3001 - Account Change¶

CIM Data Models: All_Changes.Account_Management

OCSF Version: 1.0.0¶

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy",activity_id==9, "lock",true(), "other")`
change_type	`AAA`
command	`actor.process.cmd_line`
dvc	`metadata.log_provider`
object	`user.name`
object_id	`user.uid`
object_category	`account`
result	`status`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
user	`user.name`
user_agent	`http_request.user_agent`
user_name	`user.name`
user_type	`coalesce('user.type', 'user.type_id')`
src_user	`coalesce('actor.user.name', 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type', 'actor.user.type_id')`
vendor_product	`metadata.product.name`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy",activity_id==9, "lock",activity_id==10, "mfa_enable", activity_id==11, "mfa_disable", true(), "other")`
change_type	`AAA`
command	`actor.process.cmd_line`
dvc	`metadata.log_provider`
object	`user.name`
object_id	`user.uid`
object_category	`account`
result	`status`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
user	`user.name`
user_agent	`http_request.user_agent`
user_name	`user.name`
user_type	`coalesce('user.type', 'user.type_id')`
src_user	`coalesce('actor.user.name', 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type', 'actor.user.type_id')`
vendor_product	`metadata.product.name`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy",activity_id==9, "lock",activity_id==10, "mfa_enable", activity_id==11, "mfa_disable", true(), "other")`
change_type	`AAA`
command	`actor.process.cmd_line`
dvc	`metadata.log_provider`
object	`user.name`
object_id	`user.uid`
object_category	`account`
result	`status`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
user	`user.name`
user_agent	`http_request.user_agent`
user_name	`user.name`
user_type	`coalesce('user.type', 'user.type_id')`
src_user	`coalesce('actor.user.name', 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type', 'actor.user.type_id')`
vendor_product	`metadata.product.name`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy",activity_id==9, "lock",true(), "other")`
change_type	`AAA`
command	`actor.process.cmd_line`
dvc	`metadata.log_provider`
object	`user.name`
object_id	`user.uid`
object_category	`account`
result	`status`
result_id	`status_id`
src	`coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name')`
user	`user.name`
user_agent	`http_request.user_agent`
user_name	`user.name`
user_type	`coalesce('user.type', 'user.type_id')`
src_user	`coalesce('actor.user.name', 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type', 'actor.user.type_id')`
vendor_product	`metadata.product.name`