Caption | Name | Requirement | Type | Description |
---|---|---|---|---|
End Time | active | recommended | :ref:`boolean_t <boolean_t>` | Derived from OCSF User.end_time. User.end_time: The end time of when a particular state of the user was valid. Together, ``start_time`` and ``end_time`` bound the time when a particular user state was valid. If there is no ``end_time``, this tells the analyst that this is the current state of the user as DataBee understands it. There will only ever be a single user for which the ``end_time`` is ``null``. |
Created Time | created_time | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF User.created_time. User.created_time: The timestamp when the user was created. |
Email Address | email_addr | optional | :ref:`email_t <email_t>` | Derived from OCSF User.email_addr. User.email_addr: The user's primary email address. For example: ``noone@nowhere.ru`` |
Email Addresses | email_addrs | optional | :ref:`email_t Array <email_t>` | Derived from OCSF User.email_addresses. User.email_addresses: A list of additional email addresses for the user. |
Employee ID | employee_uid | optional | :ref:`string_t <string_t>` | Derived from OCSF User.employee_uid. User.employee_uid: The employee identifier assigned to the user by the organization. |
End Time | end_time | recommended | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF User.end_time. User.end_time: The end time of when a particular state of the user was valid. Together, ``start_time`` and ``end_time`` bound the time when a particular user state was valid. If there is no ``end_time``, this tells the analyst that this is the current state of the user as DataBee understands it. There will only ever be a single user for which the ``end_time`` is ``null``. |
Full Name | full_name | optional | :ref:`string_t <string_t>` | Derived from OCSF User.full_name. User.full_name: The full name of the person, as per the LDAP Common Name attribute (cn). |
Given Name | given_name | optional | :ref:`string_t <string_t>` | Derived from OCSF User.given_name. User.given_name: The given or first name of the user. |
Groups Name | group_names | optional | :ref:`string_t Array <string_t>` | Derived from OCSF User.groups.name. User.groups: The administrative groups to which the user belongs. Group.name: The group name. |
Hire Date | hire_datetime | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF User.hire_datetime. User.hire_datetime: The datetime when the user was/will be hired. |
Job Title | job_title | optional | :ref:`string_t <string_t>` | Derived from OCSF User.job_title. User.job_title: The user's job title. |
Leave Date | leave_datetime | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF User.leave_datetime. User.leave_datetime: The datetime when the user left/will be leaving the organization. |
Geo Location City | location_city | optional | :ref:`string_t <string_t>` | Derived from OCSF User.location.city. User.location: The detailed geographical location associated with a user. When used with the ``user_inventory`` event class, this typically documents the user's usual work location. Location.city: The name of the city. For example: san diego. |
Geo Location Country | location_country | optional | :ref:`string_t <string_t>` | Derived from OCSF User.location.country. User.location: The detailed geographical location associated with a user. When used with the ``user_inventory`` event class, this typically documents the user's usual work location. Location.country: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see `ISO 3166-1 alpha-2 codes <https://www.iso.org/obp/ui/#iso:pub:PUB500001:en>`_. |
Manager | manager_id | optional | :ref:`integer_t <integer_t>` | Derived from OCSF User.manager. User.manager: The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. That is, there should not be a manager's manager in an event. |
Modified Time | modified_time | optional | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF User.modified_time. User.modified_time: The timestamp when the user entry was last modified. |
Name | name | recommended | :ref:`string_t <string_t>` | Derived from OCSF User.name. User.name: The username. For example, ``janedoe1``. |
Office Location | office_location | optional | :ref:`string_t <string_t>` | Derived from OCSF User.office_location. User.office_location: The primary office location associated with the user. This could be any string and isn't a specific address. For example, ``South East Virtual``. |
Organization Name | org_name | optional | :ref:`string_t <string_t>` | Derived from OCSF User.org.name. User.org: Organization and org unit related to the user. Organization.name: The name of the organization. For example, Widget, Inc. |
Organization Org Unit Name | org_ou_name | optional | :ref:`string_t <string_t>` | Derived from OCSF User.org.ou_name. User.org: Organization and org unit related to the user. Organization.ou_name: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. |
Record Created At | record_created_at | required | :ref:`timestamp_t <timestamp_t>` | CDP-generated timestamp when the record was created. |
Record Updated At | record_updated_at | required | :ref:`timestamp_t <timestamp_t>` | CDP-generated timestamp when the record was last updated. |
Backtrace | sources | recommended | :ref:`string_t Array <string_t>` | Derived from OCSF User.backtrace. User.backtrace: This object is a key value set that relates each field in the user to the earliest raw event that gave DataBee that particular value in the correlation. For example, ``{'email_addr': 'email_activity.key=123456'}`` |
Start Time | start_time | required | :ref:`timestamp_t <timestamp_t>` | Derived from OCSF User.start_time. User.start_time: The start time when a particular state of the user became valid. |
Surname | surname | optional | :ref:`string_t <string_t>` | Derived from OCSF User.surname. User.surname: The last or family name for the user. |
Type | type | optional | :ref:`string_t <string_t>` | Derived from OCSF User.type. User.type: The type of the user. For example, System, AWS IAM User, etc. |
Type ID | type_id | recommended | :ref:`integer_t <integer_t>` | Derived from OCSF User.type_id. User.type_id: The account type identifier. |
Unique ID | uid | recommended | :ref:`string_t <string_t>` | Derived from OCSF User.uid. User.uid: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. |
ID | user_id | required | :ref:`integer_t <integer_t>` | Derived from OCSF User.id. User.id: The unique identifier used by DataBee for a specific user. This will be logged as ``user_id`` in activity tables to link to a particular user in this table. This field should not be mapped manually as the DataBee product populates this field itself. |
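
The ``start_time`` / ``end_time`` window described above lets an analyst attribute an activity event to the user state that was valid when the event occurred. The following is an added example, not DataBee's own code: the function names and sample rows are constructed, and it assumes that all states of one user share a ``user_id`` and that the window is half-open (``start_time`` inclusive, ``end_time`` exclusive).

```python
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO-8601 string into an aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample rows: three successive states of one user, one state of another.
USER_ROWS = [
    {"user_id": 7, "name": "janedoe1", "group_names": ["Finance"],
     "start_time": ts("2023-01-10T00:00:00"), "end_time": ts("2023-06-01T00:00:00")},
    {"user_id": 7, "name": "janedoe1", "group_names": ["Finance", "Domain Admins"],
     "start_time": ts("2023-06-01T00:00:00"), "end_time": ts("2023-09-15T00:00:00")},
    {"user_id": 7, "name": "janedoe1", "group_names": ["Finance"],
     "start_time": ts("2023-09-15T00:00:00"), "end_time": None},
    {"user_id": 9, "name": "svc-backup", "group_names": ["Backup Operators"],
     "start_time": ts("2022-03-01T00:00:00"), "end_time": None},
]

def state_at(rows, user_id, when):
    """Return the row whose [start_time, end_time) window contains `when`.

    A null end_time means the state is still current, so the window is open-ended.
    Returns None when no state of that user was valid at `when`.
    """
    for row in rows:
        if row["user_id"] != user_id:
            continue
        end = row["end_time"]
        if row["start_time"] <= when and (end is None or when < end):
            return row
    return None

def current_state(rows, user_id):
    """Return the open-ended state (end_time is null) for a user.

    More than one open-ended state for the same user_id is treated as a
    data-quality error (assumption drawn from the end_time description).
    """
    open_rows = [r for r in rows if r["user_id"] == user_id and r["end_time"] is None]
    if len(open_rows) > 1:
        raise ValueError(f"user_id {user_id} has {len(open_rows)} open-ended states")
    return open_rows[0] if open_rows else None
```

Resolving group membership through ``state_at`` rather than ``current_state`` matters during triage: an event from July 2023 in the sample data belongs to a period when the user held privileged group membership that the current record no longer shows.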