You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/normalization-about-schemas.md
+15-2Lines changed: 15 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -99,13 +99,15 @@ Each schema explicitly defines the central entities and entity fields. The follo
99
99
100
100
Users are central to activities reported by events. The fields listed in this section are used to describe the users involved in the action. Prefixes are used to designate the role of the user in the activity. The prefixes `Src` and `Dst` are used to designate the user role in network related events, in which a source system and a destination system communicate. The prefixes 'Actor' and 'Target' are used for system oriented events such as process events.
101
101
102
-
#### The user ID
102
+
#### The user ID and scope
103
103
104
104
| Field | Class | Type | Description |
105
105
|-------|-------|------|-------------|
106
106
| <a name="userid"></a>**UserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the user. |
107
+
| <a name="userscope"></a>**UserScope** | Optional | string | The scope in which the user is defined. For example, an AAD tenant for. The scope type is tightly coupled to the user ID type, and therefore the [UserIdType](#useridtype) field represents also the type of the associated with this field. |
107
108
| <a name="useridtype"></a>**UserIdType** | Optional | UserIdType | The type of the ID stored in the [UserId](#userid) field. |
108
-
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store additional user IDs, if the original event includes multiple user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid).
109
+
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid). Populate the relevant specific ID field, in addition to [UserId](#userid), even if the event has only one ID. |
110
+
| **UserSid**, **UserAWSAccount** | Optional | String | Fields used to store specific scopes. Use the [UserScope](#userscope) field for the scope associated with the ID stored in the [UserId](#userid) field. Populate the relevant specific scope field, in addition to [UserScope](#userscope), even if the event has only one ID. |
109
111
110
112
The allowed values for a user ID type are:
111
113
@@ -117,6 +119,17 @@ The allowed values for a user ID type are:
117
119
| **OktaId** | An Okta user ID. | `00urjk4znu3BcncfY0h7` |
118
120
| **AWSId** | An AWS user ID. | `72643944673` |
119
121
122
+
#### The user scope
123
+
124
+
The user context defines the sc
125
+
126
+
| Field | Class | Type | Description |
127
+
|-------|-------|------|-------------|
128
+
| <a name="userscope"></a>**UserContext** | Optional | string | The context in which the user is defined
129
+
| <a name="usercontexttype"></a>**UserContextType** | Optional | UserContextType | The type of the ID stored in the [UserId](#userid) field. |
130
+
| **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId** | Optional | String | Fields used to store additional user IDs, if the original event includes multiple user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid).
0 commit comments