Version: 1.3.0

Username Type

Identity Analysis User Classification ASIM Compliance

Synopsis

An identity analysis processor that classifies usernames according to their format type following ASIM (Azure Sentinel Information Model) standards, supporting UPN, Windows, Distinguished Name, and Simple username formats for enhanced security analysis.

Schema

- username_type:
    description: <text>
    field: <ident>
    target_field: <ident>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field	Required	Default	Description
`field`	Y	-	Field containing the username to classify
`target_field`	N	`field`	Field to store the username type
`description`	N	-	Explanatory note
`if`	N	-	Condition to run
`ignore_failure`	N	`false`	Continue if classification fails
`ignore_missing`	N	`false`	Continue if source field doesn't exist
`on_failure`	N	-	See Handling Failures
`on_success`	N	-	See Handling Success
`tag`	N	-	Identifier

Details

The processor identifies username formats based on structural patterns and assigns appropriate ASIM-compliant type classifications. This enables consistent username analysis across different authentication systems and security platforms.

note

The processor follows ASIM standards for username type classification, ensuring compatibility with Azure Sentinel and other SIEM systems.

Username type detection uses pattern matching to identify format characteristics. UPN format contains "@" symbols, Windows format contains backslashes, Distinguished Names contain LDAP components, and Simple format represents basic usernames without special formatting.

The classification helps security analysts understand the authentication context and source system for better threat detection and user behavior analysis.

warning

Ensure username fields contain string values for accurate pattern matching and classification.

Examples

UPN Format Detection

Identifying User Principal Names...

{
  "user": "john.doe@company.com",
  "admin_user": "admin@domain.local"
}

- username_type:
    field: user
    target_field: user_type
- username_type:
    field: admin_user
    target_field: admin_type

classifies as UPN format:

{
  "user": "john.doe@company.com",
  "admin_user": "admin@domain.local",
  "user_type": "UPN",
  "admin_type": "UPN"
}

Windows Domain Format

Detecting Windows domain usernames...

{
  "logon_user": "DOMAIN\\jsmith",
  "service_account": "COMPANY\\svc-backup"
}

- username_type:
    field: logon_user
    target_field: logon_type
- username_type:
    field: service_account
    target_field: service_type

identifies Windows format:

{
  "logon_user": "DOMAIN\\jsmith",
  "service_account": "COMPANY\\svc-backup",
  "logon_type": "Windows",
  "service_type": "Windows"
}

Distinguished Name Format

Recognizing LDAP Distinguished Names...

{
  "ldap_user": "CN=John Smith,OU=Users,DC=company,DC=com",
  "group_dn": "CN=Administrators,OU=Groups,DC=domain,DC=local"
}

- username_type:
    field: ldap_user
    target_field: ldap_type
- username_type:
    field: group_dn
    target_field: group_type

classifies as Distinguished Name:

{
  "ldap_user": "CN=John Smith,OU=Users,DC=company,DC=com",
  "group_dn": "CN=Administrators,OU=Groups,DC=domain,DC=local",
  "ldap_type": "DN",
  "group_type": "DN"
}

Simple Username Format

Identifying simple usernames...

{
  "local_user": "administrator",
  "app_user": "api_service",
  "system_user": "root"
}

- username_type:
    field: local_user
    target_field: local_type
- username_type:
    field: app_user
    target_field: app_type
- username_type:
    field: system_user
    target_field: system_type

classifies as simple format:

{
  "local_user": "administrator",
  "app_user": "api_service",
  "system_user": "root",
  "local_type": "Simple",
  "app_type": "Simple",
  "system_type": "Simple"
}

Mixed Format Analysis

Processing various username formats...

{
  "auth_events": [
    {
      "username": "alice@company.com",
      "source": "Office365"
    },
    {
      "username": "CORP\\bob",
      "source": "ActiveDirectory"
    },
    {
      "username": "guest",
      "source": "Local"
    }
  ]
}

- foreach:
    field: auth_events
    processor:
      username_type:
        field: _ingest._value.username
        target_field: _ingest._value.username_type

adds type classification to each event:

{
  "auth_events": [
    {
      "username": "alice@company.com",
      "source": "Office365",
      "username_type": "UPN"
    },
    {
      "username": "CORP\\bob",
      "source": "ActiveDirectory",
      "username_type": "Windows"
    },
    {
      "username": "guest",
      "source": "Local",
      "username_type": "Simple"
    }
  ]
}

In-Place Classification

Replacing username with type classification...	`{ "user_identity": "CN=Service Account,OU=ServiceAccounts,DC=enterprise,DC=net" }` `- username_type: field: user_identity`
replaces with the detected type:	`{ "user_identity": "DN" }`

Synopsis​

Schema​

Configuration​

Details​

Examples​

UPN Format Detection​

Windows Domain Format​

Distinguished Name Format​

Simple Username Format​

Mixed Format Analysis​

In-Place Classification​