Class: ManagedEntity
The Managed Entity object describes the type and version of an entity, such as
a user, device, or policy. For types in the type_id enum list, an
associated attribute should be populated. If the type of entity is not in the
type_id list, information can be put into the data
attribute, type_id should be 'Other' and the type
attribute should label the entity type.
URI: ocsf:ManagedEntity
classDiagram
class ManagedEntity
click ManagedEntity href "../ManagedEntity/"
Entity <|-- ManagedEntity
click Entity href "../Entity/"
ManagedEntity : data
ManagedEntity : device
ManagedEntity --> "0..1 _recommended_" Device : device
click Device href "../Device/"
ManagedEntity : email
ManagedEntity --> "0..1 _recommended_" Email : email
click Email href "../Email/"
ManagedEntity : group
ManagedEntity --> "0..1 _recommended_" Group : group
click Group href "../Group/"
ManagedEntity : location
ManagedEntity --> "0..1" Location : location
click Location href "../Location/"
ManagedEntity : name
ManagedEntity : org
ManagedEntity --> "0..1 _recommended_" Organization : org
click Organization href "../Organization/"
ManagedEntity : policy
ManagedEntity --> "0..1 _recommended_" Policy : policy
click Policy href "../Policy/"
ManagedEntity : type
ManagedEntity : type_id
ManagedEntity --> "0..1 _recommended_" ManagedEntityTypeIdEnum : type_id
click ManagedEntityTypeIdEnum href "../ManagedEntityTypeIdEnum/"
ManagedEntity : uid
ManagedEntity : user
ManagedEntity --> "0..1 _recommended_" User : user
click User href "../User/"
ManagedEntity : version
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| data | 0..1 String |
The managed entity content as a JSON object | direct |
| device | 0..1 recommended Device |
An addressable device, computer system or host | direct |
| 0..1 recommended |
The email object | direct | |
| group | 0..1 recommended Group |
The group object associated with an entity such as user, policy, or rule | direct |
| location | 0..1 Location |
The detailed geographical location usually associated with an IP address | direct |
| name | 0..1 recommended String |
The name of the managed entity | direct |
| org | 0..1 recommended Organization |
The Organization object containing details about the managed organizational | direct |
| policy | 0..1 recommended Policy |
Describes details of a managed policy | direct |
| type | 0..1 recommended String |
The managed entity type | direct |
| type_id | 0..1 recommended ManagedEntityTypeIdEnum |
The type of the Managed Entity | direct |
| uid | 0..1 recommended String |
The identifier of the managed entity | direct |
| user | 0..1 recommended User |
The user that pertains to the event or object | direct |
| version | 0..1 recommended String |
The version of the managed entity | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| EntityManagement | entity | range | ManagedEntity |
| EntityManagement | entity_result | range | ManagedEntity |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | [{'slot_conditions': {}}, {'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {'device': {'required': True}}}, {'slot_conditions': {'group': {'required': True}}}, {'slot_conditions': {'org': {'required': True}}}, {'slot_conditions': {'policy': {'required': True}}}, {'slot_conditions': {'user': {'required': True}}}] |
In Subsets
Aliases
- Managed Entity
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["name", "uid", "device", "group", "org", "policy", "user"]} |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:ManagedEntity |
| native | ocsf:ManagedEntity |
LinkML Source
Direct
name: ManagedEntity
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"at_least_one": ["name", "uid", "device", "group", "org", "policy", "user"]}'
description: 'The Managed Entity object describes the type and version of an entity,
such as
a user, device, or policy. For types in the <code>type_id</code> enum list, an
associated attribute should be populated. If the type of entity is not in the
<code>type_id</code> list, information can be put into the <code>data</code>
attribute, <code>type_id</code> should be ''Other'' and the <code>type</code>
attribute should label the entity type.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Managed Entity
is_a: Entity
slots:
- data
- device
- email
- group
- location
- name
- org
- policy
- type
- type_id
- uid
- user
- version
slot_usage:
data:
name: data
description: The managed entity content as a JSON object.
device:
name: device
recommended: true
email:
name: email
recommended: true
group:
name: group
recommended: true
name:
name: name
description: 'The name of the managed entity. It should match the name of the
specific entity
object''s name if populated, or the name of the managed entity if the
<code>type_id</code> is ''Other''.'
org:
name: org
description: 'The Organization object containing details about the managed organizational
entity. This object includes properties such as the organization name, unique
identifier, type, and other organizational metadata. This attribute should be
populated when <code>type_id</code> is <code>4</code> (Organization).'
recommended: true
policy:
name: policy
description: Describes details of a managed policy.
recommended: true
type:
name: type
description: 'The managed entity type. For example: <code>Policy</code>, <code>User</code>,
<code>Organization</code>, <code>Device</code>.'
recommended: true
type_id:
name: type_id
description: 'The type of the Managed Entity. It is recommended to also populate
the
<code>type</code> attribute with the associated label, or the source specific
name if <code>Other</code>.'
range: ManagedEntityTypeIdEnum
recommended: true
uid:
name: uid
description: 'The identifier of the managed entity. It should match the <code>uid</code>
of
the specific entity''s object UID if populated, or the source specific ID if
the
<code>type_id</code> is ''Other''.'
user:
name: user
recommended: true
version:
name: version
description: 'The version of the managed entity. For example: <code>1.2.3</code>.'
recommended: true
rules:
- postconditions:
any_of:
- slot_conditions:
name:
name: name
required: true
- slot_conditions:
uid:
name: uid
required: true
- slot_conditions:
device:
name: device
required: true
- slot_conditions:
group:
name: group
required: true
- slot_conditions:
org:
name: org
required: true
- slot_conditions:
policy:
name: policy
required: true
- slot_conditions:
user:
name: user
required: true
description: 'OCSF at_least_one: at least one of [''name'', ''uid'', ''device'',
''group'', ''org'',
''policy'', ''user''] must be set.'
Induced
name: ManagedEntity
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"at_least_one": ["name", "uid", "device", "group", "org", "policy", "user"]}'
description: 'The Managed Entity object describes the type and version of an entity,
such as
a user, device, or policy. For types in the <code>type_id</code> enum list, an
associated attribute should be populated. If the type of entity is not in the
<code>type_id</code> list, information can be put into the <code>data</code>
attribute, <code>type_id</code> should be ''Other'' and the <code>type</code>
attribute should label the entity type.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Managed Entity
is_a: Entity
slot_usage:
data:
name: data
description: The managed entity content as a JSON object.
device:
name: device
recommended: true
email:
name: email
recommended: true
group:
name: group
recommended: true
name:
name: name
description: 'The name of the managed entity. It should match the name of the
specific entity
object''s name if populated, or the name of the managed entity if the
<code>type_id</code> is ''Other''.'
org:
name: org
description: 'The Organization object containing details about the managed organizational
entity. This object includes properties such as the organization name, unique
identifier, type, and other organizational metadata. This attribute should be
populated when <code>type_id</code> is <code>4</code> (Organization).'
recommended: true
policy:
name: policy
description: Describes details of a managed policy.
recommended: true
type:
name: type
description: 'The managed entity type. For example: <code>Policy</code>, <code>User</code>,
<code>Organization</code>, <code>Device</code>.'
recommended: true
type_id:
name: type_id
description: 'The type of the Managed Entity. It is recommended to also populate
the
<code>type</code> attribute with the associated label, or the source specific
name if <code>Other</code>.'
range: ManagedEntityTypeIdEnum
recommended: true
uid:
name: uid
description: 'The identifier of the managed entity. It should match the <code>uid</code>
of
the specific entity''s object UID if populated, or the source specific ID if
the
<code>type_id</code> is ''Other''.'
user:
name: user
recommended: true
version:
name: version
description: 'The version of the managed entity. For example: <code>1.2.3</code>.'
recommended: true
attributes:
data:
name: data
description: The managed entity content as a JSON object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data
rank: 1000
alias: data
owner: ManagedEntity
domain_of:
- Request
- Response
- TlsExtension
- Resource
- ApplicationObject
- Edge
- Enrichment
- Evidences
- ManagedEntity
- Node
- Policy
- QueryInfo
- WebResource
- RegValue
range: string
device:
name: device
description: An addressable device, computer system or host.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Device
rank: 1000
alias: device
owner: ManagedEntity
domain_of:
- AuthFactor
- Evidences
- Logger
- ManagedEntity
- HostProfile
- ConfigState
- DeviceConfigStateChange
- EvidenceInfo
- InventoryInfo
- PatchState
- SoftwareInfo
- DataSecurityFinding
- Finding
- RdpActivity
- TunnelActivity
- SystemEvent
- EventLogActvity
range: Device
recommended: true
email:
name: email
description: The email object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Email
rank: 1000
alias: email
owner: ManagedEntity
domain_of:
- Osint
- Evidences
- ManagedEntity
- EmailActivity
range: Email
recommended: true
group:
name: group
description: The group object associated with an entity such as user, policy,
or rule.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Group
rank: 1000
alias: group
owner: ManagedEntity
domain_of:
- QueryEvidence
- Api
- ApplicationObject
- Databucket
- ManagedEntity
- Policy
- ResourceDetails
- AdminGroupQuery
- AuthorizeSession
- GroupManagement
- LinuxUsersProfile
range: Group
recommended: true
location:
name: location
description: The detailed geographical location usually associated with an IP
address.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Geo Location
rank: 1000
alias: location
owner: ManagedEntity
domain_of:
- Osint
- Aircraft
- DomainContact
- Endpoint
- LdapPerson
- ManagedEntity
- UnmannedAerialSystem
- Device
range: Location
name:
name: name
description: 'The name of the managed entity. It should match the name of the
specific entity
object''s name if populated, or the name of the managed entity if the
<code>type_id</code> is ''Other''.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: ManagedEntity
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
recommended: true
org:
name: org
description: 'The Organization object containing details about the managed organizational
entity. This object includes properties such as the organization name, unique
identifier, type, and other organizational metadata. This attribute should be
populated when <code>type_id</code> is <code>4</code> (Organization).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Organization
rank: 1000
alias: org
owner: ManagedEntity
domain_of:
- Cloud
- ManagedEntity
- Reporter
- User
- Device
range: Organization
recommended: true
policy:
name: policy
description: Describes details of a managed policy.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Policy
rank: 1000
alias: policy
owner: ManagedEntity
domain_of:
- PermissionAnalysisResult
- AdditionalRestriction
- Assessment
- Authorization
- DataClassification
- DataSecurity
- ManagedEntity
- SecurityControlProfile
- ScanActivity
- AccountChange
range: Policy
recommended: true
type:
name: type
description: 'The managed entity type. For example: <code>Policy</code>, <code>User</code>,
<code>Organization</code>, <code>Device</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type
rank: 1000
alias: type
owner: ManagedEntity
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- ProgrammaticCredential
- RelatedEvent
- San
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Dns
- Resource
- Account
- Agent
- Analytic
- ApplicationObject
- AuthenticationToken
- ClassifierDetails
- Cve
- Database
- Databucket
- DiscoveryDetails
- DnsAnswer
- DomainContact
- EncryptionDetails
- Endpoint
- Enrichment
- File
- Graph
- Group
- Ja4Fingerprint
- Kernel
- ManagedEntity
- Metadata
- Module
- NetworkEndpoint
- NetworkInterface
- Node
- PeripheralDevice
- Policy
- Rule
- Scan
- Trait
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- WebResource
- Device
- DatastoreActivity
- FtpActivity
- RegValue
- WinResource
range: string
recommended: true
type_id:
name: type_id
annotations:
sibling:
tag: sibling
value: type
description: 'The type of the Managed Entity. It is recommended to also populate
the
<code>type</code> attribute with the associated label, or the source specific
name if <code>Other</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_id
owner: ManagedEntity
domain_of:
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Account
- Agent
- Analytic
- AuthenticationToken
- Database
- Databucket
- DomainContact
- Endpoint
- File
- Ja4Fingerprint
- Kernel
- ManagedEntity
- NetworkEndpoint
- NetworkInterface
- PeripheralDevice
- Scan
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- Device
- DatastoreActivity
- RegValue
- WinResource
range: ManagedEntityTypeIdEnum
recommended: true
uid:
name: uid
description: 'The identifier of the managed entity. It should match the <code>uid</code>
of
the specific entity''s object UID if populated, or the source specific ID if
the
<code>type_id</code> is ''Other''.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: ManagedEntity
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
recommended: true
user:
name: user
description: The user that pertains to the event or object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- User
rank: 1000
alias: user
owner: ManagedEntity
domain_of:
- QueryEvidence
- Actor
- Evidences
- Job
- ManagedEntity
- Process
- UserInventory
- UserQuery
- IamAnalysisFinding
- AccountChange
- Authentication
- AuthorizeSession
- GroupManagement
- UserAccess
- RdpActivity
- TunnelActivity
range: User
recommended: true
version:
name: version
description: 'The version of the managed entity. For example: <code>1.2.3</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Version
rank: 1000
alias: version
owner: ManagedEntity
domain_of:
- Os
- Package
- RpcInterface
- Sbom
- Scim
- SoftwareComponent
- Tls
- Agent
- AiModel
- Analytic
- Api
- ApplicationObject
- Attack
- Certificate
- Check
- CisControl
- CisCsc
- Cvss
- D3fend
- Databucket
- Epss
- Extension
- Feature
- File
- HttpRequest
- Logger
- ManagedEntity
- Metadata
- Policy
- Product
- ResourceDetails
- Rule
- Service
- NtpActivity
range: string
recommended: true
rules:
- postconditions:
any_of:
- slot_conditions:
name:
name: name
required: true
- slot_conditions:
uid:
name: uid
required: true
- slot_conditions:
device:
name: device
required: true
- slot_conditions:
group:
name: group
required: true
- slot_conditions:
org:
name: org
required: true
- slot_conditions:
policy:
name: policy
required: true
- slot_conditions:
user:
name: user
required: true
description: 'OCSF at_least_one: at least one of [''name'', ''uid'', ''device'',
''group'', ''org'',
''policy'', ''user''] must be set.'