Class: User
The User object describes the characteristics of a user/person or a security
principal.
URI: ocsf:User
```mermaid
classDiagram
    class User
    click User href "../User/"
    Entity <|-- User
    click Entity href "../Entity/"
    User : account
    User --> "0..1" Account : account
    click Account href "../Account/"
    User : credential_uid
    User : display_name
    User : domain
    User : email_addr
    User : forward_addr
    User : full_name
    User : groups
    User --> "*" Group : groups
    click Group href "../Group/"
    User : has_mfa
    User : ldap_person
    User --> "0..1" LdapPerson : ldap_person
    click LdapPerson href "../LdapPerson/"
    User : name
    User : org
    User --> "0..1" Organization : org
    click Organization href "../Organization/"
    User : phone_number
    User : programmatic_credentials
    User --> "*" ProgrammaticCredential : programmatic_credentials
    click ProgrammaticCredential href "../ProgrammaticCredential/"
    User : risk_level
    User : risk_level_id
    User --> "0..1" RiskLevelIdEnum : risk_level_id
    click RiskLevelIdEnum href "../RiskLevelIdEnum/"
    User : risk_score
    User : type
    User : type_id
    User --> "0..1 _recommended_" UserTypeIdEnum : type_id
    click UserTypeIdEnum href "../UserTypeIdEnum/"
    User : uid
    User : uid_alt
```
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| account | 0..1 Account | The user's account or the account associated with the user | direct |
| credential_uid | 0..1 String | The unique identifier of the user's credential | direct |
| display_name | 0..1 String | The display name of the user, as reported by the product | direct |
| domain | 0..1 String | The domain where the user is defined | direct |
| email_addr | 0..1 EmailT | The user's primary email address | direct |
| forward_addr | 0..1 EmailT | The user's forwarding email address | direct |
| full_name | 0..1 String | The full name of the user, as reported by the product | direct |
| groups | * Group | The administrative groups to which the user belongs | direct |
| has_mfa | 0..1 recommended Boolean | The user has a multi-factor or secondary-factor device assigned | direct |
| ldap_person | 0..1 LdapPerson | The additional LDAP attributes that describe a person | direct |
| name | 0..1 recommended String | The username | direct |
| org | 0..1 Organization | Organization and org unit related to the user | direct |
| phone_number | 0..1 String | The telephone number of the user | direct |
| programmatic_credentials | * ProgrammaticCredential | Details about the programmatic credential (API keys, access tokens, certificates, etc) associated to the user | direct |
| risk_level | 0..1 String | The risk level, normalized to the caption of the risk_level_id value | direct |
| risk_level_id | 0..1 RiskLevelIdEnum | The normalized risk level id | direct |
| risk_score | 0..1 Integer | The risk score as reported by the event source | direct |
| type | 0..1 String | The type of the user | direct |
| type_id | 0..1 recommended UserTypeIdEnum | The account type identifier | direct |
| uid | 0..1 recommended String | The unique user identifier | direct |
| uid_alt | 0..1 String | The alternate user identifier | direct |
Usages
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | | [{'slot_conditions': {'account': {'required': True}}}, {'slot_conditions': {'name': {'required': True}}}, {'slot_conditions': {'uid': {'required': True}}}] | |
In Subsets
Aliases
- User
See Also
Notes
- D3FEND™ Ontology d3f:UserAccount — https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["account", "name", "uid"]} |
| observable_id | 21 |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:User |
| native | ocsf:User |
| close | stix:UserAccount, uco_master:UserAccount |
LinkML Source
Direct
```yaml
name: User
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["account", "name", "uid"]}'
  observable_id:
    tag: observable_id
    value: 21
description: 'The User object describes the characteristics of a user/person or a
  security
  principal.'
notes:
- 'D3FEND™ Ontology d3f:UserAccount —
  https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
aliases:
- User
close_mappings:
- stix:UserAccount
- uco_master:UserAccount
is_a: Entity
slots:
- account
- credential_uid
- display_name
- domain
- email_addr
- forward_addr
- full_name
- groups
- has_mfa
- ldap_person
- name
- org
- phone_number
- programmatic_credentials
- risk_level
- risk_level_id
- risk_score
- type
- type_id
- uid
- uid_alt
slot_usage:
  account:
    name: account
    description: The user's account or the account associated with the user.
  credential_uid:
    name: credential_uid
    deprecated: Use <code>programmatic_credentials</code> instead.
  display_name:
    name: display_name
    description: The display name of the user, as reported by the product.
  domain:
    name: domain
    description: 'The domain where the user is defined. For example: the LDAP or Active
      Directory
      domain.'
  full_name:
    name: full_name
    description: The full name of the user, as reported by the product.
  groups:
    name: groups
    description: The administrative groups to which the user belongs.
  has_mfa:
    name: has_mfa
    recommended: true
  ldap_person:
    name: ldap_person
    description: The additional LDAP attributes that describe a person.
  name:
    name: name
    description: The username. For example, <code>janedoe1</code>.
    recommended: true
  org:
    name: org
    description: Organization and org unit related to the user.
  phone_number:
    name: phone_number
    description: The telephone number of the user.
  programmatic_credentials:
    name: programmatic_credentials
    description: 'Details about the programmatic credential (API keys, access tokens,
      certificates, etc) associated to the user.'
  type:
    name: type
    description: The type of the user. For example, System, AWS IAM User, etc.
  type_id:
    name: type_id
    description: The account type identifier.
    range: UserTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique user identifier. For example, the Windows user SID, ActiveDirectory
      DN or AWS user ARN.'
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'The alternate user identifier. For example, the Active Directory
      user GUID or
      AWS user Principal ID.'
rules:
- postconditions:
    any_of:
    - slot_conditions:
        account:
          name: account
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
  description: 'OCSF at_least_one: at least one of [''account'', ''name'', ''uid'']
    must be set.'
```
Induced
```yaml
name: User
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["account", "name", "uid"]}'
  observable_id:
    tag: observable_id
    value: 21
description: 'The User object describes the characteristics of a user/person or a
  security
  principal.'
notes:
- 'D3FEND™ Ontology d3f:UserAccount —
  https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/
aliases:
- User
close_mappings:
- stix:UserAccount
- uco_master:UserAccount
is_a: Entity
slot_usage:
  account:
    name: account
    description: The user's account or the account associated with the user.
  credential_uid:
    name: credential_uid
    deprecated: Use <code>programmatic_credentials</code> instead.
  display_name:
    name: display_name
    description: The display name of the user, as reported by the product.
  domain:
    name: domain
    description: 'The domain where the user is defined. For example: the LDAP or Active
      Directory
      domain.'
  full_name:
    name: full_name
    description: The full name of the user, as reported by the product.
  groups:
    name: groups
    description: The administrative groups to which the user belongs.
  has_mfa:
    name: has_mfa
    recommended: true
  ldap_person:
    name: ldap_person
    description: The additional LDAP attributes that describe a person.
  name:
    name: name
    description: The username. For example, <code>janedoe1</code>.
    recommended: true
  org:
    name: org
    description: Organization and org unit related to the user.
  phone_number:
    name: phone_number
    description: The telephone number of the user.
  programmatic_credentials:
    name: programmatic_credentials
    description: 'Details about the programmatic credential (API keys, access tokens,
      certificates, etc) associated to the user.'
  type:
    name: type
    description: The type of the user. For example, System, AWS IAM User, etc.
  type_id:
    name: type_id
    description: The account type identifier.
    range: UserTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique user identifier. For example, the Windows user SID, ActiveDirectory
      DN or AWS user ARN.'
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'The alternate user identifier. For example, the Active Directory
      user GUID or
      AWS user Principal ID.'
attributes:
  account:
    name: account
    description: The user's account or the account associated with the user.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Account
    rank: 1000
    alias: account
    owner: User
    domain_of:
    - Cloud
    - User
    range: Account
  credential_uid:
    name: credential_uid
    annotations:
      observable_id:
        tag: observable_id
        value: 19
    description: The unique identifier of the user's credential. For example, AWS
      Access Key ID.
    deprecated: Use <code>programmatic_credentials</code> instead.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User Credential ID
    rank: 1000
    alias: credential_uid
    owner: User
    domain_of:
    - Session
    - User
    range: string
  display_name:
    name: display_name
    description: The display name of the user, as reported by the product.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Display Name
    rank: 1000
    alias: display_name
    owner: User
    domain_of:
    - LdapPerson
    - User
    range: string
  domain:
    name: domain
    description: 'The domain where the user is defined. For example: the LDAP or Active
      Directory
      domain.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Domain
    rank: 1000
    alias: domain
    owner: User
    domain_of:
    - Url
    - Whois
    - Endpoint
    - Group
    - HttpCookie
    - Idp
    - User
    - Device
    range: string
  email_addr:
    name: email_addr
    description: The user's primary email address.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Email Address
    rank: 1000
    alias: email_addr
    owner: User
    domain_of:
    - Whois
    - AuthFactor
    - DomainContact
    - User
    range: EmailT
  forward_addr:
    name: forward_addr
    description: The user's forwarding email address.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Forwarding Address
    rank: 1000
    alias: forward_addr
    owner: User
    domain_of:
    - User
    range: EmailT
  full_name:
    name: full_name
    description: The full name of the user, as reported by the product.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Full Name
    rank: 1000
    alias: full_name
    owner: User
    domain_of:
    - User
    range: string
  groups:
    name: groups
    description: The administrative groups to which the user belongs.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Groups
    rank: 1000
    alias: groups
    owner: User
    domain_of:
    - Database
    - Databucket
    - Table
    - User
    - Device
    range: Group
    multivalued: true
  has_mfa:
    name: has_mfa
    description: The user has a multi-factor or secondary-factor device assigned.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - MFA Assigned
    rank: 1000
    alias: has_mfa
    owner: User
    domain_of:
    - Idp
    - User
    range: boolean
    recommended: true
  ldap_person:
    name: ldap_person
    description: The additional LDAP attributes that describe a person.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - LDAP Person
    rank: 1000
    alias: ldap_person
    owner: User
    domain_of:
    - User
    range: LdapPerson
  name:
    name: name
    description: The username. For example, <code>janedoe1</code>.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: User
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  org:
    name: org
    description: Organization and org unit related to the user.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Organization
    rank: 1000
    alias: org
    owner: User
    domain_of:
    - Cloud
    - ManagedEntity
    - Reporter
    - User
    - Device
    range: Organization
  phone_number:
    name: phone_number
    description: The telephone number of the user.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Phone Number
    rank: 1000
    alias: phone_number
    owner: User
    domain_of:
    - Whois
    - AuthFactor
    - DomainContact
    - LdapPerson
    - User
    range: string
  programmatic_credentials:
    name: programmatic_credentials
    description: 'Details about the programmatic credential (API keys, access tokens,
      certificates, etc) associated to the user.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Programmatic Credentials
    rank: 1000
    alias: programmatic_credentials
    owner: User
    domain_of:
    - IdentityActivityMetrics
    - User
    range: ProgrammaticCredential
    multivalued: true
  risk_level:
    name: risk_level
    description: The risk level, normalized to the caption of the risk_level_id value.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Level
    rank: 1000
    alias: risk_level
    owner: User
    domain_of:
    - ApplicationObject
    - User
    - Device
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - SecurityFinding
    range: string
  risk_level_id:
    name: risk_level_id
    annotations:
      sibling:
        tag: sibling
        value: risk_level
      suppress_checks:
        tag: suppress_checks
        value: enum_convention
    description: The normalized risk level id.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Level ID
    rank: 1000
    alias: risk_level_id
    owner: User
    domain_of:
    - ApplicationObject
    - User
    - Device
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - SecurityFinding
    range: RiskLevelIdEnum
  risk_score:
    name: risk_score
    description: The risk score as reported by the event source.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Score
    rank: 1000
    alias: risk_score
    owner: User
    domain_of:
    - Osint
    - ApplicationObject
    - User
    - Device
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - SecurityFinding
    range: integer
  type:
    name: type
    description: The type of the user. For example, System, AWS IAM User, etc.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: User
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The account type identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: User
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: UserTypeIdEnum
    recommended: true
  uid:
    name: uid
    description: 'The unique user identifier. For example, the Windows user SID, ActiveDirectory
      DN or AWS user ARN.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: User
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  uid_alt:
    name: uid_alt
    description: 'The alternate user identifier. For example, the Active Directory
      user GUID or
      AWS user Principal ID.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Alternate ID
    rank: 1000
    alias: uid_alt
    owner: User
    domain_of:
    - Scim
    - Session
    - Resource
    - Agent
    - Aircraft
    - ApplicationObject
    - FindingInfo
    - Group
    - UnmannedAerialSystem
    - User
    - Device
    range: string
rules:
- postconditions:
    any_of:
    - slot_conditions:
        account:
          name: account
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
  description: 'OCSF at_least_one: at least one of [''account'', ''name'', ''uid'']
    must be set.'
```