3006 - Group Management¶

CIM Data Models: All_Changes.Account_Management

OCSF Version: 1.0.0¶

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "assign_privileges", activity_id==2, "revoke_privileges", activity_id==3, "add_user", activity_id==4, "remove_user", true(), "other")`
change_type	`AAA`
command	`coalesce('actor.process.cmd_line' , 'actor.process.file.name')`
dvc	`metadata.log_provider`
object	`group.name`
object_category	`coalesce('group.type', "group")`
object_id	`group.uid`
result	`coalesce('status_code', 'status_detail', 'status')`
result_id	`status_id`
src	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type' , 'actor.user.type_id')`
status	`coalesce('status' , 'status_code' , 'status_id')`
user_name	`user.name`
user_type	`coalesce('user.type' , 'user.type_id')`
vendor_product	`coalesce('metadata.product.name' , 'metadata.product.vendor_name')`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "assign_privileges", activity_id==2, "revoke_privileges", activity_id==3, "add_user", activity_id==4, "remove_user", activity_id==5, "deleted", activity_id==6, "created", true(), "other")`
change_type	`AAA`
command	`coalesce('actor.process.cmd_line' , 'actor.process.file.name')`
dvc	`metadata.log_provider`
object	`group.name`
object_category	`coalesce('group.type', "group")`
object_id	`group.uid`
result	`coalesce('status_code', 'status_detail', 'status')`
result_id	`status_id`
src	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type' , 'actor.user.type_id')`
status	`coalesce('status' , 'status_code' , 'status_id')`
user_name	`user.name`
user_type	`coalesce('user.type' , 'user.type_id')`
vendor_product	`coalesce('metadata.product.name' , 'metadata.product.vendor_name')`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "assign_privileges", activity_id==2, "revoke_privileges", activity_id==3, "add_user", activity_id==4, "remove_user", activity_id==5, "deleted", activity_id==6, "created", true(), "other")`
change_type	`AAA`
command	`coalesce('actor.process.cmd_line' , 'actor.process.file.name')`
dvc	`metadata.log_provider`
object	`group.name`
object_category	`coalesce('group.type', "group")`
object_id	`group.uid`
result	`coalesce('status_code', 'status_detail', 'status')`
result_id	`status_id`
src	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type' , 'actor.user.type_id')`
status	`coalesce('status' , 'status_code' , 'status_id')`
user_name	`user.name`
user_type	`coalesce('user.type' , 'user.type_id')`
vendor_product	`coalesce('metadata.product.name' , 'metadata.product.vendor_name')`

CIM Field	Mapping
action	`case(activity_id==0, "unknown", activity_id==1, "assign_privileges", activity_id==2, "revoke_privileges", activity_id==3, "add_user", activity_id==4, "remove_user", true(), "other")`
change_type	`AAA`
command	`coalesce('actor.process.cmd_line' , 'actor.process.file.name')`
dvc	`metadata.log_provider`
object	`group.name`
object_category	`coalesce('group.type', "group")`
object_id	`group.uid`
result	`coalesce('status_code', 'status_detail', 'status')`
result_id	`status_id`
src	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user	`coalesce('actor.user.name' , 'actor.user.uid')`
src_user_name	`actor.user.name`
src_user_type	`coalesce('actor.user.type' , 'actor.user.type_id')`
status	`coalesce('status' , 'status_code' , 'status_id')`
user_name	`user.name`
user_type	`coalesce('user.type' , 'user.type_id')`
vendor_product	`coalesce('metadata.product.name' , 'metadata.product.vendor_name')`