User Entity Attributes

Get Started with Attack Surface Insights
Configure Attack Surface Insights
- Restrict Entity Creation
  - Pre-Built Enrichment Rules Restricting Entity Creation
  - Restrict Entity Creation Using a Custom Enrichment Rule
- Custom Linking for User Entities
  - Apply Custom Linking Updates to an Existing User Entity
Search for Entities in Attack Surface Insights
- Build a Search in Attack Surface Insights
- Enter a Search in Attack Surface Insights
View Entities in Attack Surface Insights
Manage Entities in Attack Surface Insights
- Edit Entities in Attack Surface Insights
  - Manually Edit Entities in Attack Surface Insights
  - Automatically Edit Entities in Attack Surface Insights
- Delete Entities in Attack Surface Insights
  - Delete an Entity
  - Delete Multiple Entities
Entity Attributes
- User Entity Attributes
- Device Entity Attributes

Review all attributes available in Attack Surface Insights for user entities.

Entity Attribute	Machine Name	Definition	Example	Source
Full Name	`full_name`	The printable display name for the user, usually represented as a combination of first name, middle initial, and last name.	Barbara Salazar	Context
Source	`context_source` for entity attributes derived from context data.	The sources from where the entity attributes are derived.	Event AD EntraID	Event or Context
User Name	`user_name`	The user names associated with the user. To derive the username from an event, Attack Surface Insights considers certain event fields in a specific order: `domain_user_name`; in the format <user>@<domain> or <user> - <database name> `local_user_name`; in the format <user> - <source host or platform> `account_user_name`; in the format <account>@<domain or destination domain> `database_user_name`; in the format <user>@<domain or destination domain> `dest_domain_user_name`; in the format <user>@<destination domain> `dest_local_user_name`; in the format <user> - <source host> The first event field with a value is considered the username.	barbara.salazar	Event
Email Address	`email_address`	The email addresses associated with the user.	[email protected]	Event
First Name	`first_name`	The given name for the user.	Barbara	Context
Last Name	`last_name`	The surname or family name for the user.	Salazar	Context
Mobile Number	`mobile_number`	The primary cellular telephone number for the user.	+1 123 456 7890	Context
Security Criticality	`security_criticality`	The level of potential organizational risk if the entity becomes compromised.	High	Attack Surface Insights
Tags	`tags`	Labels or keywords you create and add to entities to categorize them or indicate they have a certain characteristic.	Privileged User	Attack Surface Insights
Badge ID	`badge_id`	The badge ID in the event associated with the user.	C102230	Event
Employee ID	`employee_id`	The code used to identify that the user works for a company.	ISED0003	Event
Phone Number	`phone_number`	The primary work phone number for the user.	+1 123 456 7890	Context
Department	`department`	Name of the department in which the user works.	Engineering	Context
Department Number	`department_number`	A number used to identify a department within an organization.	1100	Context
Title	`title`	The formal job title for the user. Not typically used to indicate occupational class, like programmer; or for titles with suffixes like Esq. or DDS.	Senior Programmer	Context
Manager	`manager`	The manager to whom a user reports.	Tu Peterson	Context
Country	`country`	Country or region where the user is located.	US	Context
City	`city`	A locality, such as a town or city, in the user's address.	Philadelphia	Context
Employee Type	`employee_type`	An employment category for an employee.	Contractor	Context
Division	`division`	The division of the company in which the user works.	R&D	Context
Lockout	`lockout_status`	Whether the user is locked out of their accounts.	Unlocked	Event
Is Active	`is_active`	Whether the user has successfully logged into an account within the last 12 hours.	True	Event
Current Logged Endpoint	`current_logged_endpoint`	The endpoint into which the user is currently logged in.	Barbaras-MacBook-Pro	Event
Last Logged Endpoint	`last_logged_endpoint`	The endpoint into which the user was most recently logged in.	src_host_name	Event
Is On VPN	`is_logged_to_vpn`	Whether the user is currently connected to VPN.	Connected	Event
Last Password Reset	`last_password_reset`	The time when the last user last reset their password.	10/26/2023, 3:37:23 PM	Event
First Seen	`first_seen`	The time when the user was first seen.	10/26/2023, 3:37:23 PM	Event
Last Seen	`last_seen`	The time when the user was last seen.	10/26/2023, 3:37:23 PM	Event
Last Badge Access	`last_badge_access`	The location and time when the user last used their badge to access a physical location.	Pune 10/26/2023, 3:37:23 PM	Context
User SID	`user_sid`	A unique security identifier for a security principal object. Calculated based on a binary value that specifies a unique security identifier for the security pricipal object.	A-1-2-34-567890123-4567890123-4567890123-456789	Event
Event ID	`event_id`	The ID of the event that created the user entity.	12a34567-b8c9-01de-2fgh-3i45i6j7k89l	Event
Account Status	`access_status`	Whether an account associated with the user is active, expired, locked out, disabled, or has an expired password.	Account Active Password Expired Account Lockout Account Disabled Account Expired	Context
Rule Name	`rule_name`	The Attack Surface Insights rule that determined the security criticality and tags for the user entity.	Privileged Users	Attack Surface Insights
Link Method	`link_method`	Added to user entity attributes when an identifier is linked to a user entity as an account. The method used to link the account with the user entity.	SID_MATCH CONTEXT_PREFIX_UPN CONTEXT_PREFIX_HYPHEN CONTEXT_DIRECT_MATCH ENTITY_STORE_PREFIX_SCAN MANUAL_LINK	Attack Surface Insights
Link Context Field	`link_context_field`	Added to user entity attributes when an identifier is linked to a user entity as an account. The context field that matched the identifying entity attribute.	u_user_name	Attack Surface Insights
Link Source Key	`link_source_key`	Added to user entity attributes when an identifier is linked to a user entity as an account. The identifying entity attribute that matched the context field.	username	Attack Surface Insights
Link Matched Value	`link_matched_value`	Added to user entity attributes when an identifier is linked to a user entity as an account. The actual value that matched in both the entity and context.	barbara	Attack Surface Insights
Link Entity ID	`link_entity_id`	Added to user entity attributes when an identifier is linked to a user entity as an account. The internal ID of the entity to which the account is linked.	sub123#UXIbarbara	Attack Surface Insights
Link Context Source	`link_context_source`	Added to user entity attributes when an identifier is linked to a user entity as an account. The context source of the context field.	AD Context Entity	Attack Surface Insights
Link Context Table Name	`link_context_table_name`	Added to user entity attributes when an identifier is linked to a user entity as an account. The name of the context table where the context field was stored.	User Entity Links	Attack Surface Insights
Link Context Table ID	`link_context_table_id`	Added to user entity attributes when an identifier is linked to a user entity as an account. The internal ID of the context table.		Attack Surface Insights
Link Timestamp	`link_timestamp`	Added to user entity attributes when an identifier is linked to a user entity as an account. When the link was created. Displayed as a date and time. The machine field value is a Unix timestamp in milliseconds.	3/9/2024, 11:00:00 AM 1710093600000	Attack Surface Insights

Attack Surface InsightsAttack Surface Insights Guide

Table of ContentsTable of Contents

User Entity Attributes