User Account
The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object.
Properties
Required Common Properties
type, id
Optional Common Properties
spec_version, object_marking_refs, granular_markings, defanged, extensions
Not Applicable
created_by_ref, revoked, labels, confidence, lang, external_references
User Account Specific
extensions, user_id, credential, account_login, account_type, display_name, is_service_account, is_privileged, can_escalate_privs, is_disabled, account_created, account_expires, credential_last_changed, account_first_login, account_last_login
| Property | Type | Description |
|---|---|---|
| `type` (required) | string | The value of this property MUST be `user-account`. |
| `extensions` (optional) | | The User Account Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: `unix-account-ext`. |
| `user_id` (optional) | string | Specifies the identifier of the account. |
| `credential` (optional) | string | Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII. |
| `account_login` (optional) | string | Specifies the account login string, used in cases where the `user_id` property specifies something other than what a user would type when they log in. |
| `account_type` (optional) | string | Specifies the type of the account. This is an open vocabulary and values SHOULD come from the `account-type-ov` vocabulary. |
| `display_name` (optional) | string | Specifies the display name of the account, to be shown in user interfaces, if applicable. |
| `is_service_account` (optional) | boolean | Indicates that the account is associated with a network service or system process (daemon), not a specific individual. |
| `is_privileged` (optional) | boolean | Specifies that the account has elevated privileges (e.g., root on Unix or the Windows Administrator account). |
| `can_escalate_privs` (optional) | boolean | Specifies that the account has the ability to escalate privileges (e.g., sudo on Unix or a Windows Domain Admin account). |
| `is_disabled` (optional) | boolean | Specifies whether the account is disabled. |
| `account_created` (optional) | string | Specifies when the account was created. |
| `account_expires` (optional) | string | Specifies the expiration date of the account. |
| `credential_last_changed` (optional) | string | Specifies when the account credential was last changed. |
| `account_first_login` (optional) | string | Specifies when the account was first accessed. |
| `account_last_login` (optional) | string | Specifies when the account was last accessed. |
Examples
Basic UNIX Account
```json
{
  "type": "user-account",
  "spec_version": "2.1",
  "id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c",
  "user_id": "1001",
  "account_login": "jdoe",
  "account_type": "unix",
  "display_name": "John Doe",
  "is_service_account": false,
  "is_privileged": false,
  "can_escalate_privs": true,
  "account_created": "2016-01-20T12:31:12Z",
  "credential_last_changed": "2016-01-20T14:27:43Z",
  "account_first_login": "2016-01-20T14:26:07Z",
  "account_last_login": "2016-07-22T16:08:28Z"
}
```
Basic Twitter Account
```json
{
  "type": "user-account",
  "spec_version": "2.1",
  "id": "user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba",
  "user_id": "thegrugq_ebooks",
  "account_login": "thegrugq_ebooks",
  "account_type": "twitter",
  "display_name": "the grugq"
}
```
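The following validator is an added example, not part of the specification or any STIX library: it checks an incoming `user-account` object against the rules stated above (fixed `type`, at least one account-specific property, the "Not Applicable" properties absent, booleans and timestamps well typed) and flags any `credential` value so a reviewer can confirm it is malware-analysis metadata rather than PII. The `BAD` object and its placeholder `id` are constructed for the demonstration; the timestamp format is assumed from the examples.

```python
from datetime import datetime

# Property groups as listed in the table above.
NOT_APPLICABLE = {"created_by_ref", "revoked", "labels", "confidence",
                  "lang", "external_references"}
STRINGS = {"user_id", "credential", "account_login", "account_type", "display_name"}
BOOLEANS = {"is_service_account", "is_privileged", "can_escalate_privs", "is_disabled"}
TIMESTAMPS = {"account_created", "account_expires", "credential_last_changed",
              "account_first_login", "account_last_login"}
SPECIFIC = STRINGS | BOOLEANS | TIMESTAMPS | {"extensions"}


def is_utc_timestamp(value) -> bool:
    """Accept only the 'YYYY-MM-DDTHH:MM:SS[.fff]Z' form used by the examples (assumed)."""
    if not isinstance(value, str) or not value.endswith("Z"):
        return False
    try:
        datetime.fromisoformat(value[:-1] + "+00:00")
    except ValueError:
        return False
    return True


def validate_user_account(obj: dict) -> list:
    """Return the list of rule violations; an empty list means the object passes."""
    problems = []
    if obj.get("type") != "user-account":
        problems.append("type must be 'user-account'")
    if not str(obj.get("id", "")).startswith("user-account--"):
        problems.append("id is required and must start with 'user-account--'")
    if not obj.keys() & SPECIFIC:
        problems.append("at least one user-account specific property is required")
    for name in sorted(obj.keys() & NOT_APPLICABLE):
        problems.append(f"{name} is not applicable to user-account")
    for name in sorted(obj.keys() & STRINGS):
        if not isinstance(obj[name], str):
            problems.append(f"{name} must be a string")
    for name in sorted(obj.keys() & BOOLEANS):
        if not isinstance(obj[name], bool):
            problems.append(f"{name} must be a boolean")
    for name in sorted(obj.keys() & TIMESTAMPS):
        if not is_utc_timestamp(obj[name]):
            problems.append(f"{name} must be a UTC timestamp such as 2016-01-20T12:31:12Z")
    if "credential" in obj:  # cleartext secret: needs a human decision before it is shared
        problems.append("credential holds a cleartext secret; confirm it is malware-analysis metadata, not PII")
    return problems


# Constructed samples: a trimmed copy of the Basic UNIX Account example, and one malformed object.
GOOD = {"type": "user-account", "spec_version": "2.1",
        "id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c", "user_id": "1001",
        "account_login": "jdoe", "account_type": "unix", "is_privileged": False,
        "account_created": "2016-01-20T12:31:12Z"}
BAD = {"type": "user-account", "id": "user-account--00000000-0000-0000-0000-000000000000",  # placeholder id
       "labels": ["x"], "is_privileged": "yes", "account_last_login": "2016-07-22 16:08:28",
       "credential": "hunter2"}

if __name__ == "__main__":
    for obj in (GOOD, BAD):
        print(obj["id"], validate_user_account(obj) or ["ok"])
```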