The User object describes the characteristics of a user/person or a security principal.
- Extends:
_entity
Attributes
Section titled “Attributes”has_mfa
- Type:
boolean_t - Requirement: recommended
The user has a multi-factor or secondary-factor device assigned.
name
- Type:
username_t - Requirement: recommended
The username. For example, janedoe1.
type_id
- Type:
integer_t - Requirement: recommended
- Values:
0-Unknown: The type is unknown.1-User: Regular user account.2-Admin: Admin/root user account.3-System: System account. For example, Windows computer accounts with a trailing dollar sign ($).99-Other: The type is not mapped. See thetypeattribute, which contains a data source specific value.
The account type identifier.
uid
- Type:
string_t - Requirement: recommended
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
account
- Type:
account - Requirement: optional
The user’s account or the account associated with the user.
credential_uid
- Type:
string_t - Requirement: optional
The unique identifier of the user’s credential. For example, AWS Access Key ID.
display_name
- Type:
string_t - Requirement: optional
The display name of the user, as reported by the product.
domain
- Type:
string_t - Requirement: optional
The domain where the user is defined. For example: the LDAP or Active Directory domain.
email_addr
- Type:
email_t - Requirement: optional
The user’s primary email address.
forward_addr
- Type:
email_t - Requirement: optional
The user’s forwarding email address.
full_name
- Type:
string_t - Requirement: optional
The full name of the user, as reported by the product.
groups
- Type:
group - Requirement: optional
The administrative groups to which the user belongs.
ldap_person
- Type:
ldap_person - Requirement: optional
The additional LDAP attributes that describe a person.
org
- Type:
organization - Requirement: optional
Organization and org unit related to the user.
phone_number
- Type:
string_t - Requirement: optional
The telephone number of the user.
risk_level
- Type:
string_t - Requirement: optional
The risk level, normalized to the caption of the risk_level_id value.
risk_level_id
- Type:
integer_t - Requirement: optional
- Values:
0-Info1-Low2-Medium3-High4-Critical99-Other: The risk level is not mapped. See therisk_levelattribute, which contains a data source specific value.
The normalized risk level id.
risk_score
- Type:
integer_t - Requirement: optional
The risk score as reported by the event source.
type
- Type:
string_t - Requirement: optional
The type of the user. For example, System, AWS IAM User, etc.
uid_alt
- Type:
string_t - Requirement: optional
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
Constraints
Section titled “Constraints”At least one of: account, name, uid
Used By
Section titled “Used By”account_changeadmin_group_queryairborne_broadcast_activityapplication_security_posture_findingauthenticationauthorize_sessioncompliance_findingdata_security_findingdetection_findingdrone_flights_activitygroup_managementincident_findingtunnel_activityuser_accessuser_inventoryuser_queryvulnerability_finding