The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.
Attributes

process
- Type: process
- Requirement: recommended
The process that initiated the activity.

user
- Type: user
- Requirement: recommended
The user that initiated the activity or the user context from which the activity was initiated.

app_name
- Type: string_t
- Requirement: optional
The client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process if present.

app_uid
- Type: string_t
- Requirement: optional
The unique identifier of the client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_uid is distinct from process.pid or process.uid if present.

authorizations
- Type: authorization
- Requirement: optional
Provides details about an authorization, such as the authorization outcome and any associated policies related to the activity/event.

idp
- Type: idp
- Requirement: optional
This object describes details about the Identity Provider used.

invoked_by
- Type: string_t
- Requirement: optional
The name of the service that invoked the activity as described in the event.

session
- Type: session
- Requirement: optional
The user session from which the activity was initiated.
Constraints

At least one of: process, user, invoked_by, session, app_name, app_uid
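The attribute list and the "at least one of" constraint above are easy to get wrong when mapping telemetry into the schema: an Actor with only an idp or only authorizations is not valid, and app_uid is an application identifier, not a process id. The following Python is an added example, not code from the OCSF project or from this page. It builds Actor objects from two constructed records (an endpoint process event and a cloud API audit record) and checks them against the attribute names and the constraint listed here. The nested keys of the process, user and session objects (pid, name, cmd_line, uid, issuer) and the sample records are assumptions for illustration, since this page does not describe those objects.

```python
"""Constructing and checking OCSF Actor objects (added example, not OCSF project code)."""
from __future__ import annotations

from typing import Any

# Attribute names of the Actor object as listed on this page.
ACTOR_ATTRIBUTES = frozenset({
    "process", "user", "app_name", "app_uid",
    "authorizations", "idp", "invoked_by", "session",
})

# The page's constraint: an Actor must carry at least one of these.
# Note that idp and authorizations are NOT in this list.
ACTOR_ANY_OF = ("process", "user", "invoked_by", "session", "app_name", "app_uid")


def _is_set(value: Any) -> bool:
    """Treat None, empty strings and empty containers as absent."""
    return value not in (None, "", {}, [])


def validate_actor(actor: dict[str, Any]) -> list[str]:
    """Return the problems with an Actor object; an empty list means it is acceptable."""
    problems: list[str] = []
    unknown = sorted(set(actor) - ACTOR_ATTRIBUTES)
    if unknown:
        problems.append(f"unknown attribute(s): {unknown}")
    if not any(_is_set(actor.get(k)) for k in ACTOR_ANY_OF):
        problems.append("constraint violated: at least one of "
                        + ", ".join(ACTOR_ANY_OF) + " must be present")
    # app_name, app_uid and invoked_by are string_t on this page.
    for key in ("app_name", "app_uid", "invoked_by"):
        if key in actor and not isinstance(actor[key], str):
            problems.append(f"{key} must be a string_t, got {type(actor[key]).__name__}")
    return problems


def actor_from_endpoint_event(rec: dict[str, Any]) -> dict[str, Any]:
    """Endpoint sensor record: the process is the actor, run under a user context.

    The nested keys (pid, name, cmd_line, user name) are assumed from the OCSF
    process and user objects, which this page does not describe.
    """
    return {
        "process": {"pid": rec["pid"], "name": rec["image"], "cmd_line": rec["cmdline"]},
        "user": {"name": rec["user"]},
    }


def actor_from_cloud_api_event(rec: dict[str, Any]) -> dict[str, Any]:
    """Cloud API audit record: a principal acting through a client app and a session.

    There is no process here; app_name/app_uid identify the client application
    and are not a process identifier. When the platform reports that another
    service made the call on the principal's behalf, that name goes in invoked_by.
    Session/user keys (uid, issuer) are assumptions about the nested objects.
    """
    actor: dict[str, Any] = {
        "user": {"name": rec["principal"], "uid": rec["principal_id"]},
        "session": {"uid": rec["session_id"], "issuer": rec["session_issuer"]},
        "app_name": rec["user_agent_app"],
        "app_uid": rec["client_id"],
    }
    if rec.get("invoked_by"):
        actor["invoked_by"] = rec["invoked_by"]
    return actor


# Constructed sample records (not real telemetry).
ENDPOINT_RECORD = {
    "pid": 4312, "image": "powershell.exe",
    "cmdline": "powershell.exe -enc SQBFAFgA", "user": "CORP\\jdoe",
}
CLOUD_RECORD = {
    "principal": "deploy-bot", "principal_id": "user-0a1b2c",
    "session_id": "sess-7f3e", "session_issuer": "sts.example.test",
    "user_agent_app": "terraform", "client_id": "app-9d8e",
    "invoked_by": "cloudformation.example.test",
}


def demo() -> dict[str, list[str]]:
    """Validate the two built actors plus three deliberately bad ones."""
    return {
        "endpoint": validate_actor(actor_from_endpoint_event(ENDPOINT_RECORD)),
        "cloud": validate_actor(actor_from_cloud_api_event(CLOUD_RECORD)),
        "empty": validate_actor({}),
        "idp_only": validate_actor({"idp": {"name": "Okta"}}),
        "bad_key": validate_actor({"user": {"name": "x"}, "actor_name": "x"}),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'ok' if not problems else problems}")
```

The idp_only case is the one mappers most often miss: an Identity Provider alone says nothing about who acted, so the constraint rejects it until a user, session or another qualifying attribute is filled in.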
Used By

account_change, admin_group_query, airborne_broadcast_activity, api_activity, application_error, application_lifecycle, authentication, authorize_session, base_event, cloud_resources_inventory_info, compliance_finding, config_state, data_security_finding, datastore_activity, detection_finding, device_config_state_change, dhcp_activity, dns_activity, drone_flights_activity, email_activity, email_file_activity, email_url_activity, entity_management, event_log_actvity, file_activity, file_hosting, file_query, file_remediation_activity, folder_query, ftp_activity, group_management, http_activity, incident_finding, inventory_info, job_query, kernel_activity, kernel_extension_activity, kernel_object_query, memory_activity, module_activity, module_query, network_activity, network_connection_query, network_file_activity, network_remediation_activity, networks_query, ntp_activity, osint_inventory_info, patch_state, peripheral_device_query, process_activity, process_query, process_remediation_activity, rdp_activity, remediation_activity, scan_activity, scheduled_job_activity, script_activity, security_finding, service_query, session_query, smb_activity, software_info, ssh_activity, startup_item_query, tunnel_activity, user_access, user_inventory, user_query, vulnerability_finding, web_resource_access_activity, web_resources_activity, win/prefetch_query, win/registry_key_activity, win/registry_key_query, win/registry_value_activity, win/registry_value_query, win/windows_resource_activity, win/windows_service_activity