GIM Category: iam
The Identity and Access Management (IAM) category covers events where accounts, groups, and related objects are created, modified, enabled, disabled, or deleted. It includes administrative actions such as privilege assignment, password resets, and changes to group membership or properties.
IAM events are account-centric: each event must identify the account being acted upon (user_name), and in most cases, the initiating account (source_user_name). These events are highly security-relevant because they directly reflect changes to identities and their access capabilities.
object create
Object create events record the creation of IAM objects such as user accounts or groups. These events identify both the target account or group (user_name) and the actor that initiated the operation (source_user_name).
Mapping guidance:
- Use this subcategory when the directory, identity provider, or management API reports that an object was created. Do not use this for property changes on existing objects (see object modify).
- If a platform emits separate events for request/approval and final creation, map the final creation to 'account created' or 'group created' and map earlier workflow steps to your vendor-specific fields; do not use object create for pending states.
- Service-initiated provisioning (for example, automated sync from HRIS) should still be mapped to object create; the initiating service account should populate source_user_name.
Required Fields
- source_user_name
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 110000 | iam | iam | iam.object create | account created | An account was created |
| 110001 | iam | iam | iam.object create | error | An error was encountered when creating an account |
| 110002 | iam | iam | iam.object create | group created | A group was created |
object delete
Object delete events record the removal of IAM objects such as user accounts or groups. These events identify both the account or group being removed (user_name) and the actor that initiated the deletion (source_user_name).
Mapping guidance:
- Use this subcategory only when the directory, identity provider, or management API confirms that an object has been deleted.
- Do not use this for accounts that are disabled or locked; see the object disable subcategory instead.
- For platforms that support staged deletion (soft delete), map the final deletion event here. Retention, recycle-bin, or disable operations should not be mapped to object delete.
Required Fields
- source_user_name
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 110500 | iam | iam | iam.object delete | account deleted | An account was deleted |
| 110501 | iam | iam | iam.object delete | group deleted | A group account was deleted |
object modify
Object modify events capture changes to IAM objects such as user accounts or groups. These include updates to account properties, group properties, privilege assignments or removals, password changes or resets, and group membership changes.
Mapping guidance:
- Use this subcategory for modifications that alter an account's attributes or group relationships without creating, deleting, enabling, or disabling the object.
- Privilege assignments and removals, group membership changes, and password resets should all be mapped here.
- Use object enable/disable for changes to account status, and object delete for removal of objects.
Required Fields
- source_user_name
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 111000 | iam | iam | iam.object modify | account modified | An account was modified |
| 111001 | iam | iam | iam.object modify | privileges assigned | Privileges were assigned to an account |
| 111002 | iam | iam | iam.object modify | privileges removed | Privileges were removed from an account |
| 111003 | iam | iam | iam.object modify | account renamed | An account was renamed |
| 111004 | iam | iam | iam.object modify | password change | An account password was changed |
| 111005 | iam | iam | iam.object modify | administrative password reset | An administrative account has reset a password for another account |
| 111006 | iam | iam | iam.object modify | error | An error was encountered when an attempt was made to modify an account |
| 111007 | iam | iam | iam.object modify | group member added | A group member was added to a group |
| 111008 | iam | iam | iam.object modify | group member removed | A group member was removed from a group |
| 111009 | iam | iam | iam.object modify | group properties modified | The properties of a group were modified |
object disable
Object disable events record when IAM objects such as user accounts are made inactive. This includes temporary account locks (for example, due to repeated failed logon attempts) and administrative disablement actions performed by an operator.
Mapping guidance:
- Use this subcategory for directory or identity provider events that mark an account as unusable without deleting it.
- Do not use this for session termination (logoff) or for permanent account deletion; see the corresponding subcategories instead.
Required Fields
- source_user_name
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 111500 | iam | iam | iam.object disable | account locked | An account was locked |
| 111501 | iam | iam | iam.object disable | account disabled | An account was administratively disabled |
object enable
Object enable events record when IAM objects such as user accounts are reactivated or unlocked after being previously disabled. This includes administrative actions that enable accounts as well as system-driven unlocks.
Mapping guidance:
- Use this subcategory when an existing account is made active again, either through an administrative action or an automatic unlock.
- Do not use this for new account creation; see the object create subcategory instead.
Required Fields
- source_user_name
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 112000 | iam | iam | iam.object enable | account unlocked | An account was unlocked |
| 112001 | iam | iam | iam.object enable | account enabled | An account was administratively enabled |
| 112002 | iam | iam | iam.object enable | error | An error was encountered when an attempt to enable an account was made |
information
Information events provide context about IAM objects or directory state without representing a create, modify, delete, enable, or disable action. These events often reflect queries or enumerations, such as listing group memberships.
Although categorized as informational, these events can still be security-relevant. For example, group membership enumeration may indicate reconnaissance or privilege review activity.
Required Fields
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 119500 | iam | iam | iam.information | group membership enumerated | A group's members were enumerated |
default
The default subcategory is a fallback for IAM-related events that do not clearly fit into another defined subcategory. It should be used sparingly, and only when no more specific mapping is available.
Use the information subcategory (95) for events that provide context such as enumeration or queries. Use the default subcategory only for events that cannot be classified elsewhere in the IAM model.
Required Fields
- user_name
Optional Fields
- user_domain
- user_type
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 119999 | iam | iam | iam.default | iam message | IAM default message |
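As an added worked example (not part of the GIM specification or any vendor content pack), the normalizer below maps constructed Windows Security event records onto the iam codes, subcategories and required fields defined in the tables above, including the fallback to iam.default and the rule that lockouts are object disable rather than object delete. The pairing of Windows event IDs with GIM codes and the input field names TargetUserName, SubjectUserName and TargetDomainName are this example's assumptions.

```python
# GIM iam event type codes from this page: code -> (subcategory, event type).
GIM_IAM = {
    110000: ("iam.object create", "account created"),
    110002: ("iam.object create", "group created"),
    110500: ("iam.object delete", "account deleted"),
    111005: ("iam.object modify", "administrative password reset"),
    111007: ("iam.object modify", "group member added"),
    111500: ("iam.object disable", "account locked"),
    111501: ("iam.object disable", "account disabled"),
    119500: ("iam.information", "group membership enumerated"),
    119999: ("iam.default", "iam message"),
}

# Assumed vendor pairing (this example's, not the page's): standard Windows
# Security event IDs -> GIM code. Following the guidance above, a lockout
# (4740) is object disable, not delete, and enumeration (4799) is information.
WINDOWS_TO_GIM = {
    4720: 110000, 4731: 110002, 4726: 110500, 4724: 111005,
    4728: 111007, 4740: 111500, 4725: 111501, 4799: 119500,
}

# Subcategories whose only required field is user_name (see the tables above).
USER_ONLY = {"iam.information", "iam.default"}

def normalize(win_event):
    """Return GIM iam fields for one parsed Windows event dict; raise ValueError if a required field is absent."""
    code = WINDOWS_TO_GIM.get(win_event["EventID"], 119999)  # unknown -> iam.default
    subcategory, event_type = GIM_IAM[code]
    gim = {
        "gim_event_type_code": code,
        "gim_event_class": "iam",
        "gim_event_category": "iam",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
        "user_name": win_event.get("TargetUserName"),          # account acted upon
        "source_user_name": win_event.get("SubjectUserName"),  # initiating account
        "user_domain": win_event.get("TargetDomainName"),
    }
    required = ["user_name"] if subcategory in USER_ONLY else ["user_name", "source_user_name"]
    missing = [f for f in required if not gim[f]]
    if missing:
        raise ValueError(f"GIM {code}: missing required field(s) {missing}")
    return gim

# Constructed sample records (not real logs): creation, lockout reported by the DC, enumeration.
SAMPLES = [
    {"EventID": 4720, "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    {"EventID": 4740, "SubjectUserName": "DC01$", "TargetUserName": "jdoe", "TargetDomainName": "CORP"},
    {"EventID": 4799, "SubjectUserName": "svc_scan", "TargetUserName": "Administrators", "TargetDomainName": "Builtin"},
]
```

Running `normalize` over `SAMPLES` yields 110000, 111500 and 119500 respectively; a creation event with no SubjectUserName is rejected because object create requires source_user_name, while the same omission on an information event is accepted.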
