User Object
The user object describes the identity of a user, including administrative group membership.
Name | Attribute | Requirement | Type | Description |
---|---|---|---|---|
Account Disabled (Ext) | account_disabled | Optional | Boolean | The indication of whether the user's account is disabled. |
Cloud Resource ID (Ext) | cloud_resource_uid | Optional | String | The cloud resource unique identifier of this user. For example: the Amazon ARN. |
Domain | domain | Recommended | String | The domain where the user is defined. For example: the LDAP or Active Directory domain. |
External Account ID (Ext) | external_account_uid | Optional | String | The user's external account unique identifier. |
External ID (Ext) | external_uid | Optional | String | The user's external unique identifier. |
Full Name (Ext) | full_name | Optional | String | The full name of the user. |
Groups (Ext) | groups | Optional | String Array | The administrative groups to which the user belongs. |
Home (Ext) | home | Optional | String | The user's home directory. |
Admin Session | is_admin | Recommended | Boolean | The indication of whether the user or user session is admin/root. |
Logon Name | logon_name | Recommended | String | The name of the authenticated principal that is associated with the event. If the event originates from a feature on a computer, the logon_name is the name of the user that the software feature is running as, for example, “root” or “admin”. If the event originates from a mobile device, the logon_name is the user name reported by the OS. |
Name | name | Recommended | String | The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred. |
Password Expires (Ext) | password_expires | Optional | Boolean | The indication of whether the user's password is configured to expire. |
Shell (Ext) | shell | Optional | String | The user's login shell. |
Security ID (Ext) | sid | Optional | String | The user security identifier (SID). The SID is a unique value of variable length used to identify a trustee. Each user account has a SID issued by an authority, such as a Windows domain controller, and stored in a security database. |
ID (Ext) | uid | Recommended | String | The unique identifier of the user associated with the event. |