{
    "$id": "../observables/user-account.json",
    "$schema": "http://json-schema.org/draft-06/schema#",
    "title": "user-account",
    "description": "The User Account Object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.",
    "type": "object",
    "allOf": [
        {
            "$ref": "../common/cyber-observable-core.json"
        },
        {
            "properties": {
                "type": {
                    "type": "string",
                    "description": "The value of this property MUST be `user-account`.",
                    "const": "user-account"
                },
                "extensions": {
                    "$ref": "#/definitions/user-account-extensions-dictionary",
                    "description": "The User Account Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: unix-account-ext."
                },
                "user_id": {
                    "type": "string",
                    "description": "Specifies the identifier of the account."
                },
                "account_login": {
                    "type": "string",
                    "description": "Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they log in."
                },
                "account_type": {
                    "type": "string",
                    "description": "Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov vocabulary."
                },
                "display_name": {
                    "type": "string",
                    "description": "Specifies the display name of the account, to be shown in user interfaces, if applicable."
                },
                "is_service_account": {
                    "type": "boolean",
                    "description": "Indicates that the account is associated with a network service or system process (daemon), not a specific individual."
                },
                "is_privileged": {
                    "type": "boolean",
                    "description": "Specifies that the account has elevated privileges (e.g., root on Unix or the Windows Administrator account)."
                },
                "can_escalate_privs": {
                    "type": "boolean",
                    "description": "Specifies that the account has the ability to escalate privileges (e.g., an account with sudo rights on Unix or a Windows Domain Admin account)."
                },
                "is_disabled": {
                    "type": "boolean",
                    "description": "Specifies if the account is disabled."
                },
                "account_created": {
                    "$ref": "../common/timestamp.json",
                    "description": "Specifies when the account was created."
                },
                "account_expires": {
                    "$ref": "../common/timestamp.json",
                    "description": "Specifies the expiration date of the account."
                },
                "password_last_changed": {
                    "$ref": "../common/timestamp.json",
                    "description": "Specifies when the account password was last changed."
                },
                "account_first_login": {
                    "$ref": "../common/timestamp.json",
                    "description": "Specifies when the account was first accessed."
                },
                "account_last_login": {
                    "$ref": "../common/timestamp.json",
                    "description": "Specifies when the account was last accessed."
                }
            }
        }
    ],
    "required": [
        "user_id"
    ],
    "definitions": {
        "user-account-extensions-dictionary": {
            "type": "object",
            "patternProperties": {
                "^unix-account-ext$": {
                    "type": "object",
                    "description": "The unix-account-ext extension captures additional properties of an account on a UNIX system. At least one of gid, groups, home_dir, or shell MUST be present.",
                    "allOf": [
                        {
                            "properties": {
                                "gid": {
                                    "type": "number",
                                    "description": "Specifies the primary group ID of the account."
                                },
                                "groups": {
                                    "type": "array",
                                    "description": "Specifies a list of names of groups that the account is a member of.",
                                    "items": {
                                        "type": "string"
                                    },
                                    "minItems": 1
                                },
                                "home_dir": {
                                    "type": "string",
                                    "description": "Specifies the home directory of the account."
                                },
                                "shell": {
                                    "type": "string",
                                    "description": "Specifies the account’s command shell."
                                }
                            }
                        },
                        {
                            "anyOf": [
                                {
                                    "required": [
                                        "gid"
                                    ]
                                },
                                {
                                    "required": [
                                        "groups"
                                    ]
                                },
                                {
                                    "required": [
                                        "home_dir"
                                    ]
                                },
                                {
                                    "required": [
                                        "shell"
                                    ]
                                }
                            ]
                        }
                    ]
                }
            },
            "additionalProperties": {
                "$ref": "../common/dictionary.json",
                "description": "Custom user account extension"
            }
        },
        "account-type-ov": {
            "type": "string",
            "enum": [
                "unix",
                "windows local",
                "windows domain",
                "ldap",
                "tacacs",
                "radius",
                "nis",
                "openid",
                "facebook",
                "skype",
                "twitter",
                "kavi"
            ]
        }
    }
}