recent activity performed by this identity,
including
authentication, resource access, or API calls. This is the most comprehensive
indicator of identity usage recency.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Last Seen
rank: 1000
alias: last_seen_time
owner: IdentityActivityMetrics
domain_of:
- RelatedEvent
- Vulnerability
- Whois
- FindingObject
- FindingInfo
- IdentityActivityMetrics
- Device
range: TimestampT
recommended: true
password_last_used_time:
name: password_last_used_time
description: 'The timestamp when password-based authentication was last used by
this
identity. This helps distinguish between password and other authentication
methods (MFA, SSO, certificates) and identify password-specific usage patterns.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Password Last Used Time
rank: 1000
alias: password_last_used_time
owner: IdentityActivityMetrics
domain_of:
- IdentityActivityMetrics
range: TimestampT
programmatic_credentials:
name: programmatic_credentials
description: 'Details about the programmatic credentials associated with this
identity, such
as API keys, service account keys, access tokens, and client certificates used
for automated access.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Programmatic Credentials
rank: 1000
alias: programmatic_credentials
owner: IdentityActivityMetrics
domain_of:
- IdentityActivityMetrics
- User
range: ProgrammaticCredential
multivalued: true