3005 - API Activity / User Access Management
OCSF Reference
CIM Data Models: All_Changes.Account_Management
OCSF Version: 1.0.0-rc.3
| CIM Field |
Mapping |
| action |
case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy", activity_id==99, "other", 1==1, "other") |
| change_type |
user |
| command |
coalesce('actor.process.cmd_line' , 'actor.process.file.name') |
| dvc |
metadata.log_provider |
| object |
user.name |
| object_id |
user.uid |
| object_category |
coalesce('user.type', "user") |
| result |
coalesce('status_code', 'status_detail', 'status') |
| result_id |
status_id |
| src |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user_name |
actor.user.name |
| src_user_type |
coalesce('actor.user.type' , 'actor.user.type_id') |
| status |
coalesce('status' , 'status_code' , 'status_id') |
| vendor_product |
coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
OCSF Version: 1.0.0
| CIM Field |
Mapping |
| action |
case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy", activity_id==99, "other", 1==1, "other") |
| change_type |
user |
| command |
coalesce('actor.process.cmd_line' , 'actor.process.file.name') |
| dvc |
metadata.log_provider |
| object |
user.name |
| object_id |
user.uid |
| object_category |
coalesce('user.type', "user") |
| result |
coalesce('status_code', 'status_detail', 'status') |
| result_id |
status_id |
| src |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user_name |
actor.user.name |
| src_user_type |
coalesce('actor.user.type' , 'actor.user.type_id') |
| status |
coalesce('status' , 'status_code' , 'status_id') |
| vendor_product |
coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
OCSF Version: 1.1.0
| CIM Field |
Mapping |
| action |
case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy", activity_id==99, "other", 1==1, "other") |
| change_type |
user |
| command |
coalesce('actor.process.cmd_line' , 'actor.process.file.name') |
| dvc |
metadata.log_provider |
| object |
user.name |
| object_id |
user.uid |
| object_category |
coalesce('user.type', "user") |
| result |
coalesce('status_code', 'status_detail', 'status') |
| result_id |
status_id |
| src |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user_name |
actor.user.name |
| src_user_type |
coalesce('actor.user.type' , 'actor.user.type_id') |
| status |
coalesce('status' , 'status_code' , 'status_id') |
| vendor_product |
coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
OCSF Version: 1.2.0
| CIM Field |
Mapping |
| action |
case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "enabled", activity_id==3, "password_change", activity_id==4, "password_reset", activity_id==5, "disabled", activity_id==6, "deleted", activity_id==7, "attach_policy", activity_id==8, "detach_policy", activity_id==99, "other", 1==1, "other") |
| change_type |
user |
| command |
coalesce('actor.process.cmd_line' , 'actor.process.file.name') |
| dvc |
metadata.log_provider |
| object |
user.name |
| object_id |
user.uid |
| object_category |
coalesce('user.type', "user") |
| result |
coalesce('status_code', 'status_detail', 'status') |
| result_id |
status_id |
| src |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user |
coalesce('actor.user.name' , 'actor.user.uid') |
| src_user_name |
actor.user.name |
| src_user_type |
coalesce('actor.user.type' , 'actor.user.type_id') |
| status |
coalesce('status' , 'status_code' , 'status_id') |
| vendor_product |
coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
OCSF Version: 1.0.0-rc.2
| CIM Field |
Mapping |
| action |
case(activity_id==0, "unknown", activity_id==1, "created", activity_id==2, "read", activity_id==3, "updated", activity_id==4, "deleted", activity_id==99, "other", 1==1, "other") |
| change_type |
api |
| command |
actor.process.cmd_line |
| dest |
coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| object |
resources{}.name |
| object_id |
resources{}.uid |
| object_category |
resources{}.type |
| result |
coalesce('status_detail', 'status', 'status_id') |
| result_id |
status_id |
| src |
coalesce('src_endpoint.hostname', 'src_endpoint.ip', 'src_endpoint.name') |
| status |
case(status_id==1, "success", status_id==2, "failure", status_id==99, "other", 1==1, "unknown") |
| user |
actor.user.uid |
| user_agent |
http_request.user_agent |
| user_name |
actor.user.uid |
| user_type |
coalesce('actor.user.type',case('actor.user.type_id'==1,"User",'actor.user.type_id'==2,"Admin",'actor.user.type_id'==3,"System",'actor.user.type_id'==99,"Other", 1==1, "Unknown")) |
| vendor_account |
cloud.account.uid |
| vendor_product |
metadata.product.name |
| vendor_region |
cloud.account.region |