From b9dc0a5a4b61b6d18341aec93bb7f06cc1b9489a Mon Sep 17 00:00:00 2001
From: santiago The time when the logging system collected and logged the event. The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. A timespan may also be defined by its time interval boundaries, cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.","caption":"Back Ups Configured","type_name":"Boolean"},"keyboard_subtype":{"type":"integer_t","description":"The keyboard numeric code.","caption":"Keyboard Subtype","type_name":"Integer"},"udid":{"type":"string_t","description":"The Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS, tvOS, watchOS and visionOS devices, this is the UDID. For macOS devices, it is the Provisioning UDID. For example: 00008020-008D4548007B4F26","references":[{"description":"Apple Wiki","url":"https://theapplewiki.com/wiki/UDID"}],"caption":"Unique Device Identifier","type_name":"String"},"flag_history":{"type":"string_t","description":"The Connection Flag History summarizes events in a network connection. For example flags ShAD representing SYN, SYN/ACK, ACK and Data exchange.","references":[{"description":"Zeek History","url":"https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html#detailed-interface:~:text=Records%20the%20state%20history%20of%20connections%20as%20a%20string%20of%20letters.%20The%20meaning%20of%20those%20letters%20is"}],"caption":"Connection Flag History","type_name":"String"},"developer_uid":{"type":"string_t","description":"The developer ID on the certificate that signed the file.","caption":"Developer UID","type_name":"String"},"state_id":{"type":"integer_t","enum":{"0":{"description":"The state is unknown.","caption":"Unknown"},"99":{"description":"The state is not mapped. See the state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized state ID of the event or object. See specific usage.","caption":"State ID","sibling":"state","type_name":"Integer"},"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like severity_id.
The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.","object_type":"vendor_attributes","caption":"Vendor Attributes","object_name":"Vendor Attributes"},"egid":{"type":"integer_t","description":"The effective group under which this process is running.","caption":"Effective Group ID","type_name":"Integer"},"privilege_attack_info_list":{"type":"object_t","description":"A list of privilege-to-attack mappings.","is_array":true,"object_type":"privilege_attack_info","caption":"Privilege Attack Info List","object_name":"Privilege Attack Info"},"physical_width":{"type":"integer_t","description":"The numeric physical width of display.","caption":"Physical Width","type_name":"Integer"},"logout_endpoint":{"type":"url_t","description":"URL for initiating a logout request. See specific usage.","caption":"Logout Endpoint","type_name":"URL String"},"modified_time":{"type":"timestamp_t","description":"The time when the object was last modified. See specific usage.","caption":"Modified Time","type_name":"Timestamp"},"encoding":{"type":"string_t","description":"The encoding method, normalized to the caption of the encoding_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"Encoding","type_name":"String"},"http_headers":{"type":"object_t","description":"Additional HTTP headers of an HTTP request or response.","is_array":true,"object_type":"http_header","caption":"HTTP Headers","object_name":"HTTP Header"},"is_src_dst_assignment_known":{"type":"boolean_t","description":"true denotes that src_endpoint and dst_endpoint correctly identify the initiator and responder respectively. false denotes that the event source has arbitrarily assigned one peer to src_endpoint and the other to dst_endpoint, in other words that initiator and responder are not being asserted. This can occur, for example, when the event source is a network appliance that has not observed the initiation of a given connection. In the absence of this attribute, interpretation of the initiator and responder is implementation-specific.","caption":"Source/Destination Assignment Known","type_name":"Boolean"},"ext":{"type":"string_t","description":"The extension. See specific usage.","caption":"Extension","type_name":"String"},"dispersion":{"type":"integer_t","description":"The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.","caption":"Root Dispersion","type_name":"Integer"},"ja3s_hash":{"type":"object_t","description":"The MD5 hash of a JA3S string.","object_type":"fingerprint","caption":"JA3S Hash","object_name":"Fingerprint"},"win/service_dll_file":{"type":"object_t","description":"For a shared user mode service (service_type_id is 4) this is the DLL that gets loaded by the generic service host process (e.g. svchost.exe) to implement the service.","extension":"win","extension_id":2,"object_type":"file","caption":"Service DLL","object_name":"File"},"cc_mailboxes":{"type":"string_t","description":"The human-readable email header Cc Mailbox values. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"caption":"Cc Mailboxes","type_name":"String"},"app_protocol_name":{"type":"string_t","description":"The application protocol name. See specific usage.","caption":"Application Protocol Name","type_name":"String"},"cvss":{"type":"object_t","description":"The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.","is_array":true,"object_type":"cvss","caption":"CVSS Score","object_name":"CVSS Score"},"query_string":{"type":"string_t","description":"The query portion of the URL. For example: the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date.","caption":"HTTP Query String","type_name":"String"},"role_id":{"type":"integer_t","enum":{"0":{"description":"The role is unknown.","caption":"Unknown"},"99":{"description":"The role is not mapped. See the role attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of an entity's role in the context of the event or finding. See specific usage.","caption":"Role ID","sibling":"role","type_name":"Integer"},"environment_variables":{"type":"object_t","description":"An array of environment variables.","is_array":true,"object_type":"environment_variable","caption":"Environment Variables","object_name":"Environment Variable"},"permission":{"type":"string_t","description":"The IAM permission related to an event","caption":"Permission","type_name":"String"},"win/load_order_group":{"type":"string_t","description":"The name of the load ordering group of which this service is a member.","extension":"win","extension_id":2,"caption":"Load Order Group","type_name":"String"},"vulnerabilities":{"type":"object_t","description":"This object describes vulnerabilities reported in a security finding.","is_array":true,"object_type":"vulnerability","caption":"Vulnerabilities","object_name":"Vulnerability Details"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"kernel_release":{"type":"string_t","description":"The kernel release of the operating system. On Unix-based systems, this is determined from the uname -r command output, for example \"5.15.0-122-generic\".","caption":"Kernel Release","type_name":"String"},"percentile":{"type":"float_t","description":"The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.","caption":"EPSS Percentile","type_name":"Float"},"last_authentication_time_dt":{"type":"datetime_t","description":"The timestamp when this identity last successfully authenticated to any system or service. See specific usage.","caption":"Last Authentication Time","type_name":"Datetime"},"is_shared":{"type":"boolean_t","description":"The event occurred on a shared device.","caption":"Shared Device","type_name":"Boolean"},"related_component":{"type":"string_t","description":"The package URL (PURL) of the component that this software component has a relationship with.","caption":"Related Component","type_name":"String"},"boot_time":{"type":"timestamp_t","description":"The time when the system was booted.","caption":"Boot Time","type_name":"Timestamp"},"num_volumes":{"type":"integer_t","description":"The number of volumes in the storage device. See specific usage.","caption":"Number of Volumes","type_name":"Integer"},"logged_time_dt":{"type":"datetime_t","description":"service_type attribute, which contains an event source specific value.","caption":"Other"},"4":{"description":"A user mode service that shares a process with other services.","caption":"Share Process"}},"description":"The normalized identifier of the service type.","extension":"win","extension_id":2,"caption":"Service Type ID","sibling":"service_type","type_name":"Integer"},"ai_model":{"type":"object_t","description":"The AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.","object_type":"ai_model","caption":"AI Model","object_name":"AI Model"},"processed_time":{"type":"timestamp_t","description":"The event processed time, such as an ETL operation.","caption":"Processed Time","type_name":"Timestamp"},"title":{"type":"string_t","description":"The title of an entity. See specific usage.","caption":"Title","type_name":"String"},"zone":{"type":"string_t","description":"The network zone or LAN segment. See specific usage.","caption":"Network Zone","type_name":"String"},"package_manager_url":{"type":"url_t","description":"The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as AWS CodeArtifact or Artifactory.","caption":"Package Manager URL","type_name":"URL String"},"ptid":{"type":"long_t","description":"The identifier of the process thread associated with the event, as returned by the operating system.","caption":"Process Thread ID","type_name":"Long"},"sans":{"type":"object_t","description":"The list of subject alternative names that are secured by a specific certificate.","is_array":true,"object_type":"san","caption":"Subject Alternative Names","object_name":"Subject Alternative Name"},"cis_benchmark":{"type":"object_t","description":"The CIS Benchmark describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security (CIS).","object_type":"cis_benchmark","caption":"CIS Benchmark","@deprecated":{"message":"Use Compliance object with Check object instead.","since":"1.5.0"},"object_name":"CIS Benchmark"},"start_column":{"type":"integer_t","description":"The start column number. See specific usage.","caption":"Start Column","type_name":"Integer"},"uid":{"type":"string_t","description":"The unique identifier. See specific usage.","caption":"Unique ID","type_name":"String"},"tag":{"type":"string_t","description":"The image tag. For example: 1.11-alpine.","caption":"Image Tag","type_name":"String","@deprecated":{"message":"Use the labels or tags attribute instead.","since":"1.4.0"}},"continent":{"type":"string_t","description":"The name of the continent.","caption":"Continent","type_name":"String"},"phase":{"type":"string_t","description":"The cyber kill chain phase.","caption":"Kill Chain Phase","type_name":"String"},"observation_point_id":{"type":"integer_t","enum":{"0":{"caption":"Unknown"},"99":{"caption":"Other"}},"description":"The normalized identifier of the observation point. See specific usage.","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"win/reg_key":{"type":"object_t","description":"The registry key.","extension":"win","extension_id":2,"object_type":"win/reg_key","caption":"Registry Key","object_name":"Registry Key"},"threat_actor":{"type":"object_t","description":"A threat actor is an individual or group that conducts malicious cyber activities, often with financial, political, or ideological motives.","references":[{"description":"STIX Threat Actor definition","url":"https://stixproject.github.io/data-model/1.2/ta/ThreatActorType/"}],"object_type":"threat_actor","caption":"Threat Actor","object_name":"Threat Actor"},"rdata":{"type":"string_t","description":"The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.","caption":"DNS RData","type_name":"String"},"tenant_uid":{"type":"string_t","description":"The unique tenant identifier.","caption":"Tenant UID","type_name":"String"},"scan":{"type":"object_t","description":"The Scan object describes characteristics of a scan. See specific usage.","object_type":"scan","caption":"Scan","object_name":"Scan"},"query_language_id":{"type":"integer_t","enum":{"0":{"description":"The Query Language is unknown.","caption":"Unknown"},"99":{"description":"The Query Language is not mapped. See the query_language attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the query language. See specific usage.","caption":"Query Language ID","sibling":"query_language","type_name":"Integer"},"working_directory":{"type":"string_t","description":"The working directory of a process.","caption":"Working Directory","type_name":"String"},"cmd_line":{"type":"string_t","description":"The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.","caption":"Command Line","type_name":"String","observable":13},"parent_folder":{"type":"string_t","description":"The parent folder in which the file resides. For example: c:\\windows\\system32","caption":"Parent Folder","type_name":"String"},"policies":{"type":"object_t","description":"An array of Policy objects.","is_array":true,"object_type":"policy","caption":"Policies","object_name":"Policy"},"section_a":{"type":"string_t","description":"The 'a' section of the JA4 fingerprint.","caption":"JA4 Section A","type_name":"String"},"from_mailbox":{"type":"string_t","description":"The human-readable email header From Mailbox value. For example 'Example User <example.user@usersdomain.com>'.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"caption":"From Mailbox","type_name":"String"},"response_time_dt":{"type":"datetime_t","description":"The Domain Name System (DNS) response time.","caption":"Response Time","type_name":"Datetime"},"folder":{"type":"object_t","description":"The folder that pertains to the event.","object_type":"file","caption":"Folder","object_name":"File"},"last_login_time":{"type":"timestamp_t","description":"The last time when the user logged in.","caption":"Last Login","type_name":"Timestamp"},"is_read":{"type":"boolean_t","description":"The indication of whether the email has been read.","caption":"Read","type_name":"Boolean"},"security_level_id":{"type":"integer_t","enum":{"3":{"caption":"Compromised"},"0":{"caption":"Unknown"},"1":{"caption":"Secure"},"2":{"caption":"At Risk"},"99":{"description":"The security level is not mapped. See the security_level attribute, which contains data source specific values.","caption":"Other"}},"description":"The current security level of the entity","caption":"Security Level ID","sibling":"security_level","type_name":"Integer"},"product_uid":{"type":"string_t","description":"Unique Identifier of a product.","caption":"Product Identifier","type_name":"String","@deprecated":{"message":"Use the uid attribute in the product object instead. See specific usage.","since":"1.4.0"}},"win/hosted_services":{"type":"object_t","description":"The Windows services that this process is hosting.","extension":"win","is_array":true,"extension_id":2,"object_type":"win/win_service","caption":"Hosted Services","object_name":"Windows Service"},"os":{"type":"object_t","description":"The endpoint operating system.","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"cpu_count":{"type":"integer_t","description":"The number of physical processors on a system. For example: 1.","caption":"CPU Count","type_name":"Integer"},"file_diff":{"type":"string_t","description":"File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.","caption":"File Diff","type_name":"String"},"query_type_id":{"type":"integer_t","enum":{"3":{"description":"A query about folder attributes, metadata, content, or structure.","caption":"Folder"},"6":{"description":"A query about loaded modules, their base addresses, load types, or function entry points.","caption":"Module"},"0":{"description":"The query type was unknown or not specified.","caption":"Unknown"},"1":{"description":"A query about kernel resources including system calls, shared mutex, or other kernel components.","caption":"Kernel"},"2":{"description":"A query about file attributes, metadata, content, hash values, or properties.","caption":"File"},"99":{"description":"The query type was not mapped to a standard category. See the query_type attribute for source-specific value.","caption":"Other"},"4":{"description":"A query about group membership, privileges, domain, or group properties.","caption":"Admin Group"},"5":{"description":"A query about scheduled jobs, their command lines, run states, or execution times.","caption":"Job"},"7":{"description":"A query about active network connections, boundaries, protocols, or TCP states.","caption":"Network Connection"},"8":{"description":"A query about physical or virtual network interfaces, their IP/MAC addresses, or types.","caption":"Network Interfaces"},"9":{"description":"A query about attached peripheral devices, their classes, models, or vendor information.","caption":"Peripheral Device"},"10":{"description":"A query about running processes, command lines, ancestry, loaded modules, or execution context.","caption":"Process"},"11":{"description":"A query about system services, their names, versions, labels, or properties.","caption":"Service"},"12":{"description":"A query about authenticated user or service sessions, their creation times, or issuer details.","caption":"Session"},"14":{"description":"A query about multiple users belonging to an administrative group.","caption":"Users"},"15":{"description":"A query about startup configuration items, their run modes, start types, or current states.","caption":"Startup Item"},"16":{"description":"A Windows-specific query about registry keys, their paths, security descriptors, or modification times.","caption":"Registry Key"},"17":{"description":"A Windows-specific query about registry values, their data types, content, or names.","caption":"Registry Value"},"18":{"description":"A Windows-specific query about prefetch files, their run counts, last execution times, or existence.","caption":"Prefetch"},"13":{"description":"A query about user accounts, their properties, credentials, or domain information.","caption":"User"}},"description":"The normalized type of system query performed against a device or system component.","caption":"Query Type ID","sibling":"query_type","type_name":"Integer"},"script_content":{"type":"object_t","description":"The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.","object_type":"long_string","caption":"Script Content","object_name":"Long String","observable":36},"run_mode_ids":{"type":"integer_t","enum":{"0":{"description":"The run mode is unknown.","caption":"Unknown"},"99":{"description":"The run mode is not mapped. See the run_modes attribute, which contains data source specific values.","caption":"Other"}},"description":"The list of normalized identifiers that describe application attributes when it is running. See specific usage.","is_array":true,"caption":"Run Mode IDs","sibling":"run_modes","type_name":"Integer"},"app":{"type":"object_t","description":"The application that reported the event.","object_type":"product","caption":"Application","object_name":"Product"},"compliance":{"type":"object_t","description":"The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.","object_type":"compliance","caption":"Compliance","object_name":"Compliance"},"vpc_uid":{"type":"string_t","description":"The unique identifier of the Virtual Private Cloud (VPC).","caption":"VPC UID","type_name":"String"},"chunks_out":{"type":"long_t","description":"A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the chunks sent from the source to the destination.","caption":"Chunks Out","type_name":"Long"},"state":{"type":"string_t","description":"The state of the event or object, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"State","type_name":"String"},"is_public":{"type":"boolean_t","description":"Determination of the public accessibility. See specific usage.","caption":"Public","type_name":"Boolean"},"win/hosting_process":{"type":"object_t","description":"The process that is hosting this service.","extension":"win","extension_id":2,"object_type":"process_entity","caption":"Hosting Process","object_name":"Process Entity"},"is_superseded":{"type":"boolean_t","description":"The vendor patch has been replaced by another.","caption":"The patch is superseded.","type_name":"Boolean"},"classification_ids":{"type":"integer_t","enum":{"0":{"description":"The classification is unknown.","caption":"Unknown"},"99":{"description":"The classification is not mapped. See the classifications attribute, which contains a data source specific value.","caption":"Other"}},"description":"The list of normalized classification identifiers. See specific usage.","is_array":true,"caption":"Classification IDs","sibling":"classifications","type_name":"Integer"},"expiration_time":{"type":"timestamp_t","description":"The expiration time. See specific usage.","caption":"Expiration Time","type_name":"Timestamp"},"driver":{"type":"object_t","description":"The driver that was loaded/unloaded into the kernel","object_type":"kernel_driver","caption":"Kernel Driver","object_name":"Kernel Extension"},"ou_name":{"type":"string_t","description":"The name of the organizational unit, within an organization. For example, Finance, IT, R&D","caption":"Org Unit Name","type_name":"String"},"job_title":{"type":"string_t","description":"The user's job title.","caption":"Job Title","type_name":"String"},"cves":{"type":"object_t","description":"List of Common Vulnerabilities and Exposures (CVE).","is_array":true,"object_type":"cve","caption":"CVE List","object_name":"CVE"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","caption":"Event Time","type_name":"Timestamp"},"employee_uid":{"type":"string_t","description":"The employee identifier assigned to the user by the organization.","caption":"Employee ID","type_name":"String"},"category":{"type":"string_t","description":"The object category, normalized to the caption of category_id. See specific usage.","caption":"Category","type_name":"String"},"num_detections":{"type":"integer_t","description":"The number of detections.","caption":"Detections","type_name":"Integer"},"untruncated_size":{"type":"integer_t","description":"The size in bytes of an attribute before truncation. See specific usage.","caption":"Untruncated Size","type_name":"Integer"},"ram_size":{"type":"integer_t","description":"The total amount of installed RAM, in Megabytes. For example: 2048.","caption":"RAM Size","type_name":"Integer"},"email":{"type":"object_t","description":"The email object.","object_type":"email","caption":"Email","object_name":"Email"},"prev_security_level":{"type":"string_t","description":"The previous security level of the entity","caption":"Previous Security Level","type_name":"String"},"banner":{"type":"string_t","description":"The initial connection response that a messaging server receives after it connects to an email server.","caption":"Protocol Banner","type_name":"String"},"transaction_uid":{"type":"string_t","description":"The unique identifier of the transaction.","caption":"Transaction UID","type_name":"String"},"dmarc_override":{"type":"string_t","description":"The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.","caption":"DMARC Override","type_name":"String"},"service_privilege_analysis_list":{"type":"object_t","description":"A list of privilege analysis results grouped by cloud service or namespace.","is_array":true,"object_type":"service_privilege_analysis","caption":"Service Privilege Analysis List","object_name":"Service Privilege Analysis"},"speed":{"type":"string_t","description":"Ground speed of flight. This value is provided in meters per second with a minimum resolution of 0.25 m/s. Special Values: Invalid, No Value, or Unknown: 255 m/s.","caption":"Speed","type_name":"String"},"firewall_rule":{"type":"object_t","description":"The firewall rule that triggered the event.","object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"containers":{"type":"object_t","description":"When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.","is_array":true,"object_type":"container","caption":"Containers","object_name":"Container"},"is_deleted":{"type":"boolean_t","description":"Indicates if the entity was deleted. See specific usage.","caption":"Deleted","type_name":"Boolean"},"traits":{"type":"object_t","description":"The traits that describe characteristics, features of an entity. See specific usage.","is_array":true,"object_type":"trait","caption":"Traits","object_name":"Trait"},"startup_item":{"type":"object_t","description":"The startup item object describes an application component that has associated startup criteria and configurations.","object_type":"startup_item","caption":"Startup Item","object_name":"Startup Item"},"log_format":{"type":"string_t","description":"The format of data in the log. See specific usage.","caption":"Log Format","type_name":"String"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"kill_chain":{"type":"object_t","description":"The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.","is_array":true,"object_type":"kill_chain_phase","caption":"Kill Chain","object_name":"Kill Chain Phase"},"total_tokens":{"type":"integer_t","description":"Total number of tokens used for this message (prompt + completion).","caption":"Total Tokens","type_name":"Integer"},"resources":{"type":"object_t","description":"Describes details about resources that were affected by the activity/event.","is_array":true,"object_type":"resource_details","caption":"Resources Array","object_name":"Resource Details"},"dce_rpc":{"type":"object_t","description":"The DCE/RPC object describes the remote procedure call system for distributed computing environments.","object_type":"dce_rpc","caption":"Distributed Computing Environment/Remote Procedure Call (DCE/RPC)","object_name":"DCE/RPC"},"cores":{"type":"integer_t","description":"The number of processing cores or compute units for the component.","caption":"Cores","type_name":"Integer"},"embedding_model":{"type":"string_t","description":"Model used for creating embeddings in AI retrieval systems.","caption":"Embedding Model","type_name":"String"},"depth":{"type":"string_t","enum":{"Base":{"caption":"Base"},"Environmental":{"caption":"Environmental"},"Temporal":{"caption":"Temporal"}},"description":"The CVSS depth represents a depth of the equation used to calculate CVSS score.","caption":"CVSS Depth","type_name":"String"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","is_array":true,"object_type":"malware","caption":"Malware","object_name":"Malware"},"kerberos_flags":{"type":"string_t","description":"A bitmask, either in hexadecimal or decimal form, which encodes various attributes or permissions associated with a Kerberos ticket. These flags delineate specific characteristics of the ticket, such as its renewability or forwardability.","references":[{"description":"RFC 4120: 5.2.8. KerberosFlags","url":"https://www.rfc-editor.org/rfc/rfc4120#section-5.2.8"},{"description":"Microsoft Windows Security 4769 (see 'Ticket Options')","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769"}],"caption":"Kerberos Flags","type_name":"String"},"target":{"type":"string_t","description":"The target of the event or object. See specific usage.","caption":"Target","type_name":"String"},"occurrence_details":{"type":"object_t","description":"Details about where in the target entity the specified information was discovered. See specific usage.","object_type":"occurrence_details","caption":"Occurrence Details","object_name":"Occurrence Details"},"boundary_id":{"type":"integer_t","enum":{"3":{"description":"External network traffic between two endpoints on the Internet or outside the network.","caption":"External"},"6":{"description":"Through a virtual private gateway","caption":"Virtual Private Gateway"},"0":{"description":"The connection boundary is unknown.","caption":"Unknown"},"1":{"description":"Local network traffic on the same endpoint.","caption":"Localhost"},"2":{"description":"Internal network traffic between two endpoints inside network.","caption":"Internal"},"99":{"description":"The boundary is not mapped. See the boundary attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Through another resource in the same VPC","caption":"Same VPC"},"5":{"description":"Through an Internet gateway or a gateway VPC endpoint","caption":"Internet/VPC Gateway"},"7":{"description":"Through an intra-region VPC peering connection","caption":"Intra-region VPC"},"8":{"description":"Through an inter-region VPC peering connection","caption":"Inter-region VPC"},"9":{"description":"Through a local gateway","caption":"Local Gateway"},"10":{"description":"Through a gateway VPC endpoint (Nitro-based instances only)","caption":"Gateway VPC"},"11":{"description":"Through an Internet gateway (Nitro-based instances only)","caption":"Internet Gateway"}},"description":"service_type_id 3 or 4) this is the executable program that the SCM launches as the service process.
For a kernel mode driver (service_type_id 1 or 2) this is the driver file loaded into the kernel at the request of the SCM. ","extension":"win","extension_id":2,"object_type":"file","caption":"Service File","object_name":"File"},"script":{"type":"object_t","description":"The script object.","object_type":"script","caption":"Script","object_name":"Script"},"port":{"type":"port_t","description":"The TCP/UDP port number associated with a connection. See specific usage.","caption":"Port","type_name":"Port"},"network_scope_id":{"type":"integer_t","enum":{"0":{"description":"Unknown whether this endpoint resides within the customer’s network.","caption":"Unknown"},"1":{"description":"The endpoint resides inside the customer’s network.","caption":"Internal"},"2":{"description":"The endpoint is on the Internet or otherwise external to the customer’s network.","caption":"External"},"99":{"description":"The network scope is not mapped. See the network_scope attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the endpoint’s network scope. The normalized network scope identifier indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined.","caption":"Network Scope ID","sibling":"network_scope","type_name":"Integer"},"is_renewal":{"type":"boolean_t","description":"The indication of whether the event or object represents a renewal. See specific usage.","caption":"Renewal","type_name":"Boolean"},"namespace":{"type":"string_t","description":"The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.","caption":"Namespace","type_name":"String"},"client_hassh":{"type":"object_t","description":"The Client HASSH fingerprinting object.","object_type":"hassh","caption":"Client HASSH","object_name":"HASSH"},"launch_type_id":{"type":"integer_t","enum":{"3":{"description":"Denotes that the Launch event represents the \"exec\" step of Unix process creation, where a process replaces its executable image, command line, and environment. WSL1 pico processes on Windows also use the 2-step Unix model.","caption":"Exec"},"0":{"description":"The launch type is unknown or not specified.","caption":"Unknown"},"1":{"description":"Denotes that the Launch event represents atomic creation of a new process on Windows. This launch type ID may also be used to represent both steps of Unix process creation in a single Launch event.","caption":"Spawn"},"2":{"description":"Denotes that the Launch event represents the \"fork\" step of Unix process creation, where a process creates a clone of itself in a parent-child relationship. WSL1 pico processes on Windows also use the 2-step Unix model.","caption":"Fork"},"99":{"description":"The launch type is not mapped. See the launch_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier for the specific type of Launch activity.","references":[{"description":"fork() man page","url":"https://www.man7.org/linux/man-pages/man2/fork.2.html"},{"description":"execve() man page","url":"https://www.man7.org/linux/man-pages/man2/execve.2.html"}],"caption":"Launch Type ID","sibling":"launch_type","type_name":"Integer"},"format":{"type":"string_t","description":"The format, normalized to the caption of the format_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"Format","type_name":"String"},"privilege_info":{"type":"object_t","description":"Information about a specific privilege, action, or permission.","object_type":"privilege_info","caption":"Privilege Info","object_name":"Privilege Info"},"section_d":{"type":"string_t","description":"The 'd' section of the JA4 fingerprint.","caption":"JA4 Section D","type_name":"String"},"mime_type":{"type":"string_t","description":"The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.","caption":"MIME type","type_name":"String"},"priority":{"type":"string_t","description":"The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.","caption":"Priority","type_name":"String"},"http_response":{"type":"object_t","description":"The HTTP Response from a web server to a requester.","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"fingerprints":{"type":"object_t","description":"An array of digital fingerprint objects.","is_array":true,"object_type":"fingerprint","caption":"Fingerprints","object_name":"Fingerprint"},"verdict_id":{"type":"integer_t","enum":{"3":{"description":"The incident can be disregarded as it is unimportant, an error or accident.","caption":"Disregard"},"6":{"description":"The incident is a test.","caption":"Test"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"The incident is a false positive.","caption":"False Positive"},"2":{"description":"The incident is a true positive.","caption":"True Positive"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"smtp_from":{"type":"email_t","description":"The value of the SMTP MAIL FROM command.","caption":"SMTP From","type_name":"Email Address","@deprecated":{"message":"Use the from attribute instead.","since":"1.4.0"}},"owner":{"type":"object_t","description":"The user that owns the file/object.","object_type":"user","caption":"Owner","object_name":"User"},"end_line":{"type":"integer_t","description":"The line number of the last line of code block identified as vulnerable.","caption":"End Line","type_name":"Integer"},"assessments":{"type":"object_t","description":"A list of assessment objects. See specific usage.","is_array":true,"object_type":"assessment","caption":"Assessments","object_name":"Assessment"},"full_name":{"type":"string_t","description":"The full name. See specific usage.","caption":"Full Name","type_name":"String"},"license_url":{"type":"url_t","description":"The URL pointing to the license applied on package or software. This is typically a LICENSE.md file within a repository.","caption":"Software License URL","type_name":"URL String"},"is_system":{"type":"boolean_t","description":"The indication of whether the object is part of the operating system.","caption":"System","type_name":"Boolean"},"group_name":{"type":"string_t","description":"The name of the group that the resource belongs to.","caption":"Group Name","type_name":"String","@deprecated":{"message":"Use the group.name attribute instead.","since":"1.1.0"}},"class_uid":{"type":"integer_t","description":"The unique identifier of a class. A class describes the attributes available in an event.","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"content_type":{"type":"string_t","description":"The request header that identifies the original media type of the resource (prior to any content encoding applied for sending).","caption":"HTTP Content Type","type_name":"String"},"win/reg_binary_data":{"type":"bytestring_t","description":"The data of the registry value when type_id is REG_BINARY or REG_NONE.","extension":"win","extension_id":2,"caption":"Registry Binary Data","type_name":"Byte String"},"query_time_dt":{"type":"datetime_t","description":"The Domain Name System (DNS) query time.","caption":"Query Time","type_name":"Datetime"},"data_security":{"type":"object_t","description":"The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).","object_type":"data_security","caption":"Data Security","object_name":"Data Security"},"timespan":{"type":"object_t","description":"The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may be populated since each member is of integral type. In that case type_id if present should be set to Other.start_time and end_time.","object_type":"timespan","caption":"Time Span","object_name":"Time Span"},"user":{"type":"object_t","description":"The user that pertains to the event or object.","object_type":"user","caption":"User","object_name":"User"},"extensions":{"type":"object_t","description":"The schema extensions used to create the event.","is_array":true,"object_type":"extension","caption":"Schema Extensions","object_name":"Schema Extension"},"login_endpoint":{"type":"url_t","description":"URL for initiating a login request. See specific usage.","caption":"Login Endpoint","type_name":"URL String"},"anomaly_analyses":{"type":"object_t","description":"A list of anomaly analysis results that examine and characterize patterns of activity or usage over time to identify normal vs abnormal activities. See specific usage.","is_array":true,"object_type":"anomaly_analysis","caption":"Anomaly Analyses","object_name":"Anomaly Analysis"},"files":{"type":"object_t","description":"The files that are part of the event or object.","is_array":true,"object_type":"file","caption":"Files","object_name":"File"},"account_switch_type":{"type":"string_t","description":"The account switch method, normalized to the caption of the account_switch_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Account Switch Type","type_name":"String"},"serial_number":{"type":"string_t","description":"The serial number that pertains to the object. See specific usage.","caption":"Serial Number","type_name":"String","observable":37},"subnet":{"type":"subnet_t","description":"The subnet mask.","caption":"Subnet","type_name":"Subnet"},"logon_type_id":{"type":"integer_t","enum":{"3":{"description":"A user or device logged onto this device from the network.","caption":"Network"},"0":{"description":"The logon type is unknown.","caption":"Unknown"},"1":{"description":"Used only by the System account, for example at system startup.","caption":"System"},"2":{"description":"A local logon to device console.","caption":"Interactive"},"99":{"description":"The logon type is not mapped. See the logon_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A batch server logon, where processes may be executing on behalf of a user without their direct intervention.","caption":"Batch"},"5":{"description":"A logon by a service or daemon that was started by the OS.","caption":"OS Service"},"7":{"description":"A user unlocked the device.","caption":"Unlock"},"8":{"description":"A user logged on to this device from the network. The user's password in the authentication package was not hashed.","caption":"Network Cleartext"},"9":{"description":"A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.","caption":"New Credentials"},"10":{"description":"A remote logon using Terminal Services or remote desktop application.","caption":"Remote Interactive"},"11":{"description":"A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials.","caption":"Cached Interactive"},"12":{"description":"Same as Remote Interactive. This is used for internal auditing.","caption":"Cached Remote Interactive"},"13":{"description":"Workstation logon.","caption":"Cached Unlock"}},"description":"The normalized logon type identifier.","caption":"Logon Type ID","sibling":"logon_type","type_name":"Integer"},"sso":{"type":"object_t","description":"The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.","object_type":"sso","caption":"SSO","object_name":"SSO"},"load_type":{"type":"string_t","description":"The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Load Type","type_name":"String"},"all_privileges_unused":{"type":"boolean_t","description":"Indicates whether all privileges in a set, list, collection or group are unused. See specific usage.","caption":"All Privileges Unused","type_name":"Boolean"},"categories":{"type":"string_t","description":"The Website categorization names, as defined by category_ids enum values.","is_array":true,"caption":"Website Categorization","type_name":"String"},"occurrences":{"type":"object_t","description":"A list of occurrence_details objects, each describing where in the target entity the specified information was discovered. See specific usage.","is_array":true,"object_type":"occurrence_details","caption":"Occurrences","object_name":"Occurrence Details"},"duration_years":{"type":"integer_t","description":"Represents the duration of the activity in years. See specific usage.","caption":"Duration Years","type_name":"Integer"},"prev_security_level_id":{"type":"integer_t","enum":{"3":{"caption":"Compromised"},"0":{"caption":"Unknown"},"1":{"caption":"Secure"},"2":{"caption":"At Risk"},"99":{"description":"The security level is not mapped. See the prev_security_level attribute, which contains data source specific values.","caption":"Other"}},"description":"The previous security level of the entity","caption":"Previous Security Level ID","sibling":"prev_security_level","type_name":"Integer"},"win/service_start_name":{"type":"string_t","description":"For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.","extension":"win","extension_id":2,"caption":"Service Start Name","type_name":"String"},"type":{"type":"string_t","description":"The type of an object or value, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"Type","type_name":"String"},"num_network_items":{"type":"integer_t","description":"The number of network items scanned.","caption":"Scanned Network Items","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"loggers":{"type":"object_t","description":"An array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow and/or to track the chain of custody of the data.","is_array":true,"object_type":"logger","caption":"Loggers","object_name":"Logger"},"entity_result":{"type":"object_t","description":"The updated managed entity.","object_type":"managed_entity","caption":"Entity Result","object_name":"Managed Entity"},"is_compliant":{"type":"boolean_t","description":"The event occurred on a compliant device.","caption":"Compliant Device","type_name":"Boolean"},"cpu_architecture_id":{"type":"integer_t","enum":{"3":{"description":"CPU uses the RISC-V ISA. For bitness, refer to cpu_bits.","caption":"RISC-V"},"0":{"description":"The CPU architecture is unknown.","caption":"Unknown"},"1":{"description":"CPU uses the x86 ISA. For bitness, refer to cpu_bits.","caption":"x86"},"2":{"description":"CPU uses the ARM ISA. For bitness, refer to cpu_bits.","caption":"ARM"},"99":{"description":"The CPU architecture is not mapped. See the cpu_architecture attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the CPU architecture.","caption":"CPU Architecture ID","sibling":"cpu_architecture","type_name":"Integer"},"function_keys":{"type":"integer_t","description":"The number of function keys on client keyboard.","caption":"Function Keys","type_name":"Integer"},"imei":{"type":"string_t","description":"The International Mobile Equipment Identity that is associated with the device.","caption":"IMEI","type_name":"String","@deprecated":{"message":"Use the imei_list attribute instead.","since":"1.4.0"}},"fix_coverage_id":{"type":"integer_t","enum":{"0":{"description":"The fix coverage is unknown.","caption":"Unknown"},"99":{"description":"The fix coverage is not mapped. See the fix_coverage attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier for fix coverage. See specific usage.","caption":"Fix Coverage ID","sibling":"fix_coverage","type_name":"Integer"},"message_context":{"type":"object_t","description":"Communication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.","object_type":"message_context","caption":"Message Context","object_name":"Message Context"},"network_scope":{"type":"string_t","description":"Indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the network_scope_id.","caption":"Network Scope","type_name":"String"},"ldap_cn":{"type":"string_t","description":"The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.","caption":"LDAP Common Name","type_name":"String"},"win/service_error_control":{"type":"string_t","description":"The service error control, normalized to the caption of the service_error_control_id value. In the case of 'Other', it is defined by the event source.","extension":"win","extension_id":2,"caption":"Service Error Control","type_name":"String"},"granted_privileges":{"type":"string_t","description":"The Privileges that were granted to the user via an IAM policy or otherwise. See specific usage.","is_array":true,"caption":"Granted Privileges","type_name":"String"},"bios_ver":{"type":"string_t","description":"The BIOS version. For example: LENOVO G5ETA2WW (2.62).","caption":"BIOS Version","type_name":"String"},"security_states":{"type":"object_t","description":"The current security states. See specific usage.","is_array":true,"object_type":"security_state","caption":"Security States","object_name":"Security State"},"signature":{"type":"object_t","description":"The digital signature of the file.","object_type":"digital_signature","caption":"Digital Signature","object_name":"Digital Signature"},"container":{"type":"object_t","description":"The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","object_type":"container","caption":"Container","object_name":"Container"},"invoked_by":{"type":"string_t","description":"The name of the service that invoked the activity as described in the event.","caption":"Invoked by","type_name":"String"},"mitigation":{"type":"object_t","description":"The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"object_type":"mitigation","caption":"MITRE Mitigation","object_name":"MITRE Mitigation"},"factor_type":{"type":"string_t","description":"The type of authentication factor used in an authentication attempt.","caption":"Factor Type","type_name":"String"},"bytes_missed":{"type":"long_t","description":"Indicates the number of bytes missed, which is representative of packet loss.","caption":"Bytes Missed","type_name":"Long"},"scale_factor":{"type":"integer_t","description":"The numeric scale factor of display.","caption":"Scale Factor","type_name":"Integer"},"category_ids":{"type":"integer_t","enum":{"30":{"caption":"Art/Culture"},"97":{"caption":"Content Servers"},"57":{"caption":"Remote Access Tools"},"38":{"caption":"Technology/Internet"},"63":{"caption":"Personal Sites"},"29":{"caption":"Charitable Organizations"},"83":{"caption":"Peer-to-Peer (P2P)"},"45":{"caption":"Job Search/Careers"},"40":{"caption":"Search Engines/Portals"},"112":{"caption":"Media Sharing"},"22":{"caption":"Alternative Spirituality/Belief"},"56":{"caption":"File Storage/Sharing"},"51":{"caption":"Chat (IM)/SMS"},"61":{"caption":"Society/Daily Living"},"101":{"caption":"Spam"},"47":{"caption":"Personals/Dating"},"96":{"caption":"Non-Viewable/Infrastructure"},"33":{"caption":"Games"},"59":{"caption":"Auctions"},"53":{"caption":"Newsgroups/Forums"},"1":{"caption":"Adult/Mature Content"},"99":{"description":"The Domain/URL category is not mapped. See the categories attribute, which contains a data source specific value.","caption":"Other"},"68":{"caption":"Humor/Jokes"},"92":{"caption":"Suspicious"},"20":{"caption":"Entertainment"},"54":{"caption":"Religion"},"107":{"caption":"Informational"},"3":{"caption":"Pornography"},"15":{"caption":"Weapons"},"34":{"caption":"Government/Legal"},"103":{"caption":"Dynamic DNS Host"},"50":{"caption":"Mixed Content/Potentially Adult"},"110":{"caption":"Internet Telephony"},"106":{"caption":"E-Card/Invitations"},"93":{"caption":"Sexual Expression"},"64":{"caption":"Restaurants/Dining/Food"},"25":{"caption":"Controlled Substances"},"86":{"caption":"Proxy Avoidance"},"87":{"caption":"For Kids"},"71":{"caption":"Software Downloads"},"49":{"caption":"Reference"},"37":{"caption":"Health"},"114":{"caption":"TV/Video Streams"},"121":{"caption":"Marijuana"},"118":{"caption":"Piracy/Copyright Concerns"},"98":{"caption":"Placeholders"},"16":{"caption":"Abortion"},"27":{"caption":"Education"},"7":{"caption":"Extreme"},"23":{"caption":"Alcohol"},"32":{"caption":"Brokerage/Trading"},"18":{"caption":"Phishing"},"36":{"caption":"Political/Social Advocacy"},"113":{"caption":"Radio/Audio Streams"},"90":{"caption":"Uncategorized"},"84":{"caption":"Audio/Video Clips"},"17":{"caption":"Hacking"},"26":{"caption":"Child Pornography"},"35":{"caption":"Military"},"4":{"caption":"Sex Education"},"65":{"caption":"Sports/Recreation"},"95":{"caption":"Translation"},"43":{"caption":"Malicious Sources/Malnets"},"21":{"caption":"Business/Economy"},"67":{"caption":"Vehicles"},"52":{"caption":"Email"},"14":{"caption":"Violence/Hate/Racism"},"85":{"caption":"Office/Business Applications"},"55":{"caption":"Social Networking"},"6":{"caption":"Nudity"},"0":{"description":"The Domain/URL category is unknown.","caption":"Unknown"},"44":{"caption":"Malicious Outbound Data/Botnets"},"11":{"caption":"Gambling"},"109":{"caption":"Internet Connected Devices"},"88":{"caption":"Web Ads/Analytics"},"9":{"caption":"Scam/Questionable/Illegal"},"5":{"caption":"Intimate Apparel/Swimsuit"},"31":{"caption":"Financial Services"},"60":{"caption":"Real Estate"},"89":{"caption":"Web Hosting"},"24":{"caption":"Tobacco"},"66":{"caption":"Travel"},"111":{"caption":"Online Meetings"},"102":{"caption":"Potentially Unwanted Software"},"46":{"caption":"News/Media"},"108":{"caption":"Computer/Information Security"},"58":{"caption":"Shopping"}},"description":"The Website categorization identifiers.","is_array":true,"caption":"Website Categorization IDs","sibling":"categories","type_name":"Integer"},"imei_list":{"type":"string_t","description":"The International Mobile Equipment Identity values that are associated with the device.","is_array":true,"caption":"IMEI List","type_name":"String"},"flag_ids":{"type":"integer_t","enum":{"0":{"description":"The flag is unknown.","caption":"Unknown"},"99":{"description":"The flag is not mapped. See the flags attribute, which contains a data source specific value.","caption":"Other"}},"description":"The list of normalized identifiers of the communication flag IDs. See specific usage.","is_array":true,"caption":"Communication Flag IDs","sibling":"flags","type_name":"Integer"},"section_c":{"type":"string_t","description":"The 'c' section of the JA4 fingerprint.","caption":"JA4 Section C","type_name":"String"},"return_value":{"type":"string_t","description":"The value returned from a function.","caption":"Return Value","type_name":"String"},"network_driver":{"type":"string_t","description":"The network driver used by the container. For example, bridge, overlay, host, none, etc.","caption":"Network Driver","type_name":"String"},"exploit_last_seen_time_dt":{"type":"datetime_t","description":"The time when the exploit was most recently observed.","caption":"Exploit Last Seen Time","type_name":"Datetime"},"injection_type_id":{"type":"integer_t","enum":{"3":{"caption":"Queue APC"},"0":{"description":"The injection type is unknown.","caption":"Unknown"},"1":{"caption":"Remote Thread"},"2":{"caption":"Load Library"},"99":{"description":"The injection type is not mapped. See the injection_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the process injection method.","caption":"Injection Type ID","sibling":"injection_type","type_name":"Integer"},"http_method":{"type":"string_t","description":"The HTTP request method indicates the desired action to be performed for a given resource. Expected values:
","caption":"HTTP Method","type_name":"String"},"baselines":{"type":"object_t","description":"A list of baseline measurements or normal behavior patterns used as reference points for comparison and anomaly detection. See specific usage.","is_array":true,"object_type":"baseline","caption":"Baselines","object_name":"Baseline"},"start_offset":{"type":"long_t","description":"The starting offset. See specific usage.","caption":"Start Offset","type_name":"Long"},"attributes":{"type":"integer_t","description":"The bitmask value that represents the file attributes.","caption":"Attributes","type_name":"Integer"},"last_login_time_dt":{"type":"datetime_t","description":"The last time when the user logged in.","caption":"Last Login","type_name":"Datetime"},"query_time":{"type":"timestamp_t","description":"The Domain Name System (DNS) query time.","caption":"Query Time","type_name":"Timestamp"},"open_type":{"type":"string_t","description":"The file open type.","caption":"Open Type","type_name":"String"},"start_line":{"type":"integer_t","description":"The line number of the first line of code block identified as vulnerable.","caption":"Start Line","type_name":"Integer"},"subgroup":{"type":"object_t","description":"A subgroup that was added to or removed from the group.","object_type":"group","caption":"Subgroup","object_name":"Group"},"duration_hours":{"type":"integer_t","description":"Represents the duration of the activity in hours. See specific usage.","caption":"Duration Hours","type_name":"Integer"},"observations":{"type":"object_t","description":"A list of individual observations or measurements collected during analysis. Each observation captures a specific data point. See specific usage.","is_array":true,"object_type":"observation","caption":"Observations","object_name":"Observation"},"uri":{"type":"url_t","description":"A Uniform Resource Identifier (URI) is a string of characters that identifies a resource on the Internet. URIs can identify physical resources, like webpages and documents. See specific usage.","references":[{"description":"RFC 3986","url":"https://datatracker.ietf.org/doc/html/rfc3986"}],"caption":"URI","type_name":"URL String"},"lat":{"type":"float_t","description":"The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: 42.361145.","caption":"Latitude","type_name":"Float"},"cipher":{"type":"string_t","description":"The negotiated cipher suite.","caption":"Cipher Suite","type_name":"String"},"spf":{"type":"string_t","description":"The Sender Policy Framework (SPF) status of the email.","caption":"SPF Status","type_name":"String"},"cost_center":{"type":"string_t","description":"The cost center associated with the user.","caption":"Cost Center","type_name":"String"},"encoding_id":{"type":"integer_t","enum":{"0":{"description":"The encoding method is unknown.","caption":"Unknown"},"99":{"description":"The encoding method is not mapped. See the encoding attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the encoding method. See specific usage.","caption":"Encoding ID","sibling":"encoding","type_name":"Integer"},"tunnel_interface":{"type":"object_t","description":"The information about the tunnel interface. See specific usage.","object_type":"network_interface","caption":"Interface","object_name":"Network Interface"},"devices":{"type":"object_t","description":"The object describes details related to the list of devices.","is_array":true,"object_type":"device","caption":"Devices","object_name":"Device"},"cpu_type":{"type":"string_t","description":"The processor type. For example: x86 Family 6 Model 37 Stepping 5.","caption":"Processor Type","type_name":"String"},"given_name":{"type":"string_t","description":"The given or first name of the user.","caption":"Given Name","type_name":"String"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"type_id":{"type":"integer_t","enum":{"0":{"description":"The type is unknown.","caption":"Unknown"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized type identifier of an object. See specific usage.","caption":"Type ID","sibling":"type","type_name":"Integer"},"altitude_ceiling":{"type":"string_t","description":"Maximum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: Invalid, No Value, or Unknown: -1000 m.","caption":"Altitude Ceiling","type_name":"String"},"control":{"type":"string_t","description":"A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.","caption":"Security Control","type_name":"String"},"section_b":{"type":"string_t","description":"The 'b' section of the JA4 fingerprint.","caption":"JA4 Section B","type_name":"String"},"idp":{"type":"object_t","description":"This object describes details about the Identity Provider used.","object_type":"idp","caption":"Identity Provider","object_name":"Identity Provider"},"packets":{"type":"long_t","description":"The total number of packets (in and out).","caption":"Total Packets","type_name":"Long"},"sbom":{"type":"object_t","description":"The Software Bill of Materials (SBOM) object describes the characteristics of a generated SBOM for a software package.","object_type":"sbom","caption":"Software Bill Of Materials","object_name":"Software Bill of Materials"},"domain":{"type":"string_t","description":"The name of the domain. See specific usage.","caption":"Domain","type_name":"String"},"relation":{"type":"string_t","description":"The relationship between two entities. See specific usage.","caption":"Relation","type_name":"String"},"data":{"type":"json_t","description":"The additional data that is associated with the event or object. See specific usage.","caption":"Data","type_name":"JSON"},"reply_to_list":{"type":"email_t","description":"The machine-readable email header Reply-To values, as defined by RFC 5322. For example example.user@usersdomain.com","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"Reply To List","type_name":"Email Address"},"phase_id":{"type":"integer_t","enum":{"3":{"description":"The intruders will use various tactics, such as phishing, infected USB drives, etc.","caption":"Delivery"},"6":{"description":"Malware opens a command channel to enable the intruders to remotely manipulate the victim's system.","caption":"Command & Control"},"0":{"description":"The kill chain phase is unknown.","caption":"Unknown"},"1":{"description":"The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them.","caption":"Reconnaissance"},"2":{"description":"The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities.","caption":"Weaponization"},"99":{"description":"The kill chain phase is not mapped. See the phase attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The intruders start leveraging vulnerabilities to executed code on the victim’s system.","caption":"Exploitation"},"5":{"description":"The intruders install malware on the victim’s system.","caption":"Installation"},"7":{"description":"With hands-on keyboard access, intruders accomplish the mission’s goal.","caption":"Actions on Objectives"}},"description":"The cyber kill chain phase identifier.","caption":"Kill Chain Phase ID","sibling":"phase","type_name":"Integer"},"kernel":{"type":"object_t","description":"The kernel resource object that pertains to the event.","object_type":"kernel","caption":"Kernel","object_name":"Kernel Resource"},"gpu_info_list":{"type":"object_t","description":"An array of objects describing describing Graphical Processing Unit hardware.","is_array":true,"object_type":"gpu_info","caption":"GPU information","object_name":"GPU Information"},"runtime":{"type":"string_t","description":"The backend running the container, such as containerd or cri-o.","caption":"Runtime","type_name":"String"},"tls_extension_list":{"type":"object_t","description":"The list of TLS extensions.","is_array":true,"object_type":"tls_extension","caption":"TLS Extension List","object_name":"TLS Extension"},"is_mobile_account_active":{"type":"boolean_t","description":"Indicates whether the device has an active mobile account. For example, this is indicated by the itunesStoreAccountActive value within JAMF Pro mobile devices.","caption":"Mobile Account Active","type_name":"Boolean"},"ime":{"type":"string_t","description":"The Input Method Editor (IME) file name.","caption":"IME","type_name":"String"},"install_state":{"type":"string_t","description":"The install state, normalized to the caption of install_state_id. In the case of 'Other', it is defined by the event source.","caption":"Install State","type_name":"String"},"chunks":{"type":"long_t","description":"A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the total number of chunks (in and out).","caption":"Chunks","type_name":"Long"},"detection_pattern_type":{"type":"string_t","description":"The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Detection Pattern","type_name":"String"},"nist":{"type":"string_t","description":"The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.","is_array":true,"caption":"NIST List","type_name":"String"},"pool":{"type":"object_t","description":"An unordered collection of resources. See specific usage.","object_type":"group","caption":"Pool","object_name":"Group"},"post_value":{"type":"string_t","description":"The value after. See specific usage.","caption":"Post-Value","type_name":"String"},"ai_role_id":{"type":"integer_t","description":"The originator or target role of the message.","caption":"AI Role ID","sibling":"ai_role","type_name":"Integer"},"command_response":{"type":"string_t","description":"The response to the command.","caption":"Command Response","type_name":"String"},"kb_articles":{"type":"string_t","description":"The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.","is_array":true,"caption":"Knowledgebase Articles","type_name":"String","@deprecated":{"message":"Use the kb_article_list attribute instead.","since":"1.1.0"}},"packet":{"type":"object_t","description":"The packet object describes a single captured network packet and its associated metadata.","object_type":"packet","caption":"Packet","object_name":"Packet"},"log_version":{"type":"string_t","description":"The log version. See specific usage.","caption":"Log Version","type_name":"String"},"interface_name":{"type":"string_t","description":"The name of the network interface (e.g. eth2).","caption":"Network Interface Name","type_name":"String"},"accessors":{"type":"object_t","description":"A list of users who have access to an entity. See specific usage.","is_array":true,"object_type":"user","caption":"Accessors","object_name":"User"},"module":{"type":"object_t","description":"The module that pertains to the event.","object_type":"module","caption":"Module","object_name":"Module"},"vulnerability":{"type":"object_t","description":"The vulnerability object describes details related to the observed vulnerability","object_type":"vulnerability","caption":"Vulnerability","object_name":"Vulnerability Details"},"xattributes":{"type":"object_t","description":"An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.","caption":"Vector String","type_name":"String"},"share":{"type":"string_t","description":"The share name. See specific usage.","caption":"Share","type_name":"String"},"record_index_in_array":{"type":"integer_t","description":"The index of the record in the array of records.","caption":"Record Index in Array","type_name":"Integer"},"dkim_domain":{"type":"string_t","description":"The DomainKeys Identified Mail (DKIM) signing domain of the email.","caption":"DKIM Domain","type_name":"String"},"duration_mins":{"type":"integer_t","description":"Represents the duration of the activity in minutes. See specific usage.","caption":"Duration Minutes","type_name":"Integer"},"modified_time_dt":{"type":"datetime_t","description":"The time when the object was last modified. See specific usage.","caption":"Modified Time","type_name":"Datetime"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","caption":"Verdict","type_name":"String"},"win/service_category":{"type":"string_t","description":"The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.","extension":"win","extension_id":2,"caption":"Service Category","type_name":"String"},"format_id":{"type":"integer_t","enum":{"0":{"description":"The format is unknown.","caption":"Unknown"},"99":{"description":"The format is not mapped. See the format attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the format. See specific usage.","caption":"Format ID","sibling":"format","type_name":"Integer"},"cpe_name":{"type":"string_t","description":"The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.","caption":"The product CPE identifier","type_name":"String"},"hash":{"type":"object_t","description":"The hash attribute is the value of a digital fingerprint including information about its algorithm.","object_type":"fingerprint","caption":"Hash","object_name":"Fingerprint"},"end_offset":{"type":"long_t","description":"The ending offset. See specific usage.","caption":"End Offset","type_name":"Long"},"labels":{"type":"string_t","description":"The list of labels attached to an entity. See specific usage.","is_array":true,"caption":"Labels","type_name":"String"},"args":{"type":"string_t","description":"The arguments sent along with the HTTP request.","caption":"HTTP Arguments","type_name":"String"},"security_level":{"type":"string_t","description":"The current security level of the entity","caption":"Security Level","type_name":"String"},"sender":{"type":"email_t","description":"The machine readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the from field, which shows the message author. The sender field is most commonly used when multiple addresses appear in the from_list field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"Sender","type_name":"Email Address"},"detection_pattern":{"type":"string_t","description":"Specific pattern, algorithm, fingerprint, or model used for detection.","caption":"Detection Pattern","type_name":"String"},"is_managed":{"type":"boolean_t","description":"The event occurred on a managed device.","caption":"Managed Device","type_name":"Boolean"},"coordinates":{"type":"float_t","description":"A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719].","is_array":true,"caption":"Coordinates","type_name":"Float","@deprecated":{"message":"Use specific lat, long attributes instead.","since":"1.2.0"}},"connection_uid":{"type":"string_t","description":"The network connection identifier.","caption":"Connection Identifier","type_name":"String"},"json_path":{"type":"string_t","description":"The JSON path of the attribute. See specific usage.","caption":"JSON Path","type_name":"String"},"hypervisor":{"type":"string_t","description":"The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.","caption":"Hypervisor","type_name":"String"},"endpoint_connections":{"type":"object_t","description":"Contains information about network connection attempts. See specific usage.","is_array":true,"object_type":"endpoint_connection","caption":"Endpoint Connections","object_name":"Endpoint Connection"},"image":{"type":"object_t","description":"The image used as a template to run a container or virtual machine.","object_type":"image","caption":"Image","object_name":"Image"},"error_message":{"type":"string_t","description":"Error Message","caption":"Error Message","type_name":"String"},"rcode_id":{"type":"integer_t","enum":{"0":{"description":"The DNS response code is unknown.","caption":"Unknown"},"99":{"description":"The DNS response code is not defined by the RFC. See the rcode attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the server response code. See specific usage.","caption":"Response Code ID","sibling":"rcode","type_name":"Integer"},"advisory":{"type":"object_t","description":"Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor.","object_type":"advisory","caption":"Security Advisory","object_name":"Advisory"},"eid":{"type":"string_t","description":"An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.","caption":"EID","type_name":"String"},"imported_symbols":{"type":"string_t","description":"A list of symbols imported by the executable file.","is_array":true,"caption":"Imported Symbols","type_name":"String"},"num_trusted_items":{"type":"integer_t","description":"The number of trusted items.","caption":"Trusted","type_name":"Integer"},"run_modes":{"type":"string_t","description":"The list of run_modes, normalized to the captions of the run_mode_ids values. In the case of 'Other', they are defined by the event source. See specific usage.","is_array":true,"caption":"Run Modes","type_name":"String"},"win/reg_value":{"type":"object_t","description":"The registry value.","extension":"win","extension_id":2,"object_type":"win/reg_value","caption":"Registry Value","object_name":"Registry Value"},"observed_pattern":{"type":"string_t","description":"A detected pattern or trend identified in the analyzed data, describing recurring activities or characteristics.","caption":"Observed Pattern","type_name":"String"},"auth_factors":{"type":"object_t","description":"Describes a category of methods used for identity verification. See specific usage.","is_array":true,"object_type":"auth_factor","caption":"Authentication Factors","object_name":"Authentication Factor"},"win/prev_reg_key":{"type":"object_t","description":"The registry key before the mutation","extension":"win","extension_id":2,"object_type":"win/reg_key","caption":"Previous Registry Key","object_name":"Registry Key"},"fingerprint":{"type":"object_t","description":"The digital fingerprint associated with an object.","object_type":"fingerprint","caption":"Fingerprint","object_name":"Fingerprint"},"vertical_speed":{"type":"string_t","description":"Vertical speed upward relative to the WGS-84 datum, measured in meters per second. Special Values: Invalid, No Value, or Unknown: 63 m/s.","caption":"Vertical Speed","type_name":"String"},"product":{"type":"object_t","description":"The product that reported the event.","object_type":"product","caption":"Product","object_name":"Product"},"auth_type_id":{"type":"integer_t","enum":{"0":{"description":"The authentication type is unknown.","caption":"Unknown"},"99":{"description":"The authentication type is not mapped. See the auth_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the agreed upon authentication type. See specific usage.","caption":"Authentication Type ID","sibling":"auth_type","type_name":"Integer"},"group":{"type":"object_t","description":"The group object associated with an entity such as user, policy, or rule.","object_type":"group","caption":"Group","object_name":"Group"},"relationship_id":{"type":"integer_t","enum":{"0":{"description":"The relationship is unknown.","caption":"Unknown"},"1":{"description":"The component is a dependency of another component. Can be used to define both direct and transitive dependencies.","caption":"Depends On"},"99":{"description":"The relationship is not mapped. See the relationship attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the relationship between two software components.","caption":"Relationship ID","sibling":"relationship","type_name":"Integer"},"raw_header":{"type":"string_t","description":"The email authentication header.","caption":"Raw Header","type_name":"String"},"detection_system_id":{"type":"integer_t","enum":{"3":{"description":"A Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tool that can detect sensitive data and/or enforce data security policies on mobile devices (e.g., cellphones, tablets, End User Devices [EUDs]).","caption":"Mobile Device Management"},"6":{"description":"A Secure Email Gateway (SEG) is any tool that can detect sensitive data and/or enforce data security policies within email systems. E.g., Microsoft Defender for Office, Google Workspaces.","caption":"Secure Email Gateway"},"0":{"description":"The type is not mapped. See the detection_system attribute, which contains a data source specific value.","caption":"Unknown"},"1":{"description":"A dedicated agent or sensor installed on a device, either a dedicated data security tool or an Endpoint Detection & Response (EDR) tool that can detect sensitive data and/or enforce data security policies. E.g., Forcepoint DLP, Symantec DLP, Microsoft Defender for Endpoint (MDE).","caption":"Endpoint"},"2":{"description":"A Data Loss Prevention (DLP) gateway that is positioned in-line of an information store such as a network share, a database, or otherwise that can detect sensitive data and/or enforce data security policies.","caption":"DLP Gateway"},"99":{"description":"Any other type of detection system or a multi-variate system made up of several other systems.","caption":"Other"},"4":{"description":"A tool that actively identifies and classifies sensitive data in digital media and information stores in accordance with a policy or automated functionality. E.g, Amazon Macie, Microsoft Purview.","caption":"Data Discovery & Classification"},"5":{"description":"A Secure Web Gateway (SWG) is any tool that can detect sensitive data and/or enforce data security policies at a network-edge such as within a proxy or firewall service.","caption":"Secure Web Gateway"},"7":{"description":"A Digital Rights Management (DRM) or a dedicated Information Rights Management (IRM) are tools which can detect sensitive data and/or enforce data security policies on digital media via policy or user access rights.","caption":"Digital Rights Management"},"8":{"description":"A Cloud Access Security Broker (CASB) that can detect sensitive data and/or enforce data security policies in-line to cloud systems such as the public cloud or Software-as-a-Service (SaaS) tool. E.g., Forcepoint CASB, SkyHigh Security.","caption":"Cloud Access Security Broker"},"9":{"description":"A Database Activity Monitoring (DAM) tool that can detect sensitive data and/or enforce data security policies as part of a dedicated database or warehouse monitoring solution.","caption":"Database Activity Monitoring"},"10":{"description":"A built in Data Loss Prevention (DLP) or other data security capability within a tool or platform such as an Enterprise Resource Planning (ERP) or Customer Relations Management (CRM) tool that can detect sensitive data and/or enforce data security policies.","caption":"Application-Level DLP"},"11":{"description":"Any Developer Security tool such as an Infrastructure-as-Code (IAC) security scanner, Secrets Detection, or Secure Software Development Lifecycle (SSDLC) tool that can detect sensitive data and/or enforce data security policies. E.g., TruffleHog, GitGuardian, Git-Secrets.","caption":"Developer Security"},"12":{"description":"A Data Security Posture Management (DSPM) tool is a continuous monitoring and data discovery solution that can detect sensitive data and/or enforce data security policies for local and cloud environments. E.g., Cyera, Sentra, IBM Polar Security.","caption":"Data Security Posture Management"}},"description":"The type of data security tool or system that the finding, detection, or alert originated from.","caption":"Detection System ID","sibling":"detection_system","type_name":"Integer"},"finding_info_list":{"type":"object_t","description":"A list of finding_info objects associated to an incident.","is_array":true,"object_type":"finding_info","caption":"Finding Information List","object_name":"Finding Information"},"access_list":{"type":"string_t","description":"The list of requested access rights.","is_array":true,"caption":"Access List","type_name":"String"},"peripheral_device":{"type":"object_t","description":"The peripheral device that triggered the event.","object_type":"peripheral_device","caption":"Peripheral Device","object_name":"Peripheral Device"},"isp":{"type":"string_t","description":"The name of the Internet Service Provider (ISP).","caption":"ISP Name","type_name":"String"},"databucket":{"type":"object_t","description":"The data bucket object is a basic container that holds data, typically organized through the use of data partitions.","object_type":"databucket","caption":"Databucket","object_name":"Databucket"},"x_originating_ip":{"type":"ip_t","description":"The X-Originating-IP header identifying the emails originating IP address(es).","is_array":true,"caption":"X-Originating-IP","type_name":"IP Address"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","caption":"Risk Details","type_name":"String"},"geodetic_vertical_accuracy":{"type":"string_t","description":"Provides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.","caption":"Geodetic Vertical Accuracy","type_name":"String"},"auid":{"type":"integer_t","description":"The audit user assigned at login by the audit subsystem.","caption":"Audit User ID","type_name":"Integer"},"checks":{"type":"object_t","description":"A list of specific, individual compliance verification checks derived from standard or non-standard benchmark rules or requirements.","is_array":true,"object_type":"check","caption":"Compliance Checks","object_name":"Check"},"d3f_tactic":{"type":"object_t","description":"The D3FEND Tactic object describes the defensive tactic name associated with a countermeasure.","references":[{"description":"D3FEND™ Matrix","url":"https://d3fend.mitre.org"}],"object_type":"d3f_tactic","caption":"MITRE D3FEND™ Tactic","object_name":"MITRE D3FEND™ Tactic"},"release":{"type":"string_t","description":"Release is the number of times a version of the software has been packaged.","caption":"Software Release Details","type_name":"String"},"server_hassh":{"type":"object_t","description":"The Server HASSH fingerprinting object.","object_type":"hassh","caption":"Server HASSH","object_name":"HASSH"},"sequence_number":{"type":"long_t","description":"The sequence number. See specific usage.","caption":"Sequence Number","type_name":"Long"},"evidences":{"type":"object_t","description":"A collection of evidence artifacts associated to the activity/activities that triggered a finding. See specific usage.","is_array":true,"object_type":"evidences","caption":"Evidence Artifacts","object_name":"Evidence Artifacts"},"hire_time_dt":{"type":"datetime_t","description":"The timestamp when the user was or will be hired by the organization.","caption":"Hire Time","type_name":"Datetime"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"auth_protocol":{"type":"string_t","description":"The authentication protocol as defined by the caption of auth_protocol_id. In the case of Other, it is defined by the event source.","caption":"Auth Protocol","type_name":"String"},"tactics":{"type":"object_t","description":"The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK® Matrix.","is_array":true,"object_type":"tactic","caption":"Tactics","@deprecated":{"message":"Use the tactic attribute instead.","since":"1.1.0"},"object_name":"MITRE Tactic"},"bios_manufacturer":{"type":"string_t","description":"The BIOS manufacturer. For example: LENOVO.","caption":"BIOS Manufacturer","type_name":"String"},"message_uid":{"type":"string_t","description":"The email header Message-ID value, as defined by RFC 5322.","source":"Message-ID","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"Message UID","type_name":"String","observable":42},"is_remote":{"type":"boolean_t","description":"The indication of whether the session is remote.","caption":"Remote","type_name":"Boolean"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","caption":"Timezone Offset","type_name":"Integer"},"last_used_time_dt":{"type":"datetime_t","description":"The most recent usage time of an entity. See specific usage.","caption":"Last Used Time","type_name":"Datetime"},"last_seen_time":{"type":"timestamp_t","description":"The most recent detection time of the activity or object. See specific usage.","caption":"Last Seen","type_name":"Timestamp"},"namespace_pid":{"type":"integer_t","description":"If running under a process namespace (such as in a container), the process identifier within that process namespace.","caption":"Namespace PID","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"email_uid":{"type":"string_t","description":"The unique identifier of the email, used to correlate related email alert and activity events.","caption":"Email UID","type_name":"String","@deprecated":{"message":"Use the email.uid attribute instead.","since":"1.4.0"}},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"scheme":{"type":"string_t","description":"The scheme portion of the URL. For example: http, https, ftp, or sftp.","caption":"Scheme","type_name":"String"},"category_uid":{"type":"integer_t","description":"The category unique identifier of the event.","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","caption":"Suspected Breach","type_name":"Boolean"},"launch_type":{"type":"string_t","description":"The specific type of Launch activity, normalized to the caption of the launch_type_id value. In the case of Other it is defined by the event source.","caption":"Launch Type","type_name":"String"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"access_result":{"type":"json_t","description":"The list of access check results.","caption":"Access Check Result","type_name":"JSON"},"query_language":{"type":"string_t","description":"The query language, normalized to the caption of the query_language_id value. See specific usage.","caption":"Query Language","type_name":"String"},"handshake_dur":{"type":"integer_t","description":"The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.","caption":"Handshake Duration","type_name":"Integer"},"signatures":{"type":"object_t","description":"A collection of Digital Signature objects.","is_array":true,"object_type":"digital_signature","caption":"Digital Signatures","object_name":"Digital Signature"},"scim_group_schema":{"type":"json_t","description":"SCIM provides a schema for representing groups, identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:Group as defined in RFC-7634. This attribute will capture key-value pairs for the scheme implemented in a SCIM resource.","references":[{"description":"System for Cross-domain Identity Management (SCIM) RFC spec.","url":"https://datatracker.ietf.org/doc/html/rfc7643"}],"caption":"SCIM Group Schema","type_name":"JSON"},"is_http_only":{"type":"boolean_t","description":"This attribute prevents the cookie from being accessed via JavaScript.","caption":"HTTP Only","type_name":"Boolean"},"model":{"type":"string_t","description":"The model name of an entity. See specific usage.","caption":"Model","type_name":"String"},"is_encrypted":{"type":"boolean_t","description":"Indicates if the entity was encrypted. See specific usage.","caption":"Encrypted","type_name":"Boolean"},"share_type":{"type":"string_t","description":"The share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Share Type","type_name":"String"},"service_privilege_analysis":{"type":"object_t","description":"Privilege analysis results for a single cloud service or resource namespace.","object_type":"service_privilege_analysis","caption":"Service Privilege Analysis","object_name":"Service Privilege Analysis"},"reporter":{"type":"object_t","description":"The entity from which an event or finding was first reported. See specific usage.","object_type":"reporter","caption":"Reporter","object_name":"Reporter"},"classifier_details":{"type":"object_t","description":"Describes details about the classifier used for data classification.","object_type":"classifier_details","caption":"Classifier Details","object_name":"Classifier Details"},"action_id":{"type":"integer_t","enum":{"0":{"description":"The action was unknown.","caption":"Unknown"},"1":{"description":"The activity was allowed.","caption":"Allowed"},"2":{"description":"The attempted activity was denied.","caption":"Denied"},"99":{"description":"The action was not mapped. See the action attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized action taken by a control or other policy-based system leading to an outcome or disposition.","caption":"Action ID","sibling":"action","type_name":"Integer"},"opnum":{"type":"integer_t","description":"An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.","caption":"Opnum","type_name":"Integer"},"mac_vendor":{"type":"string_t","description":"The vendor or manufacturer of the network interface controller (NIC) identified from the MAC address. For example: Apple, Inc., Intel Corporate.","references":[{"description":"IEEE Registration Authority","url":"https://standards.ieee.org/products-programs/regauth/"}],"caption":"MAC Vendor","type_name":"String"},"integrity_id":{"type":"integer_t","enum":{"3":{"caption":"Medium"},"6":{"caption":"Protected"},"0":{"description":"The integrity level is unknown.","caption":"Unknown"},"1":{"caption":"Untrusted"},"2":{"caption":"Low"},"99":{"description":"The integrity level is not mapped. See the integrity attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"High"},"5":{"caption":"System"}},"description":"The normalized identifier of the process integrity level (Windows only).","caption":"Integrity Level","sibling":"integrity","type_name":"Integer"},"internal_name":{"type":"string_t","description":"The name by which a resource identifies itself internally. See specific usage.","caption":"Internal Name","type_name":"String"},"name":{"type":"string_t","description":"The name of the entity. See specific usage.","caption":"Name","type_name":"String"},"is_on_premises":{"type":"boolean_t","description":"Indicates whether the location is on-premises.","caption":"On-Premises","type_name":"Boolean"},"access_type":{"type":"string_t","description":"The type or category of access being granted to the identity. See specific usage.","caption":"Access Type","type_name":"String"},"event_uid":{"type":"string_t","description":"The unique identifier of an event. See specific usage.","caption":"Event UID","type_name":"String"},"class":{"type":"string_t","description":"The class name of the object. See specific usage.","caption":"Class","type_name":"String"},"intrusion_sets":{"type":"string_t","description":"A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.","is_array":true,"caption":"Intrusion Sets","type_name":"String"},"geohash":{"type":"string_t","description":"Geohash of the geo-coordinates (latitude and longitude).
Geohashing is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.","caption":"Geohash","type_name":"String"},"mac":{"type":"mac_t","description":"The Media Access Control (MAC) address that is associated with the network interface.","caption":"MAC Address","type_name":"MAC Address"},"privilege_info_list":{"type":"object_t","description":"A list of privilege information objects, where each element describes a specific privilege, action, or permission with its usage status.","is_array":true,"object_type":"privilege_info","caption":"Privilege Info List","object_name":"Privilege Info"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See theconfidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"provider":{"type":"string_t","description":"The origin of information associated with the event. See specific usage.","caption":"Provider","type_name":"String"},"authentication_token":{"type":"object_t","description":"The authentication token, ticket, or assertion. See specific usage.","object_type":"authentication_token","caption":"Authentication Token","object_name":"Authentication Token"},"instance_uid":{"type":"string_t","description":"The unique identifier of a VM instance.","caption":"Instance ID","type_name":"String"},"metadata_endpoint":{"type":"url_t","description":"URL where metadata about a configuration or resource is available (e.g., for SAML configurations). See specific usage.","caption":"Metadata Endpoint","type_name":"URL String"},"parent_uid":{"type":"string_t","description":"The unique identifier of an object's parent object. See specific usage.","caption":"Parent Unique ID","type_name":"String"},"message_trace_uid":{"type":"string_t","description":"The identifier that tracks a message that travels through multiple points of a messaging service.","references":[{"description":"For example Office 365 Message Trace Report.","url":"https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)"}],"caption":"Message Trace UID","type_name":"String"},"nodes":{"type":"object_t","description":"The list of node objects that are part of the graph.","is_array":true,"object_type":"node","caption":"Nodes","object_name":"Node"},"num_resolutions":{"type":"integer_t","description":"The number of items that were resolved.","caption":"Resolutions","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period. See specific usage.","caption":"Start Time","type_name":"Timestamp"},"is_secure":{"type":"boolean_t","description":"The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.","caption":"Secure","type_name":"Boolean"},"is_new_logon":{"type":"boolean_t","description":"Indicates logon is from a device not seen before or a first time account logon.","caption":"New Logon","type_name":"Boolean"},"additional_restrictions":{"type":"object_t","description":"The supplementary restrictions that may apply to an entity, by the virtue of a policy. See specific usage.","is_array":true,"object_type":"additional_restriction","caption":"Additional Restrictions","object_name":"Additional Restriction"},"algorithm_id":{"type":"integer_t","enum":{"0":{"description":"The algorithm is unknown.","caption":"Unknown"},"99":{"description":"The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the algorithm. See specific usage.","caption":"Algorithm ID","sibling":"algorithm","type_name":"Integer"},"observation_parameter":{"type":"string_t","description":"The name of the parameter being analyzed or monitored. This generally identifies the specific characteristic or property being measured. See specific usage.","caption":"Observation Parameter","type_name":"String"},"direction":{"type":"string_t","description":"The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.","caption":"Direction","type_name":"String"},"token":{"type":"object_t","description":"The Token object is the base object for representing tokens, API keys, and authentication credentials. This object provides common attributes for all token types and can be used directly in API activity events to represent API tokens (type_id: 7) or client tokens (type_id: 6) such as Okta API tokens or Microsoft Entra ID Application Registration client secrets. The base token object is also extended by authentication_token for protocol-specific authentication tokens in authentication events. Note: Use authentication_token (which extends token) for protocol-specific authentication tokens (Kerberos, OIDC, SAML) in authentication events, and programmatic_credential for tracking credential lifecycle and usage patterns.","object_type":"token","caption":"Token","object_name":"Token"},"subnet_uid":{"type":"string_t","description":"The unique identifier of a virtual subnet.","caption":"Subnet UID","type_name":"String"},"access_level":{"type":"string_t","description":"The access level of an entity. See specific usage.","caption":"Access Level","type_name":"String"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"auth_protocol_id":{"type":"integer_t","enum":{"3":{"caption":"Digest"},"6":{"caption":"OAUTH 2.0"},"0":{"description":"The authentication protocol is unknown.","caption":"Unknown"},"1":{"caption":"NTLM"},"2":{"caption":"Kerberos"},"99":{"description":"The authentication protocol is not mapped. See the auth_protocol attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"OpenID"},"5":{"caption":"SAML"},"7":{"caption":"PAP"},"8":{"caption":"CHAP"},"9":{"caption":"EAP"},"10":{"caption":"RADIUS"},"11":{"caption":"Basic Authentication"},"12":{"caption":"LDAP"}},"description":"The normalized identifier of the authentication protocol used to create the user session.","caption":"Auth Protocol ID","sibling":"auth_protocol","type_name":"Integer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"url":{"type":"object_t","description":"The URL object that pertains to the event or object. See specific usage.","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"desktop_display":{"type":"object_t","description":"The desktop display affiliated with the event","object_type":"display","caption":"Desktop Display","object_name":"Display"},"cis_csc":{"type":"object_t","description":"The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.","is_array":true,"object_type":"cis_csc","caption":"CIS CSC","@deprecated":{"message":"Use CIS Controls for standard benchmark controls.","since":"1.5.0"},"object_name":"CIS CSC"},"deleted_time":{"type":"timestamp_t","description":"The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.","caption":"Deleted Time","type_name":"Timestamp"},"decision":{"type":"string_t","description":"Decision/outcome of the authorization mechanism (e.g. Approved, Denied)","caption":"Authorization Decision/Outcome","type_name":"String"},"last_authentication_time":{"type":"timestamp_t","description":"The timestamp when this identity last successfully authenticated to any system or service. See specific usage.","caption":"Last Authentication Time","type_name":"Timestamp"},"architecture":{"type":"string_t","description":"Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.","caption":"Architecture","type_name":"String"},"win/win_resource":{"type":"object_t","description":"The Windows resource object that was accessed, such as a mutant or timer.","extension":"win","extension_id":2,"object_type":"win/win_resource","caption":"Windows Resource","object_name":"Windows Resource"},"service":{"type":"object_t","description":"The service that pertains to the event.","object_type":"service","caption":"Service","object_name":"Service"},"resource_type":{"type":"string_t","description":"The resource type as defined by the event source.","caption":"Resource Type","type_name":"String"},"permission_analysis_results":{"type":"object_t","description":"Describes analysis results of permissions, policies directly associated with an identity (user, role, or service account). This evaluates what permissions an identity has been granted through attached policies, which privileges are actively used versus unused, and identifies potential over-privileged access. Use this for identity-centric security assessments such as privilege audits, dormant permission discovery, and least-privilege compliance analysis.","is_array":true,"object_type":"permission_analysis_result","caption":"Permission Analysis Results","object_name":"Permission Analysis Result"},"response":{"type":"object_t","description":"General Purpose API Response Object. See specific usage.","object_type":"response","caption":"API Response Details","object_name":"Response Elements"},"evidence":{"type":"json_t","description":"The data the finding exposes to the analyst.","caption":"Evidence","type_name":"JSON","@deprecated":{"message":"Use the evidences attribute instead.","since":"1.1.0"}},"is_mfa":{"type":"boolean_t","description":"Indicates whether Multi Factor Authentication was used during authentication.","caption":"Multi Factor Authentication","type_name":"Boolean"},"uploaded_time_dt":{"type":"datetime_t","description":"The timestamp at which an entity was uploaded. See specific usage.","caption":"Uploaded Time","type_name":"Datetime"},"is_trusted":{"type":"boolean_t","description":"The event occurred on a trusted device.","caption":"Trusted Device","type_name":"Boolean"},"base_score":{"type":"float_t","description":"The base score as reported by the event source. See specific usage.","caption":"Base Score","type_name":"Float"},"assessment":{"type":"object_t","description":"The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera.","object_type":"assessment","caption":"Assessment","object_name":"Assessment"},"resource":{"type":"object_t","description":"The target resource.","object_type":"resource_details","caption":"Resource","object_name":"Resource Details"},"client_dialects":{"type":"string_t","description":"The list of SMB dialects that the client speaks.","is_array":true,"caption":"Client Dialects","type_name":"String"},"database":{"type":"object_t","description":"The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.","object_type":"database","caption":"Database","object_name":"Database"},"tid":{"type":"integer_t","description":"The identifier of the thread associated with the event, as returned by the operating system.","caption":"Thread ID","type_name":"Integer","@deprecated":{"message":"tid is deprecated in favor of ptid. ptid has type long_t which can accommodate the thread identifiers returned by all platforms (e.g. 64-bit on MacOS).","since":"1.6.0"}},"command_responses":{"type":"string_t","description":"The responses to the command.","is_array":true,"caption":"Command Responses","type_name":"String"},"unmanned_system_operator":{"type":"object_t","description":"The human or machine operator of an Unmanned System.","object_type":"user","caption":"Unmanned Systems Operator","object_name":"User"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"The normalized observation point value. See specific usage.","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","object_type":"device","caption":"Device","object_name":"Device"},"references":{"type":"string_t","description":"A list of reference URLs supporting the finding/detection.","is_array":true,"caption":"References","type_name":"String"},"fix_coverage":{"type":"string_t","description":"The fix coverage, normalized to the caption of the fix_coverage_id value. See specific usage.","caption":"Fix Coverage","type_name":"String"},"is_exploit_available":{"type":"boolean_t","description":"Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.","caption":"Exploit Availability","type_name":"Boolean"},"run_state_id":{"type":"integer_t","enum":{"0":{"description":"The run state is unknown.","caption":"Unknown"},"99":{"description":"The run state is not mapped. See the run_state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the state of the job or service. See specific usage.","caption":"Run State ID","sibling":"run_state","type_name":"Integer"},"accessed_time":{"type":"timestamp_t","description":"The time when the file was last accessed.","caption":"Accessed Time","type_name":"Timestamp"},"unique_malware_count":{"type":"integer_t","description":"The number of unique malware detected during a scan. See specific usage.","caption":"Unique Malware Count","type_name":"Integer"},"is_group_provisioning_enabled":{"type":"boolean_t","description":"Indicates whether group provisioning is automated (e.g., for a SCIM resource). See specific usage.","caption":"Group Provisioning Enabled","type_name":"Boolean"},"install_state_id":{"type":"integer_t","enum":{"3":{"description":"The item is installed pending reboot operation.","caption":"Installed Pending Reboot"},"0":{"description":"The normalized install state is unknown.","caption":"Unknown"},"1":{"description":"The item is installed.","caption":"Installed"},"2":{"description":"The item is not installed.","caption":"Not Installed"},"99":{"description":"The install state is not mapped. See the install_state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized state of the install.","caption":"Install State ID","sibling":"install_state","type_name":"Integer"},"answers":{"type":"object_t","description":"The Domain Name System (DNS) answers.","is_array":true,"object_type":"dns_answer","caption":"DNS Answer","object_name":"DNS Answer"},"d3f_technique":{"type":"object_t","description":"The D3FEND Technique object describes the defensive technique ID and/or name associated with a countermeasure.","references":[{"description":"D3FEND™ Matrix","url":"https://d3fend.mitre.org"}],"object_type":"d3f_technique","caption":"MITRE D3FEND™ Technique","object_name":"MITRE D3FEND™ Technique"},"algorithm":{"type":"string_t","description":"The applicable algorithm, normalized to the caption of 'algorithm_id'. See specific usage.","caption":"Algorithm","type_name":"String"},"analysis_targets":{"type":"object_t","description":"The specific dimensions, components, or aspects of the system that are the targets of the analysis. See specific usage.","is_array":true,"object_type":"analysis_target","caption":"Analysis Targets","object_name":"Analysis Target"},"dnssec_status_id":{"type":"integer_t","enum":{"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"The related domain enables the signing of DNS records using DNSSEC.","caption":"Signed"},"2":{"description":"The related domain does not enable the signing of DNS records using DNSSEC.","caption":"Unsigned"},"99":{"description":"The DNSSEC status is not mapped. See the dnssec_status attribute, which contains a data source specific value.","caption":"Other"}},"description":"Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.","caption":"DNSSEC Status ID","sibling":"dnssec_status","type_name":"Integer"},"os_machine_uuid":{"type":"uuid_t","description":"The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid. In Linux, this is stored in the file: /etc/machine-id.","caption":"OS Machine UUID","type_name":"UUID"},"create_mask":{"type":"string_t","description":"The original Windows mask that is required to create the object.","caption":"Create Mask","type_name":"String"},"privileges":{"type":"string_t","description":"The user or group privileges.","is_array":true,"caption":"Privileges","type_name":"String"},"account_switch_type_id":{"type":"integer_t","enum":{"0":{"description":"The account switch type is unknown.","caption":"Unknown"},"1":{"description":"A utility like sudo, su, or equivalent was used to perform actions in the context of another user.","references":[{"description":"sudo documentation","url":"https://www.sudo.ws/"},{"description":"su Linux manual page","url":"https://man7.org/linux/man-pages/man1/su.1.html"},{"description":"su macOS manual page","url":"https://www.unix.com/man_page/osx/1/su/"}],"caption":"Substitute User"},"2":{"description":"An API like ImpersonateLoggedOnUser() or equivalent was used to perform actions in the context of another user.","references":[{"description":"Microsoft ImpersonateLoggedOnUser() documentation","url":"https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser"}],"caption":"Impersonate"},"99":{"description":"The account switch type is not mapped. See the account_switch_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the account switch method.","caption":"Account Switch Type ID","sibling":"account_switch_type","type_name":"Integer"},"duration_secs":{"type":"integer_t","description":"Represents the duration of the activity in seconds. See specific usage.","caption":"Duration Seconds","type_name":"Integer"},"log_type_id":{"type":"integer_t","enum":{"0":{"description":"The log type is unknown.","caption":"Unknown"},"1":{"description":"The log type is an Operating System log.","caption":"OS"},"2":{"description":"The log type is an Application log.","caption":"Application"},"99":{"description":"The log type is not mapped. See the log_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized log type identifier.","caption":"Log Type ID","sibling":"log_type","type_name":"Integer"},"unused_services_count":{"type":"integer_t","description":"The number of unused services. See specific usage.","caption":"Unused Services Count","type_name":"Integer"},"extension_list":{"type":"object_t","description":"The list of TLS extensions.","is_array":true,"object_type":"tls_extension","caption":"Extension List","@deprecated":{"message":"Use the tls_extension_list attribute instead.","since":"1.1.0"},"object_name":"TLS Extension"},"uuid":{"type":"uuid_t","description":"The universally unique identifier. See specific usage.","caption":"UUID","type_name":"UUID"},"load_type_id":{"type":"integer_t","enum":{"0":{"description":"The load type is unknown.","caption":"Unknown"},"99":{"description":"The load type is not mapped. See the load_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the load type. See specific usage.","caption":"Load Type ID","sibling":"load_type","type_name":"Integer"},"desc":{"type":"string_t","description":"The description that pertains to the object or event. See specific usage.","caption":"Description","type_name":"String"},"src_url":{"type":"url_t","description":"The URL pointing towards the source of an entity. See specific usage.","caption":"Source URL","type_name":"URL String"},"cve":{"type":"object_t","description":"The Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerability.","object_type":"cve","caption":"CVE","object_name":"CVE"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","is_array":true,"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"customer_uid":{"type":"string_t","description":"The unique customer identifier.","caption":"Customer UID","type_name":"String","@deprecated":{"message":"Use the tenant_uid attribute instead.","since":"1.1.0"}},"color_depth":{"type":"integer_t","description":"The numeric color depth.","caption":"Color Depth","type_name":"Integer"},"orchestrator":{"type":"string_t","description":"The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.","caption":"Orchestrator","type_name":"String"},"sequence":{"type":"integer_t","description":"Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.","caption":"Sequence Number","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time when the object was created. See specific usage.","caption":"Created Time","type_name":"Timestamp"},"vlan_uid":{"type":"string_t","description":"The Virtual LAN identifier.","caption":"VLAN","type_name":"String"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"hire_time":{"type":"timestamp_t","description":"The timestamp when the user was or will be hired by the organization.","caption":"Hire Time","type_name":"Timestamp"},"subject":{"type":"string_t","description":"The identifier of the subject. See specific usage.","caption":"Subject Details","type_name":"String"},"short_desc":{"type":"string_t","description":"The short description that pertains to the object or event. See specific usage.","caption":"Short Description","type_name":"String"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","object_type":"actor","caption":"Actor","object_name":"Actor"},"cis_benchmark_result":{"type":"object_t","description":"The CIS Benchmark Result object captures results generated from benchmark evaluations as defined by the Center for Internet Security (CIS).","object_type":"cis_benchmark_result","caption":"CIS Benchmark Result","@deprecated":{"message":"Use Compliance object with Check object instead.","since":"1.5.0"},"object_name":"CIS Benchmark Result"},"delivered_to":{"type":"email_t","description":"The machine-readable Delivered-To email header field. For example example.user@usersdomain.com","caption":"Delivered To","type_name":"Email Address","@deprecated":{"message":"Use the delivered_to_list attribute instead.","since":"1.4.0"}},"web_resources_result":{"type":"object_t","description":"The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.","is_array":true,"object_type":"web_resource","caption":"Web Resources Result","object_name":"Web Resource"},"match_details":{"type":"string_t","description":"The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.","is_array":true,"caption":"Match Details","type_name":"String"},"opcode_id":{"type":"integer_t","enum":{"3":{"description":"Reserved, not used","caption":"Reserved"},"6":{"description":"DNS Stateful Operations (DSO)","caption":"DSO Message"},"0":{"description":"Standard query","caption":"Query"},"1":{"description":"Inverse query, obsolete","caption":"Inverse Query"},"2":{"description":"Server status request","caption":"Status"},"99":{"description":"The DNS Opcode is not defined by the RFC. See the opcode attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Zone change notification","caption":"Notify"},"5":{"description":"Dynamic DNS update","caption":"Update"}},"description":"The DNS opcode ID specifies the normalized query message type as defined in RFC-5395.","caption":"DNS Opcode ID","type_name":"Integer","suppress_checks":["enum_convention"]},"credential_uid":{"type":"string_t","description":"The unique identifier of the user's credential. For example, AWS Access Key ID.","caption":"User Credential ID","type_name":"String","observable":19},"open_mask":{"type":"integer_t","description":"The Windows options needed to open a registry key.","caption":"Open Mask","type_name":"Integer"},"logon_process":{"type":"object_t","description":"The trusted process that validated the authentication credentials.","object_type":"process","caption":"Logon Process","object_name":"Process"},"attempt":{"type":"integer_t","description":"The delivery attempt.","caption":"Attempt","type_name":"Integer"},"start_address":{"type":"string_t","description":"The start address of the execution.","caption":"Start Address","type_name":"String"},"rcode":{"type":"string_t","description":"The server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.","caption":"Response Code","type_name":"String"},"ttl":{"type":"integer_t","description":"The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.","caption":"TTL","type_name":"Integer"},"domain_contact":{"type":"object_t","description":"The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.","object_type":"domain_contact","caption":"Domain Contact","object_name":"Domain Contact"},"details":{"type":"string_t","description":"Details of an entity. See specific usage","caption":"Details","type_name":"String"},"logged_time":{"type":"timestamp_t","description":"The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.","caption":"Logged Time","type_name":"Timestamp"},"tcp_state_id":{"type":"integer_t","enum":{"3":{"description":"The socket has passively received a connection request from a remote peer.","caption":"SYN-RECEIVED"},"6":{"description":"The socket connection has been closed by the local application, the remote peer has closed its half of the connection, and the system is waiting to be sure that the remote peer received the last acknowledgement.","caption":"TIME-WAIT"},"0":{"description":"The socket state is unknown.","caption":"Unknown"},"1":{"description":"The socket has an established connection between a local application and a remote peer.","caption":"ESTABLISHED"},"2":{"description":"The socket is actively trying to establish a connection to a remote peer.","caption":"SYN-SENT"},"4":{"description":"The socket connection has been closed by the local application, the remote peer has not yet acknowledged the close, and the system is waiting for it to close its half of the connection.","caption":"FIN-WAIT-1"},"5":{"description":"The socket connection has been closed by the local application, the remote peer has acknowledged the close, and the system is waiting for it to close its half of the connection.","caption":"FIN-WAIT-2"},"7":{"description":"The socket is not in use.","caption":"CLOSED"},"8":{"description":"The socket connection has been closed by the remote peer, and the system is waiting for the local application to close its half of the connection.","caption":"CLOSE-WAIT"},"9":{"description":"The socket connection has been closed by the remote peer, the local application has closed its half of the connection, and the system is waiting for the remote peer to acknowledge the close.","caption":"LAST-ACK"},"10":{"description":"The socket is listening for incoming connections.","caption":"LISTEN"},"11":{"description":"The socket connection has been closed by the local application and the remote peer simultaneously, and the remote peer has not yet acknowledged the close attempt of the local application.","caption":"CLOSING"}},"description":"The state of the TCP socket for the network connection.","references":[{"description":"RFC 9293","url":"https://datatracker.ietf.org/doc/html/rfc9293"}],"caption":"TCP State ID","type_name":"Integer"},"duration_days":{"type":"integer_t","description":"Represents the duration of the activity in days. See specific usage.","caption":"Duration Days","type_name":"Integer"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication. Examples include network taps, span ports, inline security devices, or packet capture systems.","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"physical_orientation":{"type":"integer_t","description":"The numeric physical orientation of display.","caption":"Physical Orientation","type_name":"Integer"},"is_cleartext":{"type":"boolean_t","description":"Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.
","caption":"Cleartext Credentials","type_name":"Boolean"},"stratum_id":{"type":"integer_t","enum":{"0":{"description":"Unspecified or invalid.","caption":"Unknown"},"1":{"description":"The highest precision primary server (e.g atomic clock or GPS).","caption":"Primary Server"},"2":{"description":"A secondary level server (possible values: 2-15).","caption":"Secondary Server"},"99":{"description":"The stratum level is not mapped. See thestratum attribute, which contains a data source specific value.","caption":"Other"},"16":{"caption":"Unsynchronized"},"17":{"description":"Reserved stratum (possible values: 17-255).","caption":"Reserved"}},"description":"The normalized identifier of the stratum level, as defined in RFC-5905.","caption":"Stratum ID","sibling":"stratum","type_name":"Integer"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","caption":"Disposition","type_name":"String"},"svc_name":{"type":"string_t","description":"The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.","caption":"Service Name","type_name":"String"},"query":{"type":"object_t","description":"The Domain Name System (DNS) query.","object_type":"dns_query","caption":"DNS Query","object_name":"DNS Query"},"tcp_flags":{"type":"integer_t","description":"The network connection TCP header flags (i.e., control bits).","caption":"TCP Flags","type_name":"Integer"},"issuer":{"type":"string_t","description":"The identifier of the issuer. See specific usage.","caption":"Issuer Details","type_name":"String"},"win/prev_reg_value":{"type":"object_t","description":"The registry value before the mutation","extension":"win","extension_id":2,"object_type":"win/reg_value","caption":"Previous Registry Value","object_name":"Registry Value"},"confidentiality_id":{"type":"integer_t","enum":{"3":{"caption":"Secret"},"6":{"caption":"Restricted"},"0":{"description":"The confidentiality is unknown.","caption":"Unknown"},"1":{"caption":"Not Confidential"},"2":{"caption":"Confidential"},"99":{"description":"The confidentiality is not mapped. See the confidentiality attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Top Secret"},"5":{"caption":"Private"}},"description":"The normalized identifier of the file content confidentiality indicator.","caption":"Confidentiality ID","sibling":"confidentiality","type_name":"Integer"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"related_cwes":{"type":"object_t","description":"Describes Common Weakness Enumeration (CWE) entries that are related to an entity. See specific usage.","is_array":true,"object_type":"cwe","caption":"Related CWEs","object_name":"CWE"},"hostname":{"type":"hostname_t","description":"The hostname of an endpoint or a device.","caption":"Hostname","type_name":"Hostname"},"boundary":{"type":"string_t","description":"The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
","caption":"Boundary","type_name":"String"},"lang":{"type":"string_t","description":"The two letter lower case language codes, as defined by ISO 639-1. For example:en (English), de (German), or fr (French).","caption":"Language","type_name":"String"},"type_uid":{"type":"long_t","description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","caption":"Type ID","sibling":"type_name","type_name":"Long"},"meets_criteria":{"type":"boolean_t","description":"Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.","caption":"Meets Criteria","type_name":"Boolean"},"length":{"type":"integer_t","description":"The HTTP response length, in number of bytes.","caption":"Response Length","type_name":"Integer"},"deleted_time_dt":{"type":"datetime_t","description":"The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.","caption":"Deleted Time","type_name":"Datetime"},"registrar":{"type":"string_t","description":"The domain registrar.","caption":"Domain Registrar","type_name":"String"},"original_event_uid":{"type":"string_t","description":"The unique identifier assigned to the event in its original logging system before transformation to OCSF format. This field preserves the source system's native event identifier, enabling traceability back to the raw log entry. For example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value, or a database transaction log sequence number.","caption":"Original Event ID","type_name":"String"},"win/win_service":{"type":"object_t","description":"The Windows service.","extension":"win","extension_id":2,"object_type":"win/win_service","caption":"Windows Service","object_name":"Windows Service"},"access_mask":{"type":"integer_t","description":"The access mask in a platform-native format.","caption":"Access Mask","type_name":"Integer"},"http_status":{"type":"integer_t","description":"The Hypertext Transfer Protocol (HTTP) status code returned to the client.","caption":"HTTP Status","type_name":"Integer","@deprecated":{"message":"Use the http_response.code attribute instead.","since":"1.1.0"}},"transmit_time_dt":{"type":"datetime_t","description":"The event transmission time from one device to another. See specific usage.","caption":"Transmission Time","type_name":"Datetime"},"is_applied":{"type":"boolean_t","description":"A determination if a policy, rule, or enforcement action was applied.","caption":"Applied","type_name":"Boolean"},"relay":{"type":"object_t","description":"The network relay that is associated with the event.","object_type":"network_interface","caption":"Relay","object_name":"Network Interface"},"access_analysis_result":{"type":"object_t","description":"Describes access relationships and pathways between identities, resources, focusing on who can access what and through which mechanisms. This evaluates access levels (read/write/admin), access types (direct, cross-account, public, federated), and the conditions under which access is granted. Use this for resource-centric security assessments such as external access discovery, public exposure analysis, etc.","object_type":"access_analysis_result","caption":"Access Analysis Result","object_name":"Access Analysis Result"},"cloud_partition":{"type":"string_t","description":"The logical grouping or isolated segment within a cloud provider's infrastructure. See specific usage.","caption":"Cloud Partition","type_name":"String"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"ja3_hash":{"type":"object_t","description":"The MD5 hash of a JA3 string.","object_type":"fingerprint","caption":"JA3 Hash","object_name":"Fingerprint"},"entity":{"type":"object_t","description":"The managed entity that is being acted upon.","object_type":"managed_entity","caption":"Entity","object_name":"Managed Entity"},"locations":{"type":"object_t","description":"A list of detailed geographical locations.","is_array":true,"object_type":"location","caption":"Geo Locations","object_name":"Geo Location"},"is_locked":{"type":"boolean_t","description":"Indicates if the entity is locked. See specific usage.","caption":"Locked","type_name":"Boolean"},"injection_type":{"type":"string_t","description":"The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Injection Type","type_name":"String"},"standards":{"type":"string_t","description":"Compliance standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001","is_array":true,"caption":"Compliance Standards: List","type_name":"String"},"email_addrs":{"type":"email_t","description":"A list of additional email addresses for the user.","is_array":true,"caption":"Email Addresses","type_name":"Email Address"},"data_sources":{"type":"string_t","description":"A list of data sources utilized in generation of the finding.","is_array":true,"caption":"Data Sources","type_name":"String"},"trace":{"type":"object_t","description":"The information about the trace. See specific usage.","object_type":"trace","caption":"Trace","object_name":"Trace"},"campaign":{"type":"object_t","description":"The campaign object describes details about the campaign that was the source of the activity.","object_type":"campaign","caption":"Campaign","object_name":"Campaign"},"types":{"type":"string_t","description":"The type/s of an entity. See specific usage.","is_array":true,"caption":"Types","type_name":"String"},"sender_mailbox":{"type":"string_t","description":"The human readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the from_mailbox field, which shows the message author. The sender mailbox field is most commonly used when multiple addresses appear in the from_mailboxes field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"Sender Mailbox","type_name":"String"},"meid":{"type":"string_t","description":"The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.","caption":"MEID","type_name":"String"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","is_array":true,"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"reply_to_mailboxes":{"type":"string_t","description":"The human-readable email header Reply To Mailbox values. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"caption":"Reply To Mailboxes","type_name":"String"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","caption":"Risk Score","type_name":"Integer"},"capabilities":{"type":"string_t","description":"A list of RDP capabilities.","is_array":true,"caption":"Capabilities","type_name":"String"},"finding":{"type":"object_t","description":"The Finding object provides details about a finding/detection generated by a security tool.","object_type":"finding","caption":"Finding","object_name":"Finding"},"codes":{"type":"integer_t","description":"The list of numeric responses sent to a request.","is_array":true,"caption":"Response Codes","type_name":"Integer"},"job":{"type":"object_t","description":"The job object that pertains to the event.","object_type":"job","caption":"Job","object_name":"Job"},"command_uid":{"type":"string_t","description":"The unique command identifier.","caption":"Command UID","type_name":"String"},"is_personal":{"type":"boolean_t","description":"The event occurred on a personal device.","caption":"Personal Device","type_name":"Boolean"},"criticality":{"type":"string_t","description":"Criticality of a resource/object in question","caption":"Criticality","type_name":"String"},"num_skipped_items":{"type":"integer_t","description":"The number of skipped items.","caption":"Skipped","type_name":"Integer"},"first_seen_time":{"type":"timestamp_t","description":"The initial detection time of the activity or object. See specific usage","caption":"First Seen","type_name":"Timestamp"},"action":{"type":"string_t","description":"The normalized caption of 'action_id' or the source specific action.","caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"sandbox":{"type":"string_t","description":"The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.","caption":"Sandbox","type_name":"String"},"role":{"type":"string_t","description":"The role of an entity in the context of the event or finding, normalized to the caption of the role_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"Role","type_name":"String"},"execute_count":{"type":"integer_t","description":"The execute count. See specific usage.","caption":"Execute Count","type_name":"Integer"},"dkim":{"type":"string_t","description":"The DomainKeys Identified Mail (DKIM) status of the email.","caption":"DKIM Status","type_name":"String"},"run_state":{"type":"string_t","description":"The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"Run State","type_name":"String"},"lineage":{"type":"file_path_t","description":"The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].","is_array":true,"caption":"Lineage","type_name":"File Path"},"referrer":{"type":"string_t","description":"The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.","caption":"HTTP Referrer","type_name":"String"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","is_array":true,"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"tactic":{"type":"object_t","description":"The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"object_type":"tactic","caption":"MITRE Tactic","object_name":"MITRE Tactic"},"parent_process":{"type":"object_t","description":"The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.","references":[{"description":"Guidance on Representing Process Parentage","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md"}],"object_type":"process","caption":"Parent Process","object_name":"Process"},"cis_controls":{"type":"object_t","description":"The CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.","is_array":true,"object_type":"cis_control","caption":"CIS Controls","object_name":"CIS Control"},"schedule_uid":{"type":"string_t","description":"The unique identifier of the schedule associated with a scan job.","caption":"Schedule UID","type_name":"String"},"city":{"type":"string_t","description":"The name of the city.","caption":"City","type_name":"String"},"profiles":{"type":"string_t","description":"The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.","is_array":true,"caption":"Profiles","type_name":"String"},"boot_uid":{"type":"string_t","description":"A unique identifier of the device that changes after every reboot. For example, the value of /proc/sys/kernel/random/boot_id from Linux's procfs.","references":[{"description":"Linux kernel's documentation","url":"https://docs.kernel.org/admin-guide/sysctl/kernel.html#random"}],"caption":"Boot UID","type_name":"String"},"num_folders":{"type":"integer_t","description":"The number of folders scanned.","caption":"Scanned Folders","type_name":"Integer"},"long":{"type":"float_t","description":"The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083.","caption":"Longitude","type_name":"Float"},"num_processes":{"type":"integer_t","description":"The number of processes scanned.","caption":"Scanned Processes","type_name":"Integer"},"identifier_cookie":{"type":"string_t","description":"The client identifier cookie during client/server exchange.","caption":"Identifier Cookie","type_name":"String"},"cpu_cores":{"type":"integer_t","description":"The number of processor cores in all installed processors. For Example: 42.","caption":"CPU Cores","type_name":"Integer"},"keyboard_info":{"type":"object_t","description":"The keyboard detailed information.","object_type":"keyboard_info","caption":"Keyboard Information","object_name":"Keyboard Information"},"created_time_dt":{"type":"datetime_t","description":"The time when the object was created. See specific usage.","caption":"Created Time","type_name":"Datetime"},"autonomous_system":{"type":"object_t","description":"The Autonomous System details associated with an IP address.","object_type":"autonomous_system","caption":"Autonomous System","object_name":"Autonomous System"},"vendor_id_list":{"type":"string_t","description":"The list of vendor IDs. See specific usage.","is_array":true,"caption":"Vendor ID List","type_name":"String"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","is_array":true,"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"completion_tokens":{"type":"integer_t","description":"Number of tokens in the model's response/completion for this message.","caption":"Completion Tokens","type_name":"Integer"},"fixed_in_version":{"type":"string_t","description":"The software package version in which a reported vulnerability was patched/fixed.","caption":"Fixed In Version","type_name":"String"},"transformation_info_list":{"type":"object_t","description":"An array of transformation info that describes the mappings or transforms applied to the data.","is_array":true,"object_type":"transformation_info","caption":"Transformation Info","object_name":"Transformation Info"},"is_vpn":{"type":"boolean_t","description":"The indication of whether the session is a VPN session.","caption":"VPN Session","type_name":"Boolean"},"version":{"type":"string_t","description":"The version that pertains to the event or object. See specific usage.","caption":"Version","type_name":"String"},"to_mailboxes":{"type":"string_t","description":"The human-readable email header To Mailbox values. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"caption":"To Mailboxes","type_name":"String"},"is_default":{"type":"boolean_t","description":"The indication of whether the value is from a default value name. For example, the value name could be missing.","caption":"Default Value","type_name":"Boolean"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","caption":"Confidence Score","type_name":"Integer"},"applications":{"type":"object_t","description":"A list of application objects. See specific usage.","is_array":true,"object_type":"application","caption":"Applications","object_name":"Application"},"unmanned_aerial_system":{"type":"object_t","description":"The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.","object_type":"unmanned_aerial_system","caption":"Unmanned Aerial System","object_name":"Unmanned Aerial System"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period. See specific usage.","caption":"End Time","type_name":"Datetime"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs attached to an entity. A Tag may be used to categorize, filter, and search for entities. For e.g. \"Environment\": \"Production\", \"Owner\": \"007\". See specific usage.","is_array":true,"object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"is_truncated":{"type":"boolean_t","description":"Indicates that an attribute has been truncated. See specific usage.","caption":"Is Truncated","type_name":"Boolean"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","is_array":true,"object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"graph":{"type":"object_t","description":"A graph data structure representation with nodes and edges.","object_type":"graph","caption":"Graph","object_name":"Graph"},"num_violations":{"type":"integer_t","description":"The number of times the policy or rule was violated.","caption":"Violations","type_name":"Integer"},"chunks_in":{"type":"long_t","description":"A unit of information within an SCTP packet, consisting of a chunk header and chunk-specific content. See RFC 4960. This field can be used for the chunks sent from the destination to the source.","caption":"Chunks In","type_name":"Long"},"technique":{"type":"object_t","description":"The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"object_type":"technique","caption":"MITRE Technique","object_name":"MITRE Technique"},"return_path":{"type":"email_t","description":"The address found in the 'Return-Path' header, which indicates where bounce messages (non-delivery reports) should be sent. This address is often set by the sending system and may differ from the 'From' or 'Sender' addresses. For example, mailer-daemon@senderserver.com.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"},{"description":"RFC 5321 - Simple Mail Transfer Protocol","url":"https://datatracker.ietf.org/doc/html/rfc5321#section-4.4"}],"caption":"Return Path","type_name":"Email Address"},"accessed_time_dt":{"type":"datetime_t","description":"The time when the file was last accessed.","caption":"Accessed Time","type_name":"Datetime"},"win/service_start_type":{"type":"string_t","description":"The service start type, normalized to the caption of the service_start_type_id value. In the case of 'Other', it is defined by the event source.","extension":"win","extension_id":2,"caption":"Service Start Type","type_name":"String"},"agent":{"type":"object_t","description":"An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.","object_type":"agent","caption":"Agent","object_name":"Agent"},"from_mailboxes":{"type":"email_t","description":"The human-readable email header From Mailbox values. This array should contain the value in from_mailbox. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"caption":"From Mailboxes","type_name":"Email Address"},"data_lifecycle_state_id":{"type":"integer_t","enum":{"3":{"description":"The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF.","caption":"Data in-Use"},"0":{"description":"The data lifecycle state is unknown.","caption":"Unknown"},"1":{"description":"The data was stored on physical or logical media and was not actively moving through the network nor was being processed. E.g., data stored in a database, PDF files in a file share, or EHR records in object storage.","caption":"Data at-Rest"},"2":{"description":"The data was actively moving through the network or from one physical or logical location to another. E.g., emails being send, data replication or Change Data Capture (CDC) streams, or sensitive data processed on an API.","caption":"Data in-Transit"},"99":{"description":"The data lifecycle state is not mapped. See the data_lifecycle_state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The stage or state that the data was in when it was assessed or scanned by a data security tool.","caption":"Data Lifecycle State ID","sibling":"data_lifecycle_state","type_name":"Integer"},"is_user_provisioning_enabled":{"type":"boolean_t","description":"Indicates whether user provisioning is automated (e.g., for a SCIM resource). See specific usage.","caption":"User Provisioning Enabled","type_name":"Boolean"},"table":{"type":"object_t","description":"The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.","object_type":"table","caption":"Table","object_name":"Table"},"bus_type":{"type":"string_t","description":"The attachment bus or interface standard, normalized to the caption of the bus_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Bus Type","type_name":"String"},"win/service_category_id":{"type":"integer_t","enum":{"0":{"description":"The service category is unknown.","caption":"Unknown"},"1":{"description":"A kernel mode driver.","caption":"Kernel Mode"},"2":{"description":"A user mode service.","caption":"User Mode"},"99":{"description":"The service category is not mapped. See the service_category attribute, which contains an event source specific value.","caption":"Other"}},"description":"The normalized identifier of the service category.","extension":"win","extension_id":2,"caption":"Service Category ID","sibling":"service_category","type_name":"Integer"},"uploaded_time":{"type":"timestamp_t","description":"The timestamp at which an entity was uploaded. See specific usage.","caption":"Uploaded Time","type_name":"Timestamp"},"function_name":{"type":"string_t","description":"The function name. See specific usage.","caption":"Function Name","type_name":"String"},"precision":{"type":"integer_t","description":"The numeric precision. See specific usage.","caption":"Precision","type_name":"Integer"},"query_type":{"type":"string_t","description":"The normalized caption of query_type_id or the source-specific query type.","caption":"Query Type","type_name":"String"},"security_descriptor":{"type":"string_t","description":"The object security descriptor.","caption":"Security Descriptor","type_name":"String"},"status_details":{"type":"string_t","description":"A list of descriptions, containing additional information about the event/finding status.","is_array":true,"caption":"Status Details","type_name":"String"},"rssi":{"type":"integer_t","description":"Received Signal Strength Indicator (RSSI) is a measurement of the power of a radio signal. See specific usage.","caption":"RSSI","type_name":"Integer"},"department":{"type":"string_t","description":"The name of the department or organizational unit where the entity is assigned or belongs. See specific usage.","caption":"Department","type_name":"String"},"prompt_tokens":{"type":"integer_t","description":"Number of tokens in the input prompt for this message.","caption":"Prompt Tokens","type_name":"Integer"},"exploit_requirement":{"type":"string_t","description":"The requirement description related to any constraints around exploit execution.","caption":"Exploit Requirement","type_name":"String"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"object_type":"observable","caption":"Observables","object_name":"Observable"},"log_source":{"type":"string_t","description":"The log where the data originated. See specific usage.","caption":"Log Source","type_name":"String"},"is_fix_available":{"type":"boolean_t","description":"Indicates if a fix is available for the reported vulnerability.","caption":"Fix Availability","type_name":"Boolean"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","object_type":"group","caption":"Assignee Group","object_name":"Group"},"subdomains":{"type":"string_t","description":"An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).","is_array":true,"caption":"Subdomains","type_name":"String"},"accessor":{"type":"object_t","description":"The name of the user who last accessed the object.","object_type":"user","caption":"Accessor","object_name":"User"},"phone_number":{"type":"string_t","description":"The number associated with the phone.","caption":"Phone Number","type_name":"String"},"is_renewable":{"type":"boolean_t","description":"The indication of whether something is renewable. See specific usage.","caption":"Renewable","type_name":"Boolean"},"client_ciphers":{"type":"string_t","description":"The client cipher suites that were exchanged during the TLS handshake negotiation.","is_array":true,"caption":"Client Cipher Suites","type_name":"String"},"src_endpoint":{"type":"object_t","description":"The network source endpoint.","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"tunnel_type_id":{"type":"integer_t","description":"The normalized tunnel type ID.","caption":"Type","sibling":"tunnel_type","type_name":"Integer"},"scim":{"type":"object_t","description":"The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634","references":[{"description":"System for Cross-domain Identity Management (SCIM) RFC.","url":"https://datatracker.ietf.org/doc/html/rfc7643"}],"object_type":"scim","caption":"SCIM","object_name":"SCIM"},"volume":{"type":"string_t","description":"The volume on the storage device where the file is located. See specific usage.","caption":"Volume","type_name":"String"},"cpu_bits":{"type":"integer_t","description":"The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.","caption":"CPU Bits","type_name":"Integer"},"detection_uid":{"type":"string_t","description":"The associated unique detection event identifier. For example: detection response events include the Detection ID of the original event.","caption":"Detection UID","type_name":"String"},"auth_type":{"type":"string_t","description":"The agreed upon authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.","caption":"Authentication Type","type_name":"String"},"ack_reason":{"type":"integer_t","description":"An integer that provides a reason code or additional information about the acknowledgment result.","caption":"Acknowledgement Reason","type_name":"Integer"},"keyboard_type":{"type":"string_t","description":"The keyboard type (e.g., xt, ico).","caption":"Keyboard Type","type_name":"String"},"win/service_dependencies":{"type":"string_t","description":"The names of other services upon which this service has a dependency.","extension":"win","is_array":true,"extension_id":2,"caption":"Service Dependencies","type_name":"String"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"cwe":{"type":"object_t","description":"The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.","object_type":"cwe","caption":"CWE","object_name":"CWE"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","is_array":true,"object_type":"packet","caption":"Packets","object_name":"Packet"},"delay":{"type":"integer_t","description":"The total round-trip delay to the reference clock in milliseconds.","caption":"Root Delay","type_name":"Integer"},"path":{"type":"string_t","description":"The path that pertains to the event or object. See specific usage.","caption":"Path","type_name":"String"},"column_name":{"type":"string_t","description":"The name of the column. See specific usage.","caption":"Column Name","type_name":"String"},"attack_graph":{"type":"object_t","description":"An Attack Graph describes possible routes an attacker could take through an environment. It describes relationships between resources and their findings, such as malware detections, vulnerabilities, misconfigurations, and other security actions.","references":[{"description":"MS Defender description of Attack Path","url":"https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-attack-path"},{"description":"SentinelOne Attack Path documentation","url":"https://www.sentinelone.com/cybersecurity-101/cybersecurity/attack-path-analysis/"}],"object_type":"graph","caption":"Attack Graph","object_name":"Graph"},"idle_timeout":{"type":"integer_t","description":"Duration (in minutes) of allowed inactivity before a timeout See specific usage.","caption":"SSO Idle Timeout","type_name":"Integer"},"source":{"type":"string_t","description":"The source, when used with source_id, is normalized to the caption of the source_id value. In the case of 'Other', it is defined by the event source. See specific usage.","caption":"Source","type_name":"String"},"whois":{"type":"object_t","description":"The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.","object_type":"whois","caption":"WHOIS","object_name":"WHOIS"},"actual_permissions":{"type":"integer_t","description":"The permissions that were granted in a platform-native format. See specific usage.","caption":"Actual Permissions","type_name":"Integer"},"radius":{"type":"string_t","description":"Farthest horizontal distance from the reported location at which any UA in a group may be located (meters). Also allows defining the area where an Intent-Based Network Participant operation is taking place. Default: 0 m.","caption":"Radius","type_name":"String"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"unused_privileges_count":{"type":"integer_t","description":"The number of unused Privileges. See specific usage.","caption":"Unused Privileges Count","type_name":"Integer"},"debug":{"type":"string_t","description":"Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.","is_array":true,"caption":"Debug Information","type_name":"String"},"stratum":{"type":"string_t","description":"The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.","caption":"Stratum","type_name":"String"},"cpu_architecture":{"type":"string_t","description":"The CPU architecture, normalized to the caption of the cpu_architecture_id value. In the case of Other, it is defined by the source.","caption":"CPU Architecture","type_name":"String"},"open_ports":{"type":"object_t","description":"The list of open ports on a network interface, including port numbers and associated protocol information.","is_array":true,"object_type":"port_info","caption":"Open Ports","object_name":"Port Information"},"analyzed_privileges_count":{"type":"integer_t","description":"The total count of privileges that were analyzed. See specific usage.","caption":"Analyzed Privileges Count","type_name":"Integer"},"reputation":{"type":"object_t","description":"Contains the original and normalized reputation scores.","object_type":"reputation","caption":"Reputation Scores","object_name":"Reputation"},"value":{"type":"string_t","description":"The value associated to an attribute. See specific usage.","caption":"Value","type_name":"String"},"command":{"type":"string_t","description":"The command name.","caption":"Command","type_name":"String"},"ack_result":{"type":"integer_t","description":"An integer that denotes the acknowledgment result of the DCE/RPC call.","caption":"Acknowledgement Result","type_name":"Integer"},"column_number":{"type":"integer_t","description":"The number of the column. See specific usage.","caption":"Column Number","type_name":"Integer"},"project_uid":{"type":"string_t","description":"The unique identifier of a Cloud project.","caption":"Project ID","type_name":"String","@deprecated":{"message":"Use the account.uid attribute instead.","since":"1.4.0"}},"http_only":{"type":"boolean_t","description":"A cookie attribute to make it inaccessible via JavaScript","caption":"HTTP Only","type_name":"Boolean","@deprecated":{"message":"Use the is_http_only attribute instead.","since":"1.1.0"}},"surname":{"type":"string_t","description":"The last or family name for the user.","caption":"Surname","type_name":"String"},"vram_size":{"type":"integer_t","description":"The total amount of installed video RAM.","caption":"VRAM Size","type_name":"Integer"},"dnssec_status":{"type":"string_t","description":"The normalized value of dnssec_status_id.","caption":"DNSSEC Status","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","object_type":"ticket","caption":"Ticket","object_name":"Ticket"},"dkim_signature":{"type":"string_t","description":"The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.","caption":"DKIM Signature","type_name":"String"},"related_events":{"type":"object_t","description":"Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.","is_array":true,"object_type":"related_event","caption":"Related Events/Findings","object_name":"Related Event/Finding"},"smtp_hello":{"type":"string_t","description":"The value of the SMTP HELO or EHLO command.","caption":"SMTP Hello","type_name":"String","@deprecated":{"message":"Use the command attribute instead.","since":"1.4.0"}},"parameters":{"type":"object_t","description":"The parameters passed into a function invocation.","is_array":true,"object_type":"parameter","caption":"Parameters","object_name":"Parameter"},"resource_relationship":{"type":"object_t","description":"Describes entities related to the resource, using a graph structure. See specific usage.","object_type":"graph","caption":"Resource Relationship","object_name":"Graph"},"exploit_last_seen_time":{"type":"timestamp_t","description":"The time when the exploit was most recently observed.","caption":"Exploit Last Seen Time","type_name":"Timestamp"},"win/reg_integer_data":{"type":"long_t","description":"The data of the registry value when type_id is REG_DWORD, REG_DWORD_BIG_ENDIAN, or REG_QWORD.","extension":"win","extension_id":2,"caption":"Registry Integer Data","type_name":"Long"},"is_self_signed":{"type":"boolean_t","description":"Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).","caption":"Certificate Self-Signed","type_name":"Boolean"},"detection_pattern_type_id":{"type":"integer_t","enum":{"3":{"caption":"SIGMA"},"6":{"caption":"YARA"},"0":{"description":"The type is not mapped.","caption":"Unknown"},"1":{"caption":"STIX"},"2":{"caption":"PCRE"},"99":{"description":"The detection pattern type is not mapped. See the detection_pattern_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Snort"},"5":{"caption":"Suricata"}},"description":"Specifies the type of detection pattern used to identify the associated threat indicator.","caption":"Detection Pattern Type ID","sibling":"detection_pattern_type","type_name":"Integer"},"packages":{"type":"object_t","description":"List of vulnerable packages as identified by the security product","is_array":true,"object_type":"package","caption":"Software Packages","@deprecated":{"message":"Use the affected_packages attribute instead.","since":"1.1.0"},"object_name":"Software Package"},"processed_time_dt":{"type":"datetime_t","description":"The event processed time, such as an ETL operation.","caption":"Processed Time","type_name":"Datetime"},"requirements":{"type":"string_t","description":"A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10","is_array":true,"caption":"Compliance Requirements","type_name":"String"},"user_result":{"type":"object_t","description":"The result of the user account change. It should contain the new values of the changed attributes.","object_type":"user","caption":"User Result","object_name":"User"},"email_addr":{"type":"email_t","description":"The user's primary email address.","caption":"Email Address","type_name":"Email Address"},"num_infected":{"type":"integer_t","description":"The number of infected entities. See specific usage.","caption":"Number of Infected Entities","type_name":"Integer"},"next_run_time_dt":{"type":"datetime_t","description":"The next run time. See specific usage.","caption":"Next Run","type_name":"Datetime"},"creator":{"type":"object_t","description":"The user that created the object associated with event. See specific usage.","object_type":"user","caption":"Creator","object_name":"User"},"tunnel_type":{"type":"string_t","description":"The tunnel type. See specific usage.","caption":"Type","type_name":"String"},"programmatic_credentials":{"type":"object_t","description":"Details about the programmatic credential (API key, service account key, access token, certificate). See specific usage.","is_array":true,"object_type":"programmatic_credential","caption":"Programmatic Credentials","object_name":"Programmatic Credential"},"delivered_to_list":{"type":"email_t","description":"The machine-readable Delivered-To email header values. For example example.user@usersdomain.com","is_array":true,"references":[{"description":"RFC 9228","url":"https://www.rfc-editor.org/rfc/rfc9228"}],"caption":"Delivered To List","type_name":"Email Address"},"feature":{"type":"object_t","description":"The feature that reported the event.","object_type":"feature","caption":"Feature","object_name":"Feature"},"modifier":{"type":"object_t","description":"The user that last modified the object associated with the event. See specific usage.","object_type":"user","caption":"Modifier","object_name":"User"},"physical_height":{"type":"integer_t","description":"The numeric physical height of display.","caption":"Physical Height","type_name":"Integer"},"affected_code":{"type":"object_t","description":"List of Affected Code objects that describe details about code blocks identified as vulnerable.","is_array":true,"object_type":"affected_code","caption":"Affected Code","object_name":"Affected Code"},"packets_out":{"type":"long_t","description":"The number of packets sent from the source to the destination.","caption":"Packets Out","type_name":"Long"},"gpu_count":{"type":"integer_t","description":"The number of GPU's on a system. For example: 1.","caption":"GPU Count","type_name":"Integer"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"classifications":{"type":"string_t","description":"The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.","is_array":true,"caption":"Classifications","type_name":"String"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"kb_article_list":{"type":"object_t","description":"A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.","is_array":true,"object_type":"kb_article","caption":"Knowledgebase Articles","object_name":"KB Article"},"latency":{"type":"integer_t","description":"The HTTP response latency measured in milliseconds.","caption":"Latency","type_name":"Integer"},"edges":{"type":"object_t","description":"The list of edge objects that are part of the graph.","is_array":true,"object_type":"edge","caption":"Edges","object_name":"Edge"},"tlp":{"type":"string_t","description":"The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.","caption":"Traffic Light Protocol","type_name":"String"},"category_id":{"type":"integer_t","description":"The normalized identifier of the object category. See specific usage.","caption":"Category ID","sibling":"category","type_name":"Integer"},"domain_contacts":{"type":"object_t","description":"An array of Domain Contact objects.","is_array":true,"object_type":"domain_contact","caption":"Domain Contacts","object_name":"Domain Contact"},"drive_type_id":{"type":"integer_t","enum":{"3":{"description":"The drive is a remote (network) drive.","caption":"Remote"},"0":{"description":"The drive type is unknown.","caption":"Unknown"},"1":{"description":"The drive has removable media; for example, a floppy drive, thumb drive, or flash card reader.","caption":"Removable"},"2":{"description":"The drive has fixed media; for example, a hard disk drive or flash drive.","caption":"Fixed"},"99":{"description":"The drive type is not mapped. See the drive_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The drive is a CD-ROM drive.","caption":"CD-ROM"},"5":{"description":"The drive is a RAM disk.","caption":"RAM Disk"}},"description":"Identifies the type of a disk drive, i.e. fixed, removable, etc.","caption":"Drive Type ID","sibling":"drive_type","type_name":"Integer"},"dependency_chain":{"type":"string_t","description":"Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. E.g., serverless-offline -> @serverless/utils -> memoizee -> es5-ext.","caption":"Dependency Chain","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal.","caption":"Alert","type_name":"Boolean"},"related_vulnerabilities":{"type":"string_t","description":"List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.","is_array":true,"caption":"Related Vulnerability IDs","type_name":"String"},"build":{"type":"string_t","description":"The operating system build number.","caption":"OS Build","type_name":"String"},"event_code":{"type":"string_t","description":"The Event ID, Code, or Name that the product uses to primarily identify the event.","caption":"Event Code","type_name":"String"},"account":{"type":"object_t","description":"The account object describes details about the account that was the source or target of the activity. See specific usage.","object_type":"account","caption":"Account","object_name":"Account"},"number":{"type":"integer_t","description":"The number of the entity. See specific usage.","caption":"Number","type_name":"Integer"},"email_auth":{"type":"object_t","description":"The SPF, DKIM and DMARC attributes of an email.","object_type":"email_auth","caption":"Email Authentication","object_name":"Email Authentication"},"is_readonly":{"type":"boolean_t","description":"Indicates that an object cannot be modified. See specific usage","caption":"Read-Only","type_name":"Boolean"},"log_level":{"type":"string_t","description":"The log specific level at which an event was generated. See specific usage.","caption":"Log Level","type_name":"String"},"dmarc_policy":{"type":"string_t","description":"The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.","caption":"DMARC Policy","type_name":"String"},"values":{"type":"string_t","description":"An array of values associated to an attribute. See specific usage.","is_array":true,"caption":"Values","type_name":"String"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","object_type":"api","caption":"API Details","object_name":"API"},"epss":{"type":"object_t","description":"The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (EPSS).","object_type":"epss","caption":"EPSS","object_name":"EPSS"},"transmit_time":{"type":"timestamp_t","description":"The event transmission time from one device to another. See specific usage.","caption":"Transmission Time","type_name":"Timestamp"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value.","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"Describes details of a policy. See specific usage.","object_type":"policy","caption":"Policy","object_name":"Policy"},"share_type_id":{"type":"integer_t","enum":{"3":{"caption":"Print"},"0":{"description":"The share type is unknown.","caption":"Unknown"},"1":{"caption":"File"},"2":{"caption":"Pipe"},"99":{"description":"The share type is not mapped. See the share_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the share type.","caption":"Share Type ID","sibling":"share_type","type_name":"Integer"},"application":{"type":"object_t","description":"An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.","object_type":"application","caption":"Application","object_name":"Application"},"from":{"type":"email_t","description":"The machine-readable email header From value, as defined by RFC 5322. For example example.user@usersdomain.com.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"From","type_name":"Email Address"},"geodetic_altitude":{"type":"string_t","description":"The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.","caption":"Geodetic Altitude","type_name":"String"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","caption":"Confidence","type_name":"String"},"num_registry_items":{"type":"integer_t","description":"The number of registry items scanned.","caption":"Scanned Registry Items","type_name":"Integer"},"size":{"type":"long_t","description":"The size of data, in bytes.","caption":"Size","type_name":"Long"},"http_request":{"type":"object_t","description":"The HTTP Request Object documents attributes of a request made to a web server.","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"read_count":{"type":"integer_t","description":"The read count. See specific usage.","caption":"Read Count","type_name":"Integer"},"tree_uid":{"type":"string_t","description":"The tree id is a unique SMB identifier which represents an open connection to a share.","caption":"Tree UID","type_name":"String"},"speed_accuracy":{"type":"string_t","description":"Provides quality/containment on horizontal ground speed. Measured in meters/second.","caption":"Speed Accuracy","type_name":"String"},"country":{"type":"string_t","description":"The ISO 3166-1 Alpha-2 country code.Note: The two letter country code should be capitalized. For example: US or CA.
parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.","is_array":true,"references":[{"description":"Guidance on Representing Process Parentage","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md"}],"object_type":"process_entity","caption":"Ancestry","object_name":"Process Entity"},"euid":{"type":"integer_t","description":"The effective user under which this process is running.","caption":"Effective User ID","type_name":"Integer"},"storage_class":{"type":"string_t","description":"The storage class of the entity. See specific usage.","caption":"Storage Class","type_name":"String"},"subdomain":{"type":"string_t","description":"The subdomain portion of the URL. For example: sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.","caption":"Subdomain","type_name":"String"},"server_ciphers":{"type":"string_t","description":"The server cipher suites that were exchanged during the TLS handshake negotiation.","is_array":true,"caption":"Server Cipher Suites","type_name":"String"},"packets_in":{"type":"long_t","description":"The number of packets sent from the destination to the source.","caption":"Packets In","type_name":"Long"},"is_disabled":{"type":"boolean_t","description":"Indicates if the entity is disabled. See specific usage.","caption":"Disabled","type_name":"Boolean"},"supporting_data":{"type":"json_t","description":"Additional data supporting a finding as provided by security tool","caption":"Supporting Data","type_name":"JSON"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","caption":"Count","type_name":"Integer"},"hashes":{"type":"object_t","description":"An array of hash attributes.","is_array":true,"object_type":"fingerprint","caption":"Hashes","object_name":"Fingerprint"},"metrics":{"type":"object_t","description":"The general purpose metrics associated with the event. See specific usage.","is_array":true,"object_type":"metric","caption":"Metrics","object_name":"Metric"},"lease_dur":{"type":"integer_t","description":"This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.","caption":"Lease Duration","type_name":"Integer"},"author":{"type":"string_t","description":"The author(s) who published the software component.","caption":"Author","type_name":"String"},"sp_name":{"type":"string_t","description":"The name of the latest Service Pack.","caption":"OS Service Pack","type_name":"String"},"confidentiality":{"type":"string_t","description":"The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.","caption":"Confidentiality","type_name":"String"},"unmanned_system_operating_area":{"type":"object_t","description":"The UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.","object_type":"unmanned_system_operating_area","caption":"UAS Operating Area","object_name":"Unmanned System Operating Area"},"analytic":{"type":"object_t","description":"The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.","object_type":"analytic","caption":"Analytic","object_name":"Analytic"},"last_used_time":{"type":"timestamp_t","description":"The most recent usage time of an entity. See specific usage.","caption":"Last Used Time","type_name":"Timestamp"},"uid_alt":{"type":"string_t","description":"The alternate unique identifier. See specific usage.","caption":"Alternate ID","type_name":"String"},"forward_addr":{"type":"email_t","description":"The user's forwarding email address.","caption":"Forwarding Address","type_name":"Email Address"},"boot_time_dt":{"type":"datetime_t","description":"The time when the system was booted.","caption":"Boot Time","type_name":"Datetime"},"response_time":{"type":"timestamp_t","description":"The Domain Name System (DNS) response time.","caption":"Response Time","type_name":"Timestamp"},"smtp_to":{"type":"email_t","description":"The value of the SMTP envelope RCPT TO command.","is_array":true,"caption":"SMTP To","type_name":"Email Address","@deprecated":{"message":"Use the to attribute instead.","since":"1.4.0"}},"dmarc":{"type":"string_t","description":"The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.","caption":"DMARC Status","type_name":"String"},"app_uid":{"type":"string_t","description":"The unique ID of the application associated with the event or object.","caption":"Application ID","type_name":"String"},"resources_result":{"type":"object_t","description":"Updated resources after an activity/event.","is_array":true,"object_type":"resource_details","caption":"Resource Results Array","object_name":"Resource Details"},"certificate_chain":{"type":"string_t","description":"The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.","is_array":true,"caption":"Certificate Chain","type_name":"String"},"related_events_count":{"type":"integer_t","description":"Number of related events or findings.","caption":"Related Events/Findings Count","type_name":"Integer"},"system_call":{"type":"string_t","description":"The system call that was invoked.","caption":"System Call","type_name":"String"},"postal_code":{"type":"string_t","description":"The postal code of the location.","caption":"Postal Code","type_name":"String"},"users":{"type":"object_t","description":"The users that pertain to the event or object.","is_array":true,"object_type":"user","caption":"Users","object_name":"User"},"logon_type":{"type":"string_t","description":"The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Logon Type","type_name":"String"},"win/service_error_control_id":{"type":"integer_t","enum":{"3":{"description":"The startup program logs the error in the event log. If the last-known-good configuration is being started, the startup operation continues. Otherwise, the system is restarted with the last-known-good configuration.","caption":"Severe"},"0":{"description":"The service error control is unknown.","caption":"Unknown"},"1":{"description":"The startup program ignores the error and continues the startup operation.","caption":"Ignore"},"2":{"description":"The startup program logs the error in the event log but continues the startup operation.","caption":"Normal"},"99":{"description":"The service error control is not mapped. See the service_error_control attribute, which contains an event source specific value.","caption":"Other"},"4":{"description":"The startup program logs the error in the event log, if possible. If the last-known-good configuration is being started, the startup operation fails. Otherwise, the system is restarted with the last-known good configuration.","caption":"Critical"}},"description":"The normalized identifier of the service error control.","extension":"win","extension_id":2,"caption":"Service Error Control ID","sibling":"service_error_control","type_name":"Integer"},"scim_user_schema":{"type":"json_t","description":"SCIM provides a resource type for user resources. The core schema for user is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User as defined in RFC-7634. his attribute will capture key-value pairs for the scheme implemented in a SCIM resource. This object is inclusive of both the basic and Enterprise User Schema Extension.","references":[{"description":"System for Cross-domain Identity Management (SCIM) RFC spec.","url":"https://datatracker.ietf.org/doc/html/rfc7643"}],"caption":"SCIM User Schema","type_name":"JSON"},"http_cookies":{"type":"object_t","description":"The cookies object describes details about HTTP cookies","is_array":true,"object_type":"http_cookie","caption":"HTTP Cookies","object_name":"HTTP Cookie"},"traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"The user-provided comment.","caption":"Comment","type_name":"String"},"pattern_match":{"type":"string_t","description":"A text, binary, file name, or datastore that matched against a detection rule.","caption":"Pattern Match","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The end time of a time period. See specific usage.","caption":"End Time","type_name":"Timestamp"},"keyboard_layout":{"type":"string_t","description":"The keyboard locale identifier name (e.g., en-US).","caption":"Keyboard Layout","type_name":"String"},"correlation_uid":{"type":"string_t","description":"A unique identifier used to correlate events. See specific usage.","caption":"Correlation UID","type_name":"String"},"cwe_uid":{"type":"string_t","description":"The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.","caption":"CWE UID","type_name":"String","@deprecated":{"message":"Use the related_cwes object attributes instead.","since":"1.1.0"}},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"object_type":"agent","caption":"Agent List","object_name":"Agent"},"protocol_num":{"type":"integer_t","description":"The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: 6 for TCP and 17 for UDP.","references":[{"description":"IANA Protocol Numbers","url":"https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"}],"caption":"Protocol Number","type_name":"Integer"},"cell_name":{"type":"string_t","description":"The name of the cell. See specific usage.","caption":"Cell Name","type_name":"String"},"x_forwarded_for":{"type":"ip_t","description":"The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.","is_array":true,"caption":"X-Forwarded-For","type_name":"IP Address"},"package":{"type":"object_t","description":"The Software Package object describes details about a software package.","references":[{"description":"D3FEND™ Ontology d3f:SoftwarePackage.","url":"https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/"}],"object_type":"package","caption":"Software Package","object_name":"Software Package"},"protocol_name":{"type":"string_t","description":"The protocol name. See specific usage.","caption":"Protocol Name","type_name":"String"},"win/reg_string_list_data":{"type":"string_t","description":"The data of the registry value when type_id is REG_MULTI_SZ.","extension":"win","is_array":true,"extension_id":2,"caption":"Registry String List Data","type_name":"String"},"connection_info":{"type":"object_t","description":"The network connection information.","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"sp_ver":{"type":"integer_t","description":"The version number of the latest Service Pack.","caption":"OS Service Pack Version","type_name":"Integer"},"countermeasures":{"type":"object_t","description":"The MITRE D3FEND™ Matrix Countermeasures associated with a remediation.","is_array":true,"object_type":"d3fend","caption":"Countermeasures","object_name":"MITRE D3FEND™"},"score_id":{"type":"integer_t","enum":{"3":{"description":"Reasonable history of good behavior.","caption":"Probably Safe"},"6":{"description":"Starting to establish a history of suspicious or risky behavior.","caption":"Exercise Caution"},"0":{"description":"The reputation score is unknown.","caption":"Unknown"},"1":{"description":"Long history of good behavior.","caption":"Very Safe"},"2":{"description":"Consistently good behavior.","caption":"Safe"},"99":{"description":"The reputation score is not mapped. See the rep_score attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Starting to establish a history of normal behavior.","caption":"Leans Safe"},"5":{"description":"No established history of normal behavior.","caption":"May not be Safe"},"7":{"description":"A site with a history of suspicious or risky behavior. (spam, scam, potentially unwanted software, potentially malicious).","caption":"Suspicious/Risky"},"8":{"description":"Strong possibility of maliciousness.","caption":"Possibly Malicious"},"9":{"description":"Indicators of maliciousness.","caption":"Probably Malicious"},"10":{"description":"Proven evidence of maliciousness.","caption":"Malicious"}},"description":"The normalized reputation score identifier.","caption":"Reputation Score ID","sibling":"score","type_name":"Integer"},"log_provider":{"type":"string_t","description":"The logging provider or logging service that logged the event. See specific usage.","caption":"Log Provider","type_name":"String"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"key_length":{"type":"integer_t","description":"The length of the encryption key.","caption":"Key Length","type_name":"Integer"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"start_type":{"type":"string_t","description":"The start type of a service, driver, or application.","caption":"Start Type","type_name":"String"},"rate_limit":{"type":"integer_t","description":"The rate limit for a rate-based rule.","caption":"Rate Limit","type_name":"Integer"},"is_hotp":{"type":"boolean_t","description":"Whether the authentication factor is an HMAC-based One-time Password (HOTP).","caption":"HMAC-based One-time Password (HOTP)","type_name":"Boolean"},"requested_permissions":{"type":"integer_t","description":"The permissions mask. See specific usage.","caption":"Requested Permissions","type_name":"Integer"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","is_array":true,"object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"dialect":{"type":"string_t","description":"The negotiated protocol dialect.","caption":"Dialect","type_name":"String"},"is_on_premises_sync_enabled":{"type":"boolean_t","description":"Indicates whether synchronization with an on-premises directory service is enabled. For example, Microsoft Entra Connect.","caption":"On-Premises Sync Enabled","type_name":"Boolean"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value.","caption":"Class","type_name":"String"},"related_cves":{"type":"object_t","description":"Describes Common Vulnerabilities and Exposures (CVE) entries that are related to an entity. See specific usage.","is_array":true,"object_type":"cve","caption":"Related CVEs","object_name":"CVE"},"manager":{"type":"object_t","description":"The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.","object_type":"user","caption":"Manager","object_name":"User"},"security_questions":{"type":"string_t","description":"The question(s) provided to user for a question-based authentication factor.","is_array":true,"caption":"Security Questions","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The network destination endpoint.","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"sensitivity":{"type":"string_t","description":"The sensitivity of the firewall rule in the matched event. For example: HIGH.","caption":"Sensitivity","type_name":"String"},"cumulative_traffic":{"type":"object_t","description":"The cumulative network traffic. See specific usage.","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.ai_role_id.","caption":"AI Role","type_name":"String"},"protocol_ver_id":{"type":"integer_t","enum":{"0":{"description":"The protocol version is unknown.","caption":"Unknown"},"99":{"description":"The protocol version is not mapped. See the protocol_ver attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the Protocol version. See specific usage.","caption":"Protocol Version ID","sibling":"protocol_ver","type_name":"Integer"},"bios_date":{"type":"string_t","description":"The BIOS date. For example: 03/31/16.","caption":"BIOS Date","type_name":"String"},"protocol_ver":{"type":"string_t","description":"The Protocol version, normalized to the caption of the protocol_ver_id value. In the case of 'Other', it is defined by the event source.","caption":"Protocol Version","type_name":"String"},"exploit_type":{"type":"string_t","description":"The categorization or type of Exploit. E.g., Network or Physical.","caption":"Exploit Type","type_name":"String"},"encryption_details":{"type":"object_t","description":"The encryption details of a file or other content. See specific usage.","object_type":"encryption_details","caption":"Encryption Details","object_name":"Encryption Details"},"ldap_person":{"type":"object_t","description":"The additional LDAP attributes that describe a person.","object_type":"ldap_person","caption":"LDAP Person","object_name":"LDAP Person"},"scopes":{"type":"string_t","description":"Scopes define the specific permissions or actions that the client is allowed to perform on behalf of the user. Each scope represents a different set of permissions, and the user can selectively grant or deny access to specific scopes during the authorization process.","is_array":true,"caption":"Scopes","type_name":"String"},"cwe_url":{"type":"url_t","description":"Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.","caption":"CWE URL","type_name":"URL String","@deprecated":{"message":"Use the related_cwes object attributes instead.","since":"1.1.0"}},"ai_provider":{"type":"string_t","description":"AI service provider or organization name.","caption":"AI Provider","type_name":"String"},"subnet_prefix":{"type":"integer_t","description":"The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.","caption":"Subnet Prefix Length","type_name":"Integer"},"extension":{"type":"object_t","description":"The schema extension used to create the event.","object_type":"extension","caption":"Schema Extension","@deprecated":{"message":"Use the extensions attribute instead.","since":"1.1.0"},"object_name":"Schema Extension"},"direction_id":{"type":"integer_t","enum":{"3":{"description":"Lateral network connection. The connection originated from inside the network, destined for services on the inside network.","caption":"Lateral"},"0":{"description":"The connection direction is unknown.","caption":"Unknown"},"1":{"description":"Inbound network connection. The connection originated from the Internet or outside network, destined for services on the inside network.","caption":"Inbound"},"2":{"description":"Outbound network connection. The connection originated from inside the network, destined for services on the Internet or outside network.","caption":"Outbound"},"99":{"description":"The direction is not mapped. See the direction attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Local network connection (localhost). The connection is intra-device, originating from and destined for services running on the same device.","caption":"Local"}},"description":"The normalized identifier of the direction of the initiated connection, traffic, or email.","caption":"Direction ID","sibling":"direction","type_name":"Integer"},"terminated_time_dt":{"type":"datetime_t","description":"The time when the entity was terminated. See specific usage.","caption":"Terminated Time","type_name":"Datetime"},"exit_code":{"type":"integer_t","description":"The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.","caption":"Exit Code","type_name":"Integer"},"horizontal_accuracy":{"type":"string_t","description":"Provides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.","caption":"Horizontal Accuracy","type_name":"String"},"row_number":{"type":"integer_t","description":"The row number. See specific usage.","caption":"Row Number","type_name":"Integer"},"flags":{"type":"string_t","description":"The list of communication flags, normalized to the captions of the flag_ids values. See specific usage.","is_array":true,"caption":"Flags","type_name":"String"},"community_uid":{"type":"string_t","description":"The Community ID of the network connection.","source":"community_id","references":[{"description":"Community ID definition.","url":"https://github.com/corelight/community-id-spec"}],"caption":"Community ID","type_name":"String"},"to":{"type":"email_t","description":"The machine-readable email header To values, as defined by RFC 5322. For example example.user@usersdomain.com","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"To","type_name":"Email Address"},"leave_time":{"type":"timestamp_t","description":"The timestamp when the user left or will be leaving the organization.","caption":"Leave Time","type_name":"Timestamp"},"altitude_floor":{"type":"string_t","description":"Minimum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: Invalid, No Value, or Unknown: -1000 m.","caption":"Altitude Floor","type_name":"String"},"expiration_time_dt":{"type":"datetime_t","description":"The expiration time. See specific usage.","caption":"Expiration Time","type_name":"Datetime"},"groups":{"type":"object_t","description":"The groups to which an entity belongs. See specific usage.","is_array":true,"object_type":"group","caption":"Groups","object_name":"Group"},"urls":{"type":"object_t","description":"The URLs that pertain to the event or object.","is_array":true,"object_type":"url","caption":"URLs","object_name":"Uniform Resource Locator"},"attack":{"type":"object_t","description":"The MITRE ATT&CK® object describing the tactic, technique, and sub-technique.","object_type":"attack","caption":"MITRE ATT&CK® Details","object_name":"MITRE ATT&CK® & ATLAS™"},"has_mfa":{"type":"boolean_t","description":"The user has a multi-factor or secondary-factor device assigned.","caption":"MFA Assigned","type_name":"Boolean"},"win/reg_string_data":{"type":"string_t","description":"The data of the registry value when type_id is REG_SZ, REG_EXPAND_SZ, or REG_LINK.","extension":"win","extension_id":2,"caption":"Registry String Data","type_name":"String"},"cpid":{"type":"uuid_t","description":"A unique process identifier that can be assigned deterministically by multiple system data producers.","source":"cpid","references":[{"description":"OCSF Common Process Identifier (CPID) Specification","url":"https://github.com/ocsf/common-process-id"}],"caption":"Common Process Identifier","type_name":"UUID"},"sni":{"type":"string_t","description":" The Server Name Indication (SNI) extension sent by the client.","caption":"Server Name Indication","type_name":"String"},"last_seen_time_dt":{"type":"datetime_t","description":"The most recent detection time of the activity or object. See specific usage.","caption":"Last Seen","type_name":"Datetime"},"data_lifecycle_state":{"type":"string_t","description":"The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.","caption":"Data Lifecycle State","type_name":"String"},"total":{"type":"integer_t","description":"The total number of items. See specific usage.","caption":"Total","type_name":"Integer"},"samesite":{"type":"string_t","description":"The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None","caption":"SameSite","type_name":"String"},"drive_type":{"type":"string_t","description":"The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source.","caption":"Drive Type","type_name":"String"},"control_parameters":{"type":"object_t","description":"The list of control parameters evaluated in a Compliance check.","is_array":true,"object_type":"key_value_object","caption":"Control Parameters","object_name":"Key:Value object"},"relationship":{"type":"string_t","description":"The relationship between two software components, normalized to the caption of the relationship_id value. In the case of 'Other', it is defined by the source.","caption":"Relationship","type_name":"String"},"next_run_time":{"type":"timestamp_t","description":"The next run time. See specific usage.","caption":"Next Run","type_name":"Timestamp"},"secure":{"type":"boolean_t","description":"The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.","caption":"Secure","type_name":"Boolean","@deprecated":{"message":"Use the is_secure attribute instead.","since":"1.1.0"}},"epoch":{"type":"integer_t","description":"The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.","caption":"Epoch","type_name":"Integer"},"base_address":{"type":"string_t","description":"The memory address where the module was loaded.","caption":"Base Address","type_name":"String"},"priority_id":{"type":"integer_t","enum":{"3":{"description":"Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.","caption":"High"},"0":{"description":"No priority is assigned.","caption":"Unknown"},"1":{"description":"Application or personal procedure is unusable, where a workaround is available or a repair is possible.","caption":"Low"},"2":{"description":"Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available.","caption":"Medium"},"99":{"description":"The priority is not normalized.","caption":"Other"},"4":{"description":"Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative.","caption":"Critical"}},"description":"The normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.","caption":"Priority ID","sibling":"priority","type_name":"Integer"},"anomalies":{"type":"object_t","description":"A list of detected anomalies or deviations from expected behavior patterns. See specific usage.","is_array":true,"object_type":"anomaly","caption":"Anomalies","object_name":"Anomaly"},"rule":{"type":"object_t","description":"The rules that reported the events.","object_type":"rule","caption":"Rule","object_name":"Rule"},"vram_mode_id":{"type":"integer_t","enum":{"0":{"description":"The VRAM mode is unknown or not reported.","caption":"Unknown"},"1":{"description":"Video memory is allocated from system memory.","caption":"Shared"},"2":{"description":"Video memory is physically separate from system memory.","caption":"Dedicated"},"99":{"description":"A VRAM mode not covered by the defined values; the exact value is reported by the event source.","caption":"Other"}},"description":"The normalized identifier of the video memory attachment mode.","caption":"VRAM Mode ID","sibling":"vram_mode","type_name":"Integer"},"session":{"type":"object_t","description":"The authenticated user or service session.","object_type":"session","caption":"Session","object_name":"Session"},"privilege_attack_info":{"type":"object_t","description":"Information about privileges grouped by the potential attack they could enable.","object_type":"privilege_attack_info","caption":"Privilege Attack Info","object_name":"Privilege Attack Info"},"opcode":{"type":"string_t","description":"The DNS opcode specifies the type of the query message.","caption":"DNS Opcode","type_name":"String"},"reply_to":{"type":"email_t","description":"The machine-readable email header Reply-To value, as defined by RFC 5322. For example example.user@usersdomain.com","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"Reply To","type_name":"Email Address","@deprecated":{"message":"Use the reply_to_list attribute instead.","since":"1.4.0"}},"sub_technique":{"type":"object_t","description":"The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"object_type":"sub_technique","caption":"MITRE Sub-technique","object_name":"MITRE Sub-technique"},"source_id":{"type":"integer_t","enum":{"0":{"description":"The source is unknown.","caption":"Unknown"},"99":{"description":"The source is not mapped. See the source attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the source. See specific usage.","caption":"Source ID","sibling":"source","type_name":"Integer"},"phones":{"type":"string_t","description":"The phone numbers associated with the user","is_array":true,"caption":"Phones","type_name":"String"},"start_type_id":{"type":"integer_t","enum":{"3":{"description":"Started on demand. For example, by the Windows Service Control Manager when a process calls the StartService function.","caption":"On Demand"},"6":{"description":"Started on specific user logins.","caption":"Specific User Login"},"0":{"description":"The start type is unknown.","caption":"Unknown"},"1":{"description":"Service started automatically during system startup.","caption":"Auto"},"2":{"description":"Device driver started by the system loader.","caption":"Boot"},"99":{"description":"The start type is not mapped. See the start_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The service is disabled, and cannot be started.","caption":"Disabled"},"5":{"description":"Started on all user logins.","caption":"All Logins"},"7":{"description":"Stared according to a schedule.","caption":"Scheduled"},"8":{"description":"Started when a system item, such as a file or registry key, changes.","caption":"System Changed"}},"description":"The start type ID of a service or application.","caption":"Start Type ID","sibling":"start_type","type_name":"Integer"},"display_name":{"type":"string_t","description":"The display name. See specific usage.","caption":"Display Name","type_name":"String"},"compliance_standards":{"type":"object_t","description":"A list of established guidelines or criteria that define specific requirements an organization must follow.","is_array":true,"object_type":"kb_article","caption":"Compliance Standards: Details","@deprecated":{"message":"Use the Compliance object with Check array instead","since":"1.5.0"},"object_name":"KB Article"},"terminal":{"type":"string_t","description":"The Pseudo Terminal. Ex: the tty or pts value.","caption":"Terminal","type_name":"String"},"win/service_type":{"type":"string_t","description":"The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.","extension":"win","extension_id":2,"caption":"Service Type","type_name":"String"},"software_components":{"type":"object_t","description":"The list of software components used in the software package.","is_array":true,"object_type":"software_component","caption":"Software Components","object_name":"Software Component"},"alert":{"type":"integer_t","description":"The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.","caption":"Client TLS Alert","type_name":"Integer"},"error":{"type":"string_t","description":"Error Code","caption":"Error Code","type_name":"String"},"bytes_out":{"type":"long_t","description":"The number of bytes sent from the source to the destination.","caption":"Bytes Out","type_name":"Long"},"iccid":{"type":"string_t","description":"The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.","caption":"ICCID","type_name":"String"},"total_queued_duration":{"type":"object_t","description":"The amount of time an event spent in a queue awaiting processing.","object_type":"timespan","caption":"Total Queued Duration","object_name":"Time Span"},"avg_timespan":{"type":"object_t","description":"The average time span of an activity.","object_type":"timespan","caption":"Average Timespan","object_name":"Time Span"},"aircraft":{"type":"object_t","description":"The Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise. The Aircraft object is intended to normalized data captured or otherwise logged from active radar, passive radar, multi-spectral systems, or the Automatic Dependant Broadcast - Surveillance (ADS-B), and/or Mode S systems.","object_type":"aircraft","caption":"Aircraft","object_name":"Aircraft"},"is_totp":{"type":"boolean_t","description":"Whether the authentication factor is a Time-based One-time Password (TOTP).","caption":"Time-based One-time Password (TOTP)","type_name":"Boolean"},"aerial_height":{"type":"string_t","description":"Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.","caption":"Aerial Height","type_name":"String"},"raw_data_size":{"type":"long_t","description":"The size of the raw data which was transformed into an OCSF event, in bytes.","caption":"Raw Data Size","type_name":"Long"},"num_files":{"type":"integer_t","description":"The number of files scanned.","caption":"Scanned Files","type_name":"Integer"},"identity_activity_metrics":{"type":"object_t","description":"Describes usage activity and other metrics of an Identity i.e. AWS IAM User, GCP IAM Principal, etc.","object_type":"identity_activity_metrics","caption":"Identity Activity Metrics","object_name":"Identity Activity Metrics"},"win/run_count":{"type":"integer_t","description":"The prefetch file run count.","extension":"win","extension_id":2,"caption":"Run Count","type_name":"Integer"},"score":{"type":"string_t","description":"The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.","caption":"Reputation Score","type_name":"String"},"related_analytics":{"type":"object_t","description":"Describes analytics related to the analytic of a finding or detection as identified by the security product.","is_array":true,"object_type":"analytic","caption":"Related Analytics","object_name":"Analytic"},"remote_display":{"type":"object_t","description":"The remote display affiliated with the event","object_type":"display","caption":"Remote Display","object_name":"Display"},"track_direction":{"type":"string_t","description":"Direction of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value","caption":"Track Direction","type_name":"String"},"app_name":{"type":"string_t","description":"The name of the application associated with the event or object.","caption":"Application Name","type_name":"String"},"org":{"type":"object_t","description":"Organization and org unit relevant to the event or object. See specific usage.","object_type":"organization","caption":"Organization","object_name":"Organization"},"external_uid":{"type":"string_t","description":"A unique identifier assigned by an external system for cross-referencing.","caption":"External ID","type_name":"String"},"pre_value":{"type":"string_t","description":"The value before. See specific usage.","caption":"Pre-Value","type_name":"String"},"status":{"type":"string_t","description":"The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.","caption":"Status","type_name":"String"},"condition_keys":{"type":"object_t","description":"The list of condition keys and their values that were evaluated as part of a rule or policy. Condition keys are used to define circumstances under which the rule/policy is in effect. See specific usage.","is_array":true,"object_type":"key_value_object","caption":"Condition Keys","object_name":"Key:Value object"},"original_time":{"type":"string_t","description":"The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.","caption":"Original Time","type_name":"String"},"ip":{"type":"ip_t","description":"The IP address, in either IPv4 or IPv6 format.","caption":"IP Address","type_name":"IP Address"},"raw_data":{"type":"string_t","description":"The raw event/finding data as received from the source.","caption":"Raw Data","type_name":"String"},"observation_type":{"type":"string_t","description":"The classification or category of the observation, indicating what kind of measurement or finding it represents. See specific usage.","caption":"Observation Type","type_name":"String"},"status_id":{"type":"integer_t","enum":{"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"caption":"Success"},"2":{"caption":"Failure"},"99":{"description":"The status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","caption":"Status ID","sibling":"status","type_name":"Integer"},"url_string":{"type":"url_t","description":"The URL string. See RFC 1738. For example: http://www.example.com/download/trouble.exe.","caption":"URL String","type_name":"URL String"},"page_number":{"type":"integer_t","description":"The page number of the document. See specific usage.","caption":"Page Number","type_name":"Integer"},"factor_type_id":{"type":"integer_t","enum":{"3":{"description":"System calls the user's registered phone number and requires the user to answer and provide a response.","caption":"Phone Call"},"6":{"description":"Physical device that generates a code to be used for authentication.","caption":"Hardware Token"},"0":{"caption":"Unknown"},"1":{"description":"User receives and inputs a code sent to their mobile device via SMS text message.","caption":"SMS"},"2":{"description":"The user responds to a security question as part of a question-based authentication factor","caption":"Security Question"},"99":{"caption":"Other"},"4":{"description":"Devices that verify identity-based on user's physical identifiers, such as fingerprint scanners or retina scanners.","caption":"Biometric"},"5":{"description":"Push notification is sent to user's registered device and requires the user to acknowledge.","caption":"Push Notification"},"7":{"description":"Application generates a one-time password (OTP) for use in authentication.","caption":"OTP"},"8":{"description":"A code or link is sent to a user's registered email address.","caption":"Email"},"9":{"description":"Typically involves a hardware token, which the user physically interacts with to authenticate.","caption":"U2F"},"10":{"description":"Web-based API that enables users to register devices as authentication factors.","caption":"WebAuthn"},"11":{"description":"The user enters a password that they have previously established.","caption":"Password"}},"description":"The normalized identifier for the authentication factor.","caption":"Factor Type ID","sibling":"factor_type","type_name":"Integer"},"vram_mode":{"type":"string_t","description":"The video memory attachment mode, indicating how the VRAM hardware is integrated with the system (e.g., shared or dedicated), normalized to the caption of the vram_mode_id value. For 'Other', the exact attachment mode is defined by the event source.","caption":"VRAM Mode","type_name":"String"},"log_type":{"type":"string_t","description":"The log type, normalized to the caption of the log_type_id value. In the case of 'Other', it is defined by the event source.","caption":"Log Type","type_name":"String"},"key_uid":{"type":"string_t","description":"The unique identifier of the key. See specific usage.","caption":"Key UID","type_name":"String"},"is_directed":{"type":"boolean_t","description":"Indicates if the entity has directionality. See specific usage.","caption":"Directed","type_name":"Boolean"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","caption":"Event Time","type_name":"Datetime"},"exploit_ref_url":{"type":"url_t","description":"The URL of the exploit code or Proof-of-Concept (PoC).","caption":"Exploit URL","type_name":"URL String"},"is_unused":{"type":"boolean_t","description":"Indicates whether an item is unused. See specific usage.","caption":"Is Unused","type_name":"Boolean"},"duration_months":{"type":"integer_t","description":"Represents the duration of the activity in months. See specific usage.","caption":"Duration Months","type_name":"Integer"},"fix_available":{"type":"boolean_t","description":"Indicates if a fix is available for the reported vulnerability.","caption":"Fix Availability","type_name":"Boolean","@deprecated":{"message":"Use the is_fix_available attribute instead.","since":"1.1.0"}},"network_interfaces":{"type":"object_t","description":"The physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.
","is_array":true,"object_type":"network_interface","caption":"Network Interfaces","object_name":"Network Interface"},"digest":{"type":"object_t","description":"The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.","object_type":"fingerprint","caption":"Message Digest","object_name":"Fingerprint"},"win/service_start_type_id":{"type":"integer_t","enum":{"3":{"description":"A user mode service started automatically during system startup.","caption":"Auto"},"0":{"description":"The service start type is unknown.","caption":"Unknown"},"1":{"description":"A kernel mode driver loaded at boot.","caption":"Boot"},"2":{"description":"A kernel mode driver loaded during system startup.","caption":"System"},"99":{"description":"The service start type is not mapped. See theservice_start_type attribute, which contains an event source specific value.","caption":"Other"},"4":{"description":"A user mode service started on demand when a process calls StartService.","caption":"Demand"},"5":{"description":"A driver or service that cannot be started.","caption":"Disabled"}},"description":"The normalized identifier of the service start type.","extension":"win","extension_id":2,"caption":"Service Start Type ID","sibling":"service_start_type","type_name":"Integer"},"detection_system":{"type":"string_t","description":"The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.","caption":"Detection System","type_name":"String"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","caption":"Status Detail","type_name":"String"},"span":{"type":"object_t","description":"The information about the span. See specific usage.","object_type":"span","caption":"Span","object_name":"Span"},"last_run_time_dt":{"type":"datetime_t","description":"The last run time of application or service. See specific usage.","caption":"Last Run","type_name":"Datetime"},"pressure_altitude":{"type":"string_t","description":"The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m.. Special Values: Invalid, No Value, or Unknown: -1000 m.","caption":"Pressure Altitude","type_name":"String"},"component":{"type":"string_t","description":"The component of a data object. See specific usage.","caption":"Component","type_name":"String"},"certificate":{"type":"object_t","description":"The certificate object containing information about the digital certificate.","object_type":"certificate","caption":"Certificate","object_name":"Digital Certificate"},"isp_org":{"type":"string_t","description":"The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.","caption":"ISP Org","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"region":{"type":"string_t","description":"The name or the code of a region. See specific usage.","caption":"Region","type_name":"String"},"cpu_speed":{"type":"integer_t","description":"The speed of the processor in Mhz. For Example: 4200.","caption":"Processor Speed","type_name":"Integer"},"duration_weeks":{"type":"integer_t","description":"Represents the duration of the activity in weeks. See specific usage.","caption":"Duration Weeks","type_name":"Integer"},"bus_type_id":{"type":"integer_t","enum":{"3":{"description":"Peripheral Component Interconnect Express slot with 8 lanes; common for high‑performance NICs, storage controllers, and accelerators.","caption":"PCIe x8"},"6":{"description":"M.2 (NGFF) internal module form factor/connector exposing PCIe (and/or SATA/USB) for SSDs and add‑in modules.","caption":"M.2"},"0":{"description":"The bus type is unknown or not reported.","caption":"Unknown"},"1":{"description":"The device is attached directly on the motherboard or SoC (often referred to as 'integrated' or 'onboard').","caption":"Onboard"},"2":{"description":"Peripheral Component Interconnect Express slot with 16 lanes, typically used for high‑bandwidth add‑in devices.","caption":"PCIe x16"},"99":{"description":"A bus or interface standard not covered by the defined values; the exact value is reported by the event source.","caption":"Other"},"4":{"description":"Mobile PCI Express Module (MXM) Type A form factor (compact laptop/embedded GPU module).","caption":"MXM Type A"},"5":{"description":"Mobile PCI Express Module (MXM) Type B form factor (larger laptop/embedded GPU module).","caption":"MXM Type B"},"7":{"description":"Compute Express Link (CXL), an open cache‑coherent interconnect for processors, memory expansion, and accelerators built on the PCIe physical layer.","caption":"CXL"}},"description":"The normalized identifier of the attachment bus or interface standard.","caption":"Bus Type ID","sibling":"bus_type","type_name":"Integer"},"duration":{"type":"long_t","description":"This represents the duration of the activity in milliseconds. See specific usage.","caption":"Duration Milliseconds","type_name":"Long"},"vendor_name":{"type":"string_t","description":"The name of the vendor. See specific usage.","caption":"Vendor Name","type_name":"String"},"location":{"type":"object_t","description":"The detailed geographical location usually associated with an IP address.","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"license":{"type":"string_t","description":"The name or identifier of the license applied on package or software. See SPDX License List.","caption":"Software License","type_name":"String"},"file_result":{"type":"object_t","description":"The result of the file change. It should contain the new values of the changed attributes.","object_type":"file","caption":"File Result","object_name":"File"},"classification":{"type":"string_t","description":"The classification as defined by the vendor.","caption":"Classification","type_name":"String"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","object_type":"user","caption":"Assignee","object_name":"User"},"bulletin":{"type":"string_t","description":"The vendor bulletin identifier.","caption":"Patch Bulletin","type_name":"String"},"first_seen_time_dt":{"type":"datetime_t","description":"The initial detection time of the activity or object. See specific usage","caption":"First Seen","type_name":"Datetime"},"code":{"type":"integer_t","description":"The numeric response sent to a request.","caption":"Response Code","type_name":"Integer"},"log_name":{"type":"string_t","description":"The log name. See specific usage.","caption":"Log Name","type_name":"String"},"query_evidence":{"type":"object_t","description":"The resulting evidence discovered from the evidence search request.","object_type":"query_evidence","caption":"Query Evidence","object_name":"Query Evidence"},"company_name":{"type":"string_t","description":"The name of the company that published the file. For example: Microsoft Corporation.","caption":"Company Name","type_name":"String"},"discovery_details":{"type":"object_t","description":"A collection of Discovery Details objects. See specific usage.","is_array":true,"object_type":"discovery_details","caption":"Discovery Details","object_name":"Discovery Details"},"intermediate_ips":{"type":"ip_t","description":"The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.","is_array":true,"caption":"Intermediate IP Addresses","type_name":"IP Address"},"compliance_references":{"type":"object_t","description":"A list of reference KB articles that provide information to help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.","is_array":true,"object_type":"kb_article","caption":"Compliance Standard References","@deprecated":{"message":"Use the Compliance object with Check array instead","since":"1.5.0"},"object_name":"KB Article"},"condition":{"type":"string_t","description":"The condition that was evaluated in a rule, policy. See specific usage.","caption":"Condition","type_name":"String"},"chassis":{"type":"string_t","description":"The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types","caption":"Chassis","type_name":"String"},"cc":{"type":"email_t","description":"The machine-readable email header Cc values, as defined by RFC 5322. For example example.user@usersdomain.com.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"caption":"Cc","type_name":"Email Address"},"total_potential_attacks_count":{"type":"integer_t","description":"The total count of privilege-to-attack technique mappings identified across all analyzed privileges.","caption":"Total Potential Attacks Count","type_name":"Integer"},"purl":{"type":"string_t","description":"A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.","caption":"Package URL","type_name":"String"},"operation":{"type":"string_t","description":"Verb/Operation associated with the request","caption":"Operation","type_name":"String"},"file":{"type":"object_t","description":"The file that pertains to the event or object. See specific usage.","object_type":"file","caption":"File","object_name":"File"},"from_list":{"type":"email_t","description":"The machine-readable email header From values. This array should contain the value in from. For example example.user@usersdomain.com.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"caption":"From List","type_name":"Email Address"},"caption":{"type":"string_t","description":"A short description or caption of the device. For example: Scanner 1 or Database Manager.","caption":"Caption","type_name":"String"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","caption":"Impact Score","type_name":"Integer"},"user_agent":{"type":"string_t","description":"The request header that identifies the operating system and web browser.","caption":"HTTP User-Agent","type_name":"String","observable":16},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","caption":"Severity","type_name":"String"},"bytes":{"type":"long_t","description":"The total number of bytes (in and out).","caption":"Total Bytes","type_name":"Long"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period. See specific usage.","caption":"Start Time","type_name":"Datetime"},"overall_score":{"type":"float_t","description":"The overall score as reported by the event source. See specific usage.","caption":"Overall Score","type_name":"Float"},"web_resources":{"type":"object_t","description":"Describes details about web resources that were affected by an activity/event.","is_array":true,"object_type":"web_resource","caption":"Web Resources","object_name":"Web Resource"},"pid":{"type":"integer_t","description":"The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.","caption":"Process ID","type_name":"Integer","observable":15},"package_manager":{"type":"string_t","description":"The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.","caption":"Package Manager","type_name":"String"},"edition":{"type":"string_t","description":"The operating system edition. For example: Professional.","caption":"OS Edition","type_name":"String"},"autoscale_uid":{"type":"string_t","description":"The unique identifier of the cloud autoscale configuration.","caption":"Autoscale UID","type_name":"String"},"office_location":{"type":"string_t","description":"The primary office location associated with the user. This could be any string and isn't a specific address. For example, South East Virtual.","caption":"Office Location","type_name":"String"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","caption":"Severity ID","sibling":"severity","type_name":"Integer"},"network_endpoint":{"type":"object_t","description":"The Network Endpoint object describes characteristics of a network endpoint. See specific usage.","object_type":"network_endpoint","caption":"Network Endpoint","object_name":"Network Endpoint"},"ldap_dn":{"type":"string_t","description":"The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example,cn=John Doe,ou=People,dc=example,dc=com.","caption":"LDAP Distinguished Name","type_name":"String"}},"name":"dictionary","description":"The Attribute Dictionary provides a comprehensive catalog of standardized attributes used across OCSF. It defines each attribute's properties, data types, and relationships. This dictionary serves as the authoritative reference for attribute definitions and ensures consistent usage throughout the schema.","types":{"attributes":{"boolean_t":{"values":[false,true],"description":"Boolean value. One of true or false.","caption":"Boolean"},"float_t":{"description":"Real floating-point value. For example:3.14.","caption":"Float"},"integer_t":{"description":"Signed integer value.","caption":"Integer"},"json_t":{"description":"Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See www.json.org.","caption":"JSON"},"long_t":{"description":"8-byte long, signed integer value.","caption":"Long"},"string_t":{"description":"UTF-8 encoded byte sequence.","caption":"String"},"bytestring_t":{"type":"string_t","description":"Base 64 encoded immutable byte sequence. Traditional Base 64 is preferred but publishers may use URL-safe Base 64 when known to be acceptable to consumers. These encodings are described in RFC 4648.","regex":"^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)|(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=))?$","references":[{"description":"RFC 4648","url":"https://www.rfc-editor.org/rfc/rfc4648.html"}],"caption":"Byte String","type_name":"String"},"datetime_t":{"type":"string_t","description":"The Internet Date/Time format as defined in RFC-3339. For example:2024-09-10T23:20:50.520Z,2024-09-10 23:20:50.520789Z.","regex":"^\\d{4}-\\d{2}-\\d{2}[Tt]\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?([Zz]|[\\+-]\\d{2}:\\d{2})?$","caption":"Datetime","type_name":"String"},"email_t":{"type":"string_t","description":"Email address. For example:john_doe@example.com.","regex":"^[a-zA-Z0-9!#$%&'*+-/=?^_`{|}~.]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$","caption":"Email Address","type_name":"String","observable":5},"file_hash_t":{"type":"string_t","description":"Fingerprint. A value, in any format, that maps an arbitrarily large data item to a much shorter string that uniquely identifies the original data. Examples include cryptographic hashing of a file, code signing, and Network Protocol Fingerprinting (NPF).Note about name. The type name file_hast_t and the caption "Hash" are used for legacy reasons. This type has been generalized from a file hash to a general fingerprint. The existing type name and caption were retained for backwards compatibility.","caption":"Hash","type_name":"String","observable":8},"file_name_t":{"type":"string_t","description":"File name. For example:text-file.txt.","caption":"File Name","type_name":"String","observable":7},"file_path_t":{"type":"string_t","description":"The full path to the file. For example: For example:c:\\windows\\system32\\svchost.exe.","caption":"File Path","type_name":"String","observable":45},"hostname_t":{"type":"string_t","description":"Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example:r2-d2.example.com.,mx.example.com","caption":"Hostname","type_name":"String","observable":1},"ip_t":{"type":"string_t","description":"Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example:192.168.200.24,
2001:0db8:85a3:0000:0000:8a2e:0370:7334.","regex":"((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))","caption":"IP Address","type_name":"String","max_len":40,"observable":2},"mac_t":{"type":"string_t","description":"Media Access Control (MAC) address. For example:18:36:F3:98:4F:9A.","regex":"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$","caption":"MAC Address","type_name":"String","max_len":32,"observable":3},"port_t":{"type":"integer_t","description":"The TCP/UDP port number. For example:80,22.","range":[0,65535],"caption":"Port","type_name":"Integer","observable":11},"process_name_t":{"type":"string_t","description":"Process name. For example:Notepad.","caption":"Process Name","type_name":"String","observable":9},"resource_uid_t":{"type":"string_t","description":"Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.","caption":"Resource UID","type_name":"String","observable":10},"subnet_t":{"type":"string_t","description":"The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example:192.168.1.0/24,2001:0db8:85a3:0000::/64","caption":"Subnet","type_name":"String","max_len":42,"observable":12},"timestamp_t":{"type":"long_t","description":"The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.","caption":"Timestamp","type_name":"Long"},"url_t":{"type":"string_t","description":"Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.","caption":"URL String","type_name":"String","observable":6},"username_t":{"type":"string_t","description":"User name. For example:john_doe.","caption":"User Name","type_name":"String","observable":4},"uuid_t":{"type":"string_t","description":"128-bit universal unique identifier. For example:123e4567-e89b-12d3-a456-42661417400.","regex":"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}","caption":"UUID","type_name":"String"},"reg_key_path_t":{"type":"string_t","description":"Full path of registry key.","extension":"win","extension_id":2,"caption":"Registry Key Path","type_name":"String","observable":46}},"description":"The data types available in OCSF. Each data type specifies constraints in the form regular expressions, max lengths or value limits. Implementers of OCSF should ensure they abide to these constraints.","caption":"Data Types"},"caption":"Attribute Dictionary"},"version":"1.8.0","extensions":{"linux":{"name":"linux","version":"1.8.0","description":"The Linux extension defines Linux specific attributes, profiles, objects, and classes.","uid":1,"caption":"Linux","platform_extension?":true},"win":{"name":"win","version":"1.8.0","description":"The Windows extension defines Windows specific attributes, objects, and classes.","uid":2,"caption":"Windows","platform_extension?":true},"macos":{"name":"macos","version":"1.8.0","description":"The macOS extension defines macOS specific attributes, profiles, objects, and classes.","uid":3,"caption":"macOS","platform_extension?":true}},"objects":{"query_info":{"attributes":{"data":{"type":"json_t","description":"The data returned from the query execution.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The query name for a saved or scheduled query.","requirement":"recommended","caption":"Name","type_name":"String"},"bytes":{"type":"long_t","description":"The size of the data returned from the query.","requirement":"optional","caption":"Total Bytes","type_name":"Long"},"uid":{"type":"string_t","description":"The unique identifier of the query.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"query_string":{"type":"string_t","description":"A string representing the query code being run. For example: SELECT * FROM my_table","requirement":"required","caption":"Query String","type_name":"String"},"query_time":{"type":"timestamp_t","description":"The time when the query was run.","requirement":"optional","caption":"Query Time","type_name":"Timestamp"},"query_time_dt":{"type":"datetime_t","description":"The time when the query was run.","requirement":"optional","profiles":["datetime"],"caption":"Query Time","type_name":"Datetime"}},"name":"query_info","description":"The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a query must be written using a specific syntax.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["datetime"],"caption":"Query Information"},"vendor_attributes":{"attributes":{"severity":{"type":"string_t","description":"The finding severity, as reported by the Vendor (Finding Provider). The value should be normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Severity","type_name":"String"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The finding severity ID, as reported by the Vendor (Finding Provider).","requirement":"optional","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"vendor_attributes","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like severity_id.
The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.","extends":"object","caption":"Vendor Attributes"},"process_entity":{"attributes":{"name":{"type":"process_name_t","description":"The friendly name of the process, for example: Notepad++.","requirement":"recommended","caption":"Name","type_name":"Process Name"},"pid":{"type":"integer_t","description":"The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.","requirement":"recommended","caption":"Process ID","type_name":"Integer","observable":15},"path":{"type":"string_t","description":"The process file path.","requirement":"optional","caption":"Path","type_name":"String"},"uid":{"type":"string_t","description":"A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":39},"cmd_line":{"type":"string_t","description":"The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.","requirement":"recommended","caption":"Command Line","type_name":"String","observable":13},"cpid":{"type":"uuid_t","description":"A unique process identifier that can be assigned deterministically by multiple system data producers.","source":"cpid","references":[{"description":"OCSF Common Process Identifier (CPID) Specification","url":"https://github.com/ocsf/common-process-id"}],"requirement":"recommended","caption":"Common Process Identifier","type_name":"UUID"},"created_time":{"type":"timestamp_t","description":"The time when the process was created/started.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"created_time_dt":{"type":"datetime_t","description":"The time when the process was created/started.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"}},"name":"process_entity","description":"The Process Entity object provides critical fields for referencing a process.","extends":"_entity","constraints":{"at_least_one":["cmd_line","name","path","pid","uid","cpid"]},"profiles":["datetime"],"caption":"Process Entity"},"cvss":{"attributes":{"version":{"type":"string_t","description":"The CVSS version. For example: 3.1.","requirement":"required","caption":"Version","type_name":"String"},"depth":{"type":"string_t","enum":{"Base":{"caption":"Base"},"Environmental":{"caption":"Environmental"},"Temporal":{"caption":"Temporal"}},"description":"The CVSS depth represents a depth of the equation used to calculate CVSS score.","requirement":"recommended","caption":"CVSS Depth","type_name":"String"},"severity":{"type":"string_t","description":"
The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
CVSS v2.0{ {\"Access Vector\", \"Network\"}, {\"Access Complexity\", \"Low\"}, ...}.","is_array":true,"requirement":"optional","object_type":"metric","caption":"Metrics","object_name":"Metric"},"base_score":{"type":"float_t","description":"The CVSS base score. For example: 9.1.","requirement":"required","caption":"Base Score","type_name":"Float"},"overall_score":{"type":"float_t","description":"The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.","requirement":"recommended","caption":"Overall Score","type_name":"Float"},"src_url":{"type":"url_t","description":"The source URL for the CVSS score. For example: https://nvd.nist.gov/vuln/detail/CVE-2021-44228","requirement":"optional","caption":"Source URL","type_name":"URL String"},"vector_string":{"type":"string_t","description":"The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.","requirement":"optional","caption":"Vector String","type_name":"String"},"vendor_name":{"type":"string_t","description":"The vendor that provided the CVSS score. For example: NVD, REDHAT etc.","requirement":"recommended","caption":"Vendor Name","type_name":"String"}},"name":"cvss","description":"The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.","extends":"object","caption":"CVSS Score"},"authorization":{"attributes":{"decision":{"type":"string_t","description":"Authorization Result/outcome, e.g. allowed, denied.","requirement":"recommended","caption":"Authorization Decision/Outcome","type_name":"String"},"policy":{"type":"object_t","description":"Details about the Identity/Access management policies that are applicable.","requirement":"optional","object_type":"policy","caption":"Policy","object_name":"Policy"}},"name":"authorization","description":"The Authorization Result object provides details about the authorization outcome and associated policies related to activity.","extends":"object","caption":"Authorization Result"},"ai_model":{"attributes":{"name":{"type":"string_t","description":"Human-readable model name. For example: gpt-4o, claude-3-sonnet, or text-embedding-ada-002.","requirement":"required","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"Model version identifier. For example: 2024-05-13, v2.1.0, or beta.","requirement":"recommended","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the AI model.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"ai_provider":{"type":"string_t","description":"AI service provider or organization name. For example: OpenAI, Anthropic, Google, or Internal.","requirement":"required","caption":"AI Provider","type_name":"String"}},"name":"ai_model","description":"The AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"AI Model Registry and Documentation Standards","url":"https://huggingface.co/docs/hub/models"},{"description":"OpenAI Model Documentation","url":"https://platform.openai.com/docs/models"}],"caption":"AI Model"},"cis_benchmark":{"attributes":{"name":{"type":"string_t","description":"The CIS Benchmark name. For example: Ensure mounting of cramfs filesystems is disabled.","requirement":"required","caption":"Name","type_name":"String"},"desc":{"type":"string_t","description":"The CIS Benchmark description. For example: The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.","requirement":"optional","caption":"Description","type_name":"String"},"cis_controls":{"type":"object_t","description":"The CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.","is_array":true,"requirement":"recommended","object_type":"cis_control","caption":"CIS Controls","object_name":"CIS Control"}},"name":"cis_benchmark","description":"The CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security. See also Getting to Know the CIS Benchmarks.","extends":"object","caption":"CIS Benchmark","@deprecated":{"message":"Use the Compliance object with Checks object instead.","since":"1.5.0"}},"win/reg_key":{"attributes":{"path":{"type":"reg_key_path_t","description":"The full path to the registry key.","requirement":"required","caption":"Path","type_name":"Registry Key Path"},"is_system":{"type":"boolean_t","description":"The indication of whether the object is part of the operating system.","requirement":"optional","caption":"System","type_name":"Boolean"},"modified_time":{"type":"timestamp_t","description":"The time when the registry key was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"security_descriptor":{"type":"string_t","description":"The security descriptor of the registry key.","requirement":"optional","caption":"Security Descriptor","type_name":"String"},"modified_time_dt":{"type":"datetime_t","description":"The time when the registry key was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"reg_key","description":"The registry key object describes a Windows registry key.","extension":"win","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:WindowsRegistryKey.","url":"https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryKey/"}],"extension_id":2,"profiles":["datetime"],"caption":"Registry Key","observable":28},"threat_actor":{"attributes":{"name":{"type":"string_t","description":"The name of the threat actor.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.","requirement":"optional","caption":"Threat Actor Type","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Hacktivists"},"0":{"description":"The threat actor type is unknown.","caption":"Unknown"},"1":{"caption":"Nation-state"},"2":{"caption":"Cybercriminal"},"99":{"description":"The threat actor type is not mapped.","caption":"Other"},"4":{"caption":"Insider"}},"description":"The normalized datastore resource type identifier.","requirement":"recommended","caption":"Threat Actor Type ID","sibling":"type","type_name":"Integer"}},"name":"threat_actor","description":"Threat actor is responsible for the observed malicious activity.","extends":"object","caption":"Threat Actor"},"scan":{"attributes":{"name":{"type":"string_t","description":"The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of scan.","requirement":"optional","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The application-defined unique identifier assigned to an instance of a scan.","requirement":"recommended","caption":"Scan UID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"The scan was triggered by a content update.","caption":"Updated Content"},"6":{"description":"The scan was started due to a user logon.","caption":"User Logon"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"The scan was manually initiated by the user or administrator.","caption":"Manual"},"2":{"description":"The scan was started based on scheduler.","caption":"Scheduled"},"99":{"description":"The scan type id is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The scan was triggered by newly quarantined items.","caption":"Quarantined Items"},"5":{"description":"The scan was triggered by the attachment of removable media.","caption":"Attached Media"},"7":{"description":"The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.","caption":"ELAM"}},"description":"The type id of the scan.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"}},"name":"scan","description":"The Scan object describes characteristics of a proactive scan.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Scan"},"kernel_driver":{"attributes":{"file":{"type":"object_t","description":"The driver/extension file object.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"}},"name":"kernel_driver","description":"The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:KernelModule","url":"https://d3fend.mitre.org/dao/artifact/d3f:KernelModule/"}],"profiles":["data_classification"],"caption":"Kernel Extension"},"kill_chain_phase":{"attributes":{"phase":{"type":"string_t","description":"The cyber kill chain phase.","requirement":"recommended","caption":"Kill Chain Phase","type_name":"String"},"phase_id":{"type":"integer_t","enum":{"3":{"description":"The intruders will use various tactics, such as phishing, infected USB drives, etc.","caption":"Delivery"},"6":{"description":"Malware opens a command channel to enable the intruders to remotely manipulate the victim's system.","caption":"Command & Control"},"0":{"description":"The kill chain phase is unknown.","caption":"Unknown"},"1":{"description":"The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim’s vulnerabilities to determine how to exploit them.","caption":"Reconnaissance"},"2":{"description":"The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities.","caption":"Weaponization"},"99":{"description":"The kill chain phase is not mapped. See the phase attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The intruders start leveraging vulnerabilities to executed code on the victim’s system.","caption":"Exploitation"},"5":{"description":"The intruders install malware on the victim’s system.","caption":"Installation"},"7":{"description":"With hands-on keyboard access, intruders accomplish the mission’s goal.","caption":"Actions on Objectives"}},"description":"The cyber kill chain phase identifier.","requirement":"required","caption":"Kill Chain Phase ID","sibling":"phase","type_name":"Integer"}},"name":"kill_chain_phase","description":"The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain®.","extends":"object","caption":"Kill Chain Phase"},"os":{"attributes":{"name":{"type":"string_t","description":"The operating system name.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the operating system.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The version of the OS running on the device that originated the event. For example: \"Windows 10\", \"OS X 10.7\", or \"iOS 9\".","requirement":"optional","caption":"Version","type_name":"String"},"build":{"type":"string_t","description":"The operating system build number.","requirement":"optional","caption":"OS Build","type_name":"String"},"country":{"type":"string_t","description":"The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code).Note: The two letter country code should be capitalized. For example: US or CA.
en (English), de (German), or fr (French).","requirement":"optional","caption":"Language","type_name":"String"},"type_id":{"type":"integer_t","enum":{"0":{"description":"The type is unknown.","caption":"Unknown"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"101":{"caption":"Windows Mobile"},"100":{"caption":"Windows"},"200":{"caption":"Linux"},"201":{"caption":"Android"},"300":{"caption":"macOS"},"301":{"caption":"iOS"},"302":{"caption":"iPadOS"},"400":{"caption":"Solaris"},"401":{"caption":"AIX"},"402":{"caption":"HP-UX"}},"description":"The type identifier of the operating system.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"cpe_name":{"type":"string_t","description":"The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.","requirement":"optional","caption":"The product CPE identifier","type_name":"String"},"cpu_bits":{"type":"integer_t","description":"The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.","requirement":"optional","caption":"CPU Bits","type_name":"Integer"},"edition":{"type":"string_t","description":"The operating system edition. For example: Professional.","requirement":"optional","caption":"OS Edition","type_name":"String"},"kernel_release":{"type":"string_t","description":"The kernel release of the operating system. On Unix-based systems, this is determined from the uname -r command output, for example \"5.15.0-122-generic\".","requirement":"optional","caption":"Kernel Release","type_name":"String"},"sp_name":{"type":"string_t","description":"The name of the latest Service Pack.","requirement":"optional","caption":"OS Service Pack","type_name":"String"},"sp_ver":{"type":"integer_t","description":"The version number of the latest Service Pack.","requirement":"optional","caption":"OS Service Pack Version","type_name":"Integer"}},"name":"os","description":"The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:OperatingSystem","url":"https://d3fend.mitre.org/dao/artifact/d3f:OperatingSystem/"}],"caption":"Operating System (OS)"},"compliance":{"attributes":{"control":{"type":"string_t","description":"A Control is a prescriptive, actionable set of specifications that strengthens device posture. The control specifies required security measures, while the specific implementation values are defined in control_parameters. E.g., CIS AWS Foundations Benchmark 1.2.0 - Control 2.1 - Ensure CloudTrail is enabled in all regions","references":[{"description":"CIS AWS Foundations Benchmark 1.2.0","url":"https://www.cisecurity.org/benchmark/amazon_web_services"},{"description":"CloudTrail Documentation","url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html"}],"requirement":"recommended","caption":"Security Control","type_name":"String"},"status":{"type":"string_t","description":"The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.","requirement":"recommended","caption":"Status","type_name":"String"},"desc":{"type":"string_t","description":"The description or criteria of a control.","requirement":"optional","caption":"Description","type_name":"String"},"category":{"type":"string_t","description":"The category a control framework pertains to, as reported by the source tool, such as Asset Management or Risk Assessment.","requirement":"optional","caption":"Category","type_name":"String"},"assessments":{"type":"object_t","description":"A list of assessments associated with the compliance requirements evaluation.","is_array":true,"requirement":"optional","object_type":"assessment","caption":"Assessments","object_name":"Assessment"},"checks":{"type":"object_t","description":"A list of compliance checks associated with specific industry standards or frameworks. Each check represents an individual rule or requirement that has been evaluated against a target device. Checks typically include details such as the check name (e.g., CIS: 'Ensure mounting of cramfs filesystems is disabled' or DISA STIG descriptive titles), unique identifiers (such as CIS identifier '1.1.1.1' or DISA STIG identifier 'V-230234'), descriptions (detailed explanations of security requirements or vulnerability discussions), and version information.","is_array":true,"references":[{"description":"Center for Internet Security Benchmarks","url":"https://www.cisecurity.org/cis-benchmarks/"},{"description":"DISA Security Technical Implementation Guides (STIGs)","url":"https://public.cyber.mil/stigs/"}],"requirement":"optional","object_type":"check","caption":"Compliance Checks","object_name":"Check"},"compliance_references":{"type":"object_t","description":"A list of reference KB articles that provide information to help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.","is_array":true,"requirement":"optional","object_type":"kb_article","caption":"Compliance Standard References","@deprecated":{"message":"Use the Compliance object with Check array instead.","since":"1.5.0"},"object_name":"KB Article"},"compliance_standards":{"type":"object_t","description":"A list of established guidelines or criteria that define specific requirements an organization must follow.","is_array":true,"requirement":"optional","object_type":"kb_article","caption":"Compliance Standards: Details","@deprecated":{"message":"Use the Compliance object with Check array instead.","since":"1.5.0"},"object_name":"KB Article"},"control_parameters":{"type":"object_t","description":"The list of control parameters evaluated in a Compliance check. E.g., parameters for CloudTrail configuration might include multiRegionTrailEnabled: true, logFileValidationEnabled: true, and requiredRegions: [us-east-1, us-west-2]","is_array":true,"references":[{"description":"AWS CloudTrail Configuration Parameters","url":"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html"},{"description":"AWS Multi-Region CloudTrail Best Practices","url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html"},{"description":"CloudTrail Log File Validation","url":"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html"}],"requirement":"optional","object_type":"key_value_object","caption":"Control Parameters","object_name":"Key:Value object"},"requirements":{"type":"string_t","description":"The specific compliance requirements being evaluated. E.g., PCI DSS Requirement 8.2.3 - Passwords must meet minimum complexity requirements or HIPAA Security Rule 164.312(a)(2)(iv) - Implement encryption and decryption mechanisms","is_array":true,"references":[{"description":"PCI DSS Standards","url":"https://www.pcisecuritystandards.org/document_library"},{"description":"HIPAA Security Rule","url":"https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html"}],"requirement":"optional","caption":"Compliance Requirements","type_name":"String"},"standards":{"type":"string_t","description":"The regulatory or industry standards being evaluated for compliance.","is_array":true,"references":[{"description":"PCI DSS 3.2.1","url":"https://www.pcisecuritystandards.org/document_library"},{"description":"HIPAA Security Rule","url":"https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html"},{"description":"NIST SP 800-53 Rev. 5","url":"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"},{"description":"ISO/IEC 27001:2013","url":"https://www.iso.org/standard/54534.html"}],"requirement":"recommended","caption":"Compliance Standards: List","type_name":"String"},"status_code":{"type":"string_t","description":"The resultant status code of the compliance check.","requirement":"optional","caption":"Status Code","type_name":"String"},"status_detail":{"type":"string_t","description":"The contextual description of the status, status_code values.","requirement":"optional","caption":"Status Detail","type_name":"String","@deprecated":{"message":"Use the status_details attribute instead.","since":"1.4.0"}},"status_details":{"type":"string_t","description":"A list of contextual descriptions of the status, status_code values.","is_array":true,"requirement":"optional","caption":"Status Details","type_name":"String"},"status_id":{"type":"integer_t","enum":{"3":{"description":"The compliance check failed for at least one of the evaluated resources.","caption":"Fail"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"The compliance check passed for all the evaluated resources.","caption":"Pass"},"2":{"description":"The compliance check did not yield a result due to missing information.","caption":"Warning"},"99":{"description":"The status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized status identifier of the compliance check.","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"}},"name":"compliance","description":"The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements or details about custom assessments utilized in a compliance evaluation. Standards define broad security frameworks, controls represent specific security requirements within those frameworks, and checks are the testable verification points used to determine if controls are properly implemented.","extends":"object","profiles":["cloud","data_classification"],"caption":"Compliance"},"d3fend":{"attributes":{"version":{"type":"string_t","description":"The D3FEND™ Matrix version.","requirement":"recommended","caption":"Version","type_name":"String"},"d3f_tactic":{"type":"object_t","description":"The Tactic object describes the tactic ID and/or name that is associated with a countermeasure.","references":[{"description":"D3FEND™ Matrix","url":"https://d3fend.mitre.org"}],"requirement":"recommended","object_type":"d3f_tactic","caption":"MITRE D3FEND™ Tactic","object_name":"MITRE D3FEND™ Tactic"},"d3f_technique":{"type":"object_t","description":"The Technique object describes the technique ID and/or name associated with a countermeasure.","references":[{"description":"D3FEND™ Matrix","url":"https://d3fend.mitre.org"}],"requirement":"recommended","object_type":"d3f_technique","caption":"MITRE D3FEND™ Technique","object_name":"MITRE D3FEND™ Technique"}},"name":"d3fend","description":"The MITRE D3FEND™ object describes the tactic & technique associated with a countermeasure.","extends":"object","constraints":{"at_least_one":["d3f_tactic","d3f_technique"]},"references":[{"description":"D3FEND™ Matrix","url":"https://d3fend.mitre.org"}],"caption":"MITRE D3FEND™"},"email":{"attributes":{"size":{"type":"long_t","description":"The size in bytes of the email, including attachments.","requirement":"recommended","caption":"Size","type_name":"Long"},"from_list":{"type":"email_t","description":"The machine-readable email header From values. This array should contain the value in from. For example example.user@usersdomain.com.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"requirement":"optional","caption":"From List","type_name":"Email Address"},"uid":{"type":"string_t","description":"The unique identifier of the email thread.","requirement":"recommended","caption":"Email Thread UID","type_name":"String","observable":41},"files":{"type":"object_t","description":"The files embedded or attached to the email.","is_array":true,"requirement":"optional","object_type":"file","caption":"Files","object_name":"File"},"from":{"type":"email_t","description":"The machine-readable email header From value, as defined by RFC 5322. For example example.user@usersdomain.com.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"From","type_name":"Email Address"},"cc":{"type":"email_t","description":"The machine-readable email header Cc values, as defined by RFC 5322. For example example.user@usersdomain.com.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"optional","caption":"Cc","type_name":"Email Address"},"to":{"type":"email_t","description":"The machine-readable email header To values, as defined by RFC 5322. For example example.user@usersdomain.com","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"To","type_name":"Email Address"},"sender":{"type":"email_t","description":"The machine readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the from field, which shows the message author. The sender field is most commonly used when multiple addresses appear in the from_list field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"optional","caption":"Sender","type_name":"Email Address"},"subject":{"type":"string_t","description":"The email header Subject value, as defined by RFC 5322.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"Subject","type_name":"String","observable":40},"cc_mailboxes":{"type":"string_t","description":"The human-readable email header Cc Mailbox values. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"requirement":"optional","caption":"Cc Mailboxes","type_name":"String"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"delivered_to":{"type":"email_t","description":"The machine-readable Delivered-To email header field. For example example.user@usersdomain.com","requirement":"optional","caption":"Delivered To","type_name":"Email Address","@deprecated":{"message":"Use the delivered_to_list attribute instead.","since":"1.4.0"}},"delivered_to_list":{"type":"email_t","description":"The machine-readable Delivered-To email header values. For example example.user@usersdomain.com","is_array":true,"references":[{"description":"RFC 9228","url":"https://www.rfc-editor.org/rfc/rfc9228"}],"requirement":"optional","caption":"Delivered To List","type_name":"Email Address"},"from_mailbox":{"type":"string_t","description":"The human-readable email header From Mailbox value. For example 'Example User <example.user@usersdomain.com>'.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"requirement":"optional","caption":"From Mailbox","type_name":"String"},"from_mailboxes":{"type":"email_t","description":"The human-readable email header From Mailbox values. This array should contain the value in from_mailbox. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"requirement":"optional","caption":"From Mailboxes","type_name":"Email Address"},"http_headers":{"type":"object_t","description":"Additional HTTP headers of an HTTP request or response.","is_array":true,"requirement":"optional","object_type":"http_header","caption":"HTTP Headers","object_name":"HTTP Header"},"is_read":{"type":"boolean_t","description":"The indication of whether the email has been read.","requirement":"optional","caption":"Read","type_name":"Boolean"},"message_uid":{"type":"string_t","description":"The email header Message-ID value, as defined by RFC 5322.","source":"Message-ID","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"Message UID","type_name":"String","observable":42},"raw_header":{"type":"string_t","description":"The email authentication header.","requirement":"optional","caption":"Raw Header","type_name":"String"},"reply_to":{"type":"email_t","description":"The machine-readable email header Reply-To value, as defined by RFC 5322. For example example.user@usersdomain.com","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"Reply To","type_name":"Email Address","@deprecated":{"message":"Use the reply_to_list attribute instead.","since":"1.4.0"}},"reply_to_list":{"type":"email_t","description":"The machine-readable email header Reply-To values, as defined by RFC 5322. For example example.user@usersdomain.com","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"optional","caption":"Reply To List","type_name":"Email Address"},"reply_to_mailboxes":{"type":"string_t","description":"The human-readable email header Reply To Mailbox values. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"requirement":"optional","caption":"Reply To Mailboxes","type_name":"String"},"return_path":{"type":"email_t","description":"The address found in the 'Return-Path' header, which indicates where bounce messages (non-delivery reports) should be sent. This address is often set by the sending system and may differ from the 'From' or 'Sender' addresses. For example, mailer-daemon@senderserver.com.","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"},{"description":"RFC 5321 - Simple Mail Transfer Protocol","url":"https://datatracker.ietf.org/doc/html/rfc5321#section-4.4"}],"requirement":"optional","caption":"Return Path","type_name":"Email Address"},"sender_mailbox":{"type":"string_t","description":"The human readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the from_mailbox field, which shows the message author. The sender mailbox field is most commonly used when multiple addresses appear in the from_mailboxes field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"optional","caption":"Sender Mailbox","type_name":"String"},"smtp_from":{"type":"email_t","description":"The value of the SMTP MAIL FROM command.","requirement":"recommended","caption":"SMTP From","type_name":"Email Address","@deprecated":{"message":"Use the from attribute instead.","since":"1.4.0"}},"smtp_to":{"type":"email_t","description":"The value of the SMTP envelope RCPT TO command.","is_array":true,"requirement":"recommended","caption":"SMTP To","type_name":"Email Address","@deprecated":{"message":"Use the to attribute instead.","since":"1.4.0"}},"to_mailboxes":{"type":"string_t","description":"The human-readable email header To Mailbox values. For example 'Example User <example.user@usersdomain.com>'.","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322#section-3.4"}],"requirement":"optional","caption":"To Mailboxes","type_name":"String"},"urls":{"type":"object_t","description":"The URLs embedded in the email.","is_array":true,"requirement":"optional","object_type":"url","caption":"URLs","object_name":"Uniform Resource Locator"},"x_originating_ip":{"type":"ip_t","description":"The X-Originating-IP header identifying the emails originating IP address(es).","is_array":true,"requirement":"optional","caption":"X-Originating-IP","type_name":"IP Address"}},"name":"email","description":"The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.","extends":"object","constraints":{"at_least_one":["from","to"]},"references":[{"description":"D3FEND™ Ontology d3f:Email.","url":"https://d3fend.mitre.org/dao/artifact/d3f:Email/"}],"profiles":["data_classification"],"caption":"Email","observable":22},"firewall_rule":{"attributes":{"name":{"type":"string_t","description":"The name of the rule that generated the event.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The rule type.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The rule version. For example: 1.1.","requirement":"optional","caption":"Version","type_name":"String"},"desc":{"type":"string_t","description":"The description of the rule that generated the event.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the rule that generated the event.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The rule category.","requirement":"optional","caption":"Category","type_name":"String"},"duration":{"type":"long_t","description":"The rule response time duration, usually used for challenge completion time.","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"condition":{"type":"string_t","description":"The rule trigger condition for the rule. For example: SQL_INJECTION.","requirement":"optional","caption":"Condition","type_name":"String"},"match_details":{"type":"string_t","description":"The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.","is_array":true,"requirement":"optional","caption":"Match Details","type_name":"String"},"match_location":{"type":"string_t","description":"The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.","requirement":"optional","caption":"Match Location","type_name":"String"},"rate_limit":{"type":"integer_t","description":"The rate limit for a rate-based rule.","requirement":"optional","caption":"Rate Limit","type_name":"Integer"},"sensitivity":{"type":"string_t","description":"The sensitivity of the firewall rule in the matched event. For example: HIGH.","requirement":"optional","caption":"Sensitivity","type_name":"String"}},"name":"firewall_rule","description":"The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.","extends":"rule","constraints":{"at_least_one":["name","uid"]},"caption":"Firewall Rule"},"startup_item":{"attributes":{"driver":{"type":"object_t","description":"The startup item kernel driver resource.","requirement":"optional","object_type":"kernel_driver","caption":"Kernel Driver","object_name":"Kernel Extension"},"name":{"type":"string_t","description":"The unique name of the startup item.","requirement":"required","caption":"Name","type_name":"String"},"process":{"type":"object_t","description":"The startup item process resource.","requirement":"optional","object_type":"process","caption":"Process","object_name":"Process"},"type":{"type":"string_t","description":"The startup item type.","requirement":"optional","caption":"Type","type_name":"String"},"start_type":{"type":"string_t","description":"The start type of the startup item.","requirement":"optional","caption":"Start Type","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A background process typically managed by the operating system, e.g., a service process on Windows or a systemd-managed daemon on Linux.","caption":"Service"},"6":{"description":"System extensions on macOS enables 3rd parties to extend the capabilities of macOS.","caption":"System Extension"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"Kernel mode driver.","caption":"Kernel Mode Driver"},"2":{"description":"User mode driver.","caption":"User Mode Driver"},"99":{"description":"The startup item type is not mapped. See the type attribute, which contains data source specific values.","caption":"Other"},"4":{"description":"An application that runs in the user space.","caption":"User Mode Application"},"5":{"description":"The macOS Autoload Application.","caption":"Autoload"},"7":{"description":"Kernel extensions on macOS includes Apple provided pre-installs and 3rd party installs which enables support for specific hardware or software features not natively supported by macOS.","caption":"Kernel Extension"},"8":{"description":"A job or task that runs on a configured schedule.","caption":"Scheduled Job, Task"}},"description":"The startup item type identifier.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"job":{"type":"object_t","description":"The startup item job resource.","requirement":"optional","object_type":"job","caption":"Job","object_name":"Job"},"run_mode_ids":{"type":"integer_t","enum":{"3":{"description":"The startup item runs in a shared process.","caption":"Shared Process"},"0":{"description":"The run mode is unknown.","caption":"Unknown"},"1":{"description":"The startup item interacts with the desktop.","caption":"Interactive"},"2":{"description":"The startup item runs in its own process.","caption":"Own Process"},"99":{"description":"The run mode is not mapped. See the run_modes attribute, which contains data source specific values.","caption":"Other"}},"description":"The list of normalized identifiers that describe the startup items' properties when it is running. Use this field to capture extended information about the process, which may depend on the type of startup item. E.g., A Windows service that interacts with the desktop.","is_array":true,"requirement":"optional","caption":"Run Mode IDs","sibling":"run_modes","type_name":"Integer"},"run_modes":{"type":"string_t","description":"The list of run_modes, normalized to the captions of the run_mode_id values. In the case of 'Other', they are defined by the event source.","is_array":true,"requirement":"optional","caption":"Run Modes","type_name":"String"},"run_state":{"type":"string_t","description":"The run state of the startup item.","requirement":"optional","caption":"Run State","type_name":"String"},"run_state_id":{"type":"integer_t","enum":{"3":{"description":"The service is stopping.","caption":"Stop Pending"},"6":{"description":"The service is pending pause.","caption":"Pause Pending"},"0":{"description":"The run state is unknown.","caption":"Unknown"},"1":{"description":"The service is not running.","caption":"Stopped"},"2":{"description":"The service is starting.","caption":"Start Pending"},"99":{"description":"The run state is not mapped. See the run_state attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The service is running.","caption":"Running"},"5":{"description":"The service is pending continue.","caption":"Continue Pending"},"7":{"description":"The service is paused.","caption":"Paused"},"8":{"description":"The service is pending restart.","caption":"Restart Pending"}},"description":"The run state ID of the startup item.","requirement":"recommended","caption":"Run State ID","sibling":"run_state","type_name":"Integer"},"start_type_id":{"type":"integer_t","enum":{"3":{"description":"Started on demand. For example, by the Windows Service Control Manager when a process calls the StartService function.","caption":"On Demand"},"6":{"description":"Started on specific user logins.","caption":"Specific User Login"},"0":{"description":"The start type is unknown.","caption":"Unknown"},"1":{"description":"Service started automatically during system startup.","caption":"Auto"},"2":{"description":"Device driver started by the system loader.","caption":"Boot"},"99":{"description":"The start type is not mapped. See the start_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The service is disabled, and cannot be started.","caption":"Disabled"},"5":{"description":"Started on all user logins.","caption":"All Logins"},"7":{"description":"Stared according to a schedule.","caption":"Scheduled"},"8":{"description":"Started when a system item, such as a file or registry key, changes.","caption":"System Changed"}},"description":"The start type ID of the startup item.","requirement":"required","caption":"Start Type ID","sibling":"start_type","type_name":"Integer"},"win_service":{"type":"object_t","description":"The startup item Windows service resource.","extension":"win","requirement":"optional","extension_id":2,"object_type":"win/win_service","caption":"Windows Service","object_name":"Windows Service"}},"name":"startup_item","description":"The startup item object describes an application component that has associated startup criteria and configurations.","constraints":{"just_one":["driver","job","process","win_service"]},"profiles":["container","data_classification","linux/linux_users","macos/macos_users"],"caption":"Startup Item"},"dce_rpc":{"attributes":{"command":{"type":"string_t","description":"The request command (e.g. REQUEST, BIND).","requirement":"recommended","caption":"Command","type_name":"String"},"flags":{"type":"string_t","description":"The list of interface flags.","is_array":true,"requirement":"required","caption":"Flags","type_name":"String"},"command_response":{"type":"string_t","description":"The reply to the request command (e.g. RESPONSE, BINDACK or FAULT).","requirement":"recommended","caption":"Command Response","type_name":"String"},"opnum":{"type":"integer_t","description":"An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.","requirement":"recommended","caption":"Opnum","type_name":"Integer"},"rpc_interface":{"type":"object_t","description":"The RPC Interface object describes the details pertaining to the remote procedure call interface.","requirement":"required","object_type":"rpc_interface","caption":"Remote Procedure Call Interface","object_name":"RPC Interface"}},"name":"dce_rpc","description":"The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:RemoteProcedureCall.","url":"https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/"}],"caption":"DCE/RPC"},"node":{"attributes":{"data":{"type":"json_t","description":"Additional data about the node stored as key-value pairs. Can include custom properties specific to the node.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"A human-readable name or label for the node. Should be descriptive and unique within the graph context.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"Categorizes the node into a specific class or type. Useful for grouping and filtering nodes.","requirement":"optional","caption":"Type","type_name":"String"},"desc":{"type":"string_t","description":"A human-readable description of the node's purpose or meaning in the graph.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"A unique string or numeric identifier that distinguishes this node from all others in the graph. Must be unique across all nodes.","requirement":"required","caption":"Unique ID","type_name":"String"}},"name":"node","description":"Represents a node or a vertex in a graph structure.","extends":"object","references":[{"description":"JSON graph specification.","url":"https://github.com/jsongraph/json-graph-specification/"}],"caption":"Node"},"http_cookie":{"attributes":{"name":{"type":"string_t","description":"The HTTP cookie name.","requirement":"required","caption":"Name","type_name":"String"},"value":{"type":"string_t","description":"The HTTP cookie value.","requirement":"required","caption":"Value","type_name":"String"},"path":{"type":"string_t","description":"The path of the HTTP cookie.","requirement":"optional","caption":"Path","type_name":"String"},"domain":{"type":"string_t","description":"The domain name for the server from which the http_cookie is served.","requirement":"optional","caption":"Domain","type_name":"String"},"secure":{"type":"boolean_t","description":"The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.","requirement":"optional","caption":"Secure","type_name":"Boolean","@deprecated":{"message":"Use the is_secure attribute instead.","since":"1.1.0"}},"http_only":{"type":"boolean_t","description":"A cookie attribute to make it inaccessible via JavaScript","requirement":"optional","caption":"HTTP Only","type_name":"Boolean","@deprecated":{"message":"Use the is_http_only attribute instead.","since":"1.1.0"}},"expiration_time":{"type":"timestamp_t","description":"The expiration time of the HTTP cookie.","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"is_http_only":{"type":"boolean_t","description":"This attribute prevents the cookie from being accessed via JavaScript.","requirement":"optional","caption":"HTTP Only","type_name":"Boolean"},"is_secure":{"type":"boolean_t","description":"The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.","requirement":"optional","caption":"Secure","type_name":"Boolean"},"samesite":{"type":"string_t","description":"The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None","requirement":"optional","caption":"SameSite","type_name":"String"},"expiration_time_dt":{"type":"datetime_t","description":"The expiration time of the HTTP cookie.","requirement":"optional","profiles":["datetime"],"caption":"Expiration Time","type_name":"Datetime"}},"name":"http_cookie","description":"The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user's web browser. This data is then stored by the browser and sent back to the server with subsequent requests, allowing the server to remember and track certain information about the user's browsing session or preferences.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:SessionCookie.","url":"https://d3fend.mitre.org/dao/artifact/d3f:SessionCookie/"}],"profiles":["datetime"],"caption":"HTTP Cookie"},"malware":{"attributes":{"name":{"type":"string_t","description":"The malware name, as reported by the detection engine.","requirement":"recommended","caption":"Name","type_name":"String"},"path":{"type":"file_path_t","description":"The filesystem path of the malware that was observed.","requirement":"recommended","caption":"Path","type_name":"File Path","@deprecated":{"message":"Use file.path attribute available via files.","since":"1.5.0"}},"uid":{"type":"string_t","description":"A unique identifier for the specific malware instance, as assigned by the detection engine (e.g., virus signature ID or IPS rule ID).","requirement":"recommended","caption":"Unique ID","type_name":"String"},"files":{"type":"object_t","description":"The list of file objects representing files that were identified as infected by the malware.","is_array":true,"requirement":"optional","object_type":"file","caption":"Files","object_name":"File"},"severity":{"type":"string_t","description":"The severity of the malware, normalized to the captions of the severity_id values. In the case of 'Other', they are defined by the event source.","requirement":"optional","caption":"Severity","type_name":"String"},"classification_ids":{"type":"integer_t","enum":{"3":{"caption":"Bot"},"6":{"caption":"Downloader"},"0":{"description":"The classification is unknown.","caption":"Unknown"},"1":{"caption":"Adware"},"2":{"caption":"Backdoor"},"99":{"description":"The classification is not mapped. See the classifications attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Bootkit"},"5":{"caption":"DDOS"},"7":{"caption":"Dropper"},"8":{"caption":"Exploit-Kit"},"9":{"caption":"Keylogger"},"10":{"caption":"Ransomware"},"11":{"caption":"Remote-Access-Trojan"},"14":{"caption":"Rogue-Security-Software"},"15":{"caption":"Rootkit"},"16":{"caption":"Screen-Capture"},"17":{"caption":"Spyware"},"18":{"caption":"Trojan"},"20":{"caption":"Webshell"},"21":{"caption":"Wiper"},"22":{"caption":"Worm"},"13":{"caption":"Resource-Exploitation"},"19":{"caption":"Virus"}},"description":"The list of normalized identifiers of the malware classifications.","is_array":true,"references":[{"description":"STIX Malware Types","url":"https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oxlc4df65spl"}],"requirement":"required","caption":"Classification IDs","sibling":"classifications","type_name":"Integer"},"classifications":{"type":"string_t","description":"The list of malware classifications, normalized to the captions of the classification_ids values. In the case of 'Other', they are defined by the event source.","is_array":true,"requirement":"optional","caption":"Classifications","type_name":"String"},"cves":{"type":"object_t","description":"The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware. Reference: CVE","is_array":true,"requirement":"optional","object_type":"cve","caption":"CVE List","object_name":"CVE"},"num_infected":{"type":"integer_t","description":"The number of files that were identified to be infected by the malware.","requirement":"optional","caption":"Number of Infected Entities","type_name":"Integer"},"provider":{"type":"string_t","description":"The name or identifier of the security solution or service that provided the malware detection information.","requirement":"recommended","caption":"Provider","type_name":"String"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the malware severity.","requirement":"recommended","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"malware","description":"The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["data_classification"],"caption":"Malware"},"occurrence_details":{"attributes":{"end_line":{"type":"integer_t","description":"The line number of the last line of the file, where the information was discovered.","requirement":"optional","caption":"End Line","type_name":"Integer"},"cell_name":{"type":"string_t","description":"The cell name/reference in a spreadsheet. e.g A2","requirement":"optional","caption":"Cell Name","type_name":"String"},"column_name":{"type":"string_t","description":"The column name in a spreadsheet, where the information was discovered.","requirement":"optional","caption":"Column Name","type_name":"String"},"column_number":{"type":"integer_t","description":"The column number in a spreadsheet or a plain text document, where the information was discovered.","requirement":"optional","caption":"Column Number","type_name":"Integer"},"json_path":{"type":"string_t","description":"The JSON path of the attribute in a json record, where the information was discovered","requirement":"optional","caption":"JSON Path","type_name":"String"},"page_number":{"type":"integer_t","description":"The page number in a document, where the information was discovered.","requirement":"optional","caption":"Page Number","type_name":"Integer"},"record_index_in_array":{"type":"integer_t","description":"The index of the record in the array of records, where the information was discovered. e.g. the index of a record in an array of JSON records in a file.","requirement":"optional","caption":"Record Index in Array","type_name":"Integer"},"row_number":{"type":"integer_t","description":"The row number in a spreadsheet, where the information was discovered.","requirement":"optional","caption":"Row Number","type_name":"Integer"},"start_line":{"type":"integer_t","description":"The line number of the first line of the file, where the information was discovered.","requirement":"optional","caption":"Start Line","type_name":"Integer"}},"name":"occurrence_details","description":"Details about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populated.","extends":"object","constraints":{"at_least_one":["cell_name","column_name","column_number","end_line","json_path","page_number","record_index_in_array","row_number","start_line"]},"caption":"Occurrence Details"},"script":{"attributes":{"name":{"type":"string_t","description":"Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis.","requirement":"optional","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The script type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Type","type_name":"String"},"file":{"type":"object_t","description":"Present if this script is associated with a file. Not present in the case of a file-less script.","requirement":"optional","object_type":"file","caption":"File","object_name":"File"},"uid":{"type":"string_t","description":"Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the ScriptBlockId in the raw ETW events provided by the OS.","requirement":"optional","caption":"Unique ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Python"},"6":{"caption":"Unix Shell"},"0":{"description":"The script type is unknown.","caption":"Unknown"},"1":{"caption":"Windows Command Prompt"},"2":{"caption":"PowerShell"},"99":{"description":"The script type is not mapped. See the type attribute which contains an event source specific value.","caption":"Other"},"4":{"caption":"JavaScript"},"5":{"caption":"VBScript"},"7":{"caption":"VBA"}},"description":"The normalized script type ID.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"hashes":{"type":"object_t","description":"An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content attribute.","is_array":true,"requirement":"recommended","object_type":"fingerprint","caption":"Hashes","object_name":"Fingerprint"},"parent_uid":{"type":"string_t","description":"This attribute relates a sub-script to a parent script having the matching uid attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.","requirement":"optional","caption":"Parent Unique ID","type_name":"String"},"script_content":{"type":"object_t","description":"The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.","requirement":"required","object_type":"long_string","caption":"Script Content","object_name":"Long String","observable":36}},"name":"script","description":"The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:ExecutableScript.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/"}],"profiles":["data_classification"],"caption":"Script"},"privilege_info":{"attributes":{"name":{"type":"string_t","description":"The name of the privilege, action, or permission. Examples: GetObject, CreateStoreImageTask (AWS); Microsoft.Storage/storageAccounts/read (Azure); storage.objects.get (GCP).","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type or category of the privilege, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Type","type_name":"String"},"is_unused":{"type":"boolean_t","description":"Indicates whether the privilege is unused within the analysis timeframe.","requirement":"optional","caption":"Is Unused","type_name":"Boolean"},"type_id":{"type":"integer_t","enum":{"3":{"description":"An execute-type privilege that permits running operations or invoking functions. Examples: lambda:InvokeFunction, Microsoft.Compute/virtualMachines/start/action.","caption":"Execute"},"0":{"description":"The privilege type is unknown.","caption":"Unknown"},"1":{"description":"A read-type privilege that permits viewing or retrieving data. Examples: s3:GetObject, Microsoft.Storage/storageAccounts/read, storage.objects.get.","caption":"Read"},"2":{"description":"A write-type privilege that permits creating, modifying, or deleting data. Examples: s3:PutObject, Microsoft.Storage/storageAccounts/write, storage.objects.create.","caption":"Write"},"99":{"description":"The privilege type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized type of the privilege.","requirement":"optional","caption":"Type ID","sibling":"type","type_name":"Integer"},"last_used_time":{"type":"timestamp_t","description":"The most recent time this privilege was used.","requirement":"optional","caption":"Last Used Time","type_name":"Timestamp"},"last_used_time_dt":{"type":"datetime_t","description":"The most recent time this privilege was used.","requirement":"optional","profiles":["datetime"],"caption":"Last Used Time","type_name":"Datetime"}},"name":"privilege_info","description":"The Privilege Info object describes information about a specific privilege, action, or permission. It captures the privilege name, type, usage status, and when it was last used.","extends":"object","profiles":["datetime"],"caption":"Privilege Info"},"http_response":{"attributes":{"code":{"type":"integer_t","description":"The Hypertext Transfer Protocol (HTTP) status code returned from the web server to the client. For example, 200.","requirement":"required","caption":"Response Code","type_name":"Integer"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","requirement":"optional","caption":"Message","type_name":"String"},"status":{"type":"string_t","description":"The response status. For example: A successful HTTP status of 'OK' which corresponds to a code of 200.","requirement":"optional","caption":"Status","type_name":"String"},"length":{"type":"integer_t","description":"The length of the entire HTTP response, in number of bytes.","requirement":"optional","caption":"Response Length","type_name":"Integer"},"content_type":{"type":"string_t","description":"The request header that identifies the original media type of the resource (prior to any content encoding applied for sending).","requirement":"optional","caption":"HTTP Content Type","type_name":"String"},"body_length":{"type":"integer_t","description":"The actual length of the HTTP response body, in number of bytes, independent of a potentially existing Content-Length header.","requirement":"optional","caption":"Response Body Length","type_name":"Integer"},"http_headers":{"type":"object_t","description":"Additional HTTP headers of an HTTP request or response.","is_array":true,"requirement":"recommended","object_type":"http_header","caption":"HTTP Headers","object_name":"HTTP Header"},"latency":{"type":"integer_t","description":"The HTTP response latency measured in milliseconds.","requirement":"optional","caption":"Latency","type_name":"Integer"}},"name":"http_response","description":"The HTTP Response object contains detailed information about the response sent from a web server to the requester. It encompasses attributes and metadata that describe the response status, headers, body content, and other relevant information.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:InboundInternetNetworkTraffic.","url":"https://d3fend.mitre.org/dao/artifact/d3f:InboundInternetNetworkTraffic/"}],"caption":"HTTP Response"},"data_security":{"attributes":{"size":{"type":"long_t","description":"Size of the data classified.","requirement":"optional","caption":"Size","type_name":"Long"},"status":{"type":"string_t","description":"The resultant status of the classification job normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.","requirement":"recommended","caption":"Status","type_name":"String"},"total":{"type":"integer_t","description":"The total count of discovered entities, by the classification job.","requirement":"optional","caption":"Total","type_name":"Integer"},"uid":{"type":"string_t","description":"The unique identifier of the classification job.","requirement":"optional","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.","requirement":"optional","caption":"Category","type_name":"String"},"pattern_match":{"type":"string_t","description":"A text, binary, file name, or datastore that matched against a detection rule.","requirement":"optional","caption":"Pattern Match","type_name":"String"},"category_id":{"type":"integer_t","enum":{"3":{"description":"Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc.","caption":"Financial"},"6":{"description":"Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc.","caption":"Security"},"0":{"description":"The type is not mapped. See the data_type attribute, which contains a data source specific value.","caption":"Unknown"},"1":{"description":"Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc.","caption":"Personal"},"2":{"description":"Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc.","caption":"Governmental"},"99":{"description":"Any other type of data classification or a multi-variate classification made up of several other classification categories.","caption":"Other"},"4":{"description":"Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar.","caption":"Business"},"5":{"description":"Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data.","caption":"Military and Law Enforcement"}},"description":"The normalized identifier of the data classification category.","requirement":"recommended","caption":"Category ID","sibling":"category","type_name":"Integer"},"classifier_details":{"type":"object_t","description":"Describes details about the classifier used for data classification.","requirement":"recommended","object_type":"classifier_details","caption":"Classifier Details","object_name":"Classifier Details"},"confidentiality":{"type":"string_t","description":"The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Confidentiality","type_name":"String"},"confidentiality_id":{"type":"integer_t","enum":{"3":{"caption":"Secret"},"6":{"caption":"Restricted"},"0":{"description":"The confidentiality is unknown.","caption":"Unknown"},"1":{"caption":"Not Confidential"},"2":{"caption":"Confidential"},"99":{"description":"The confidentiality is not mapped. See the confidentiality attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Top Secret"},"5":{"caption":"Private"}},"description":"The normalized identifier of the file content confidentiality indicator.","requirement":"recommended","caption":"Confidentiality ID","sibling":"confidentiality","type_name":"Integer"},"data_lifecycle_state":{"type":"string_t","description":"The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.","requirement":"optional","caption":"Data Lifecycle State","type_name":"String"},"data_lifecycle_state_id":{"type":"integer_t","enum":{"3":{"description":"The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF.","caption":"Data in-Use"},"0":{"description":"The data lifecycle state is unknown.","caption":"Unknown"},"1":{"description":"The data was stored on physical or logical media and was not actively moving through the network nor was being processed. E.g., data stored in a database, PDF files in a file share, or EHR records in object storage.","caption":"Data at-Rest"},"2":{"description":"The data was actively moving through the network or from one physical or logical location to another. E.g., emails being send, data replication or Change Data Capture (CDC) streams, or sensitive data processed on an API.","caption":"Data in-Transit"},"99":{"description":"The data lifecycle state is not mapped. See the data_lifecycle_state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The stage or state that the data was in when it was assessed or scanned by a data security tool.","requirement":"recommended","caption":"Data Lifecycle State ID","sibling":"data_lifecycle_state","type_name":"Integer"},"detection_pattern":{"type":"string_t","description":"Specific pattern, algorithm, fingerprint, or model used for detection.","requirement":"recommended","caption":"Detection Pattern","type_name":"String"},"detection_system":{"type":"string_t","description":"The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.","requirement":"optional","caption":"Detection System","type_name":"String"},"detection_system_id":{"type":"integer_t","enum":{"3":{"description":"A Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tool that can detect sensitive data and/or enforce data security policies on mobile devices (e.g., cellphones, tablets, End User Devices [EUDs]).","caption":"Mobile Device Management"},"6":{"description":"A Secure Email Gateway (SEG) is any tool that can detect sensitive data and/or enforce data security policies within email systems. E.g., Microsoft Defender for Office, Google Workspaces.","caption":"Secure Email Gateway"},"0":{"description":"The type is not mapped. See the detection_system attribute, which contains a data source specific value.","caption":"Unknown"},"1":{"description":"A dedicated agent or sensor installed on a device, either a dedicated data security tool or an Endpoint Detection & Response (EDR) tool that can detect sensitive data and/or enforce data security policies. E.g., Forcepoint DLP, Symantec DLP, Microsoft Defender for Endpoint (MDE).","caption":"Endpoint"},"2":{"description":"A Data Loss Prevention (DLP) gateway that is positioned in-line of an information store such as a network share, a database, or otherwise that can detect sensitive data and/or enforce data security policies.","caption":"DLP Gateway"},"99":{"description":"Any other type of detection system or a multi-variate system made up of several other systems.","caption":"Other"},"4":{"description":"A tool that actively identifies and classifies sensitive data in digital media and information stores in accordance with a policy or automated functionality. E.g, Amazon Macie, Microsoft Purview.","caption":"Data Discovery & Classification"},"5":{"description":"A Secure Web Gateway (SWG) is any tool that can detect sensitive data and/or enforce data security policies at a network-edge such as within a proxy or firewall service.","caption":"Secure Web Gateway"},"7":{"description":"A Digital Rights Management (DRM) or a dedicated Information Rights Management (IRM) are tools which can detect sensitive data and/or enforce data security policies on digital media via policy or user access rights.","caption":"Digital Rights Management"},"8":{"description":"A Cloud Access Security Broker (CASB) that can detect sensitive data and/or enforce data security policies in-line to cloud systems such as the public cloud or Software-as-a-Service (SaaS) tool. E.g., Forcepoint CASB, SkyHigh Security.","caption":"Cloud Access Security Broker"},"9":{"description":"A Database Activity Monitoring (DAM) tool that can detect sensitive data and/or enforce data security policies as part of a dedicated database or warehouse monitoring solution.","caption":"Database Activity Monitoring"},"10":{"description":"A built in Data Loss Prevention (DLP) or other data security capability within a tool or platform such as an Enterprise Resource Planning (ERP) or Customer Relations Management (CRM) tool that can detect sensitive data and/or enforce data security policies.","caption":"Application-Level DLP"},"11":{"description":"Any Developer Security tool such as an Infrastructure-as-Code (IAC) security scanner, Secrets Detection, or Secure Software Development Lifecycle (SSDLC) tool that can detect sensitive data and/or enforce data security policies. E.g., TruffleHog, GitGuardian, Git-Secrets.","caption":"Developer Security"},"12":{"description":"A Data Security Posture Management (DSPM) tool is a continuous monitoring and data discovery solution that can detect sensitive data and/or enforce data security policies for local and cloud environments. E.g., Cyera, Sentra, IBM Polar Security.","caption":"Data Security Posture Management"}},"description":"The type of data security tool or system that the finding, detection, or alert originated from.","requirement":"recommended","caption":"Detection System ID","sibling":"detection_system","type_name":"Integer"},"discovery_details":{"type":"object_t","description":"Details about the data discovered by classification job.","is_array":true,"requirement":"optional","object_type":"discovery_details","caption":"Discovery Details","object_name":"Discovery Details"},"policy":{"type":"object_t","description":"Details about the policy that triggered the finding.","requirement":"recommended","object_type":"policy","caption":"Policy","object_name":"Policy"},"src_url":{"type":"url_t","description":"The source URL pointing towards the full classification job details.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"status_details":{"type":"string_t","description":"The contextual description of the status, status_id value.","is_array":true,"requirement":"optional","caption":"Status Details","type_name":"String"},"status_id":{"type":"integer_t","enum":{"3":{"description":"The classification job failed for the evaluated resource.","caption":"Fail"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"The classification job completed for the evaluated resource.","caption":"Complete"},"2":{"description":"The classification job partially completed for the evaluated resource.","caption":"Partial"},"99":{"description":"The classification job type id is not mapped.","caption":"Other"}},"description":"The normalized status identifier of the classification job.","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"}},"name":"data_security","description":"The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).","extends":"data_classification","constraints":{"at_least_one":["data_lifecycle_state_id","detection_pattern","detection_system_id","policy"]},"caption":"Data Security"},"timespan":{"attributes":{"type":{"type":"string_t","description":"The type of time span duration the object represents.","requirement":"optional","caption":"Time Span Type","type_name":"String"},"start_time":{"type":"timestamp_t","description":"The start time or beginning of the timespan's interval.","requirement":"recommended","caption":"Start Time","type_name":"Timestamp"},"duration":{"type":"long_t","description":"The duration of the time span in milliseconds.","requirement":"recommended","caption":"Duration Milliseconds","type_name":"Long"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Minutes"},"6":{"caption":"Weeks"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"Milliseconds"},"2":{"caption":"Seconds"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Hours"},"5":{"caption":"Days"},"7":{"caption":"Months"},"8":{"caption":"Years"},"9":{"description":"The start_time and end_time should be set.","caption":"Time Interval"}},"description":"The normalized identifier for the time span duration type.","requirement":"recommended","caption":"Time Span Type ID","sibling":"type","type_name":"Integer"},"end_time":{"type":"timestamp_t","description":"The end time or conclusion of the timespan's interval.","requirement":"recommended","caption":"End Time","type_name":"Timestamp"},"start_time_dt":{"type":"datetime_t","description":"The start time or beginning of the timespan's interval.","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"end_time_dt":{"type":"datetime_t","description":"The end time or conclusion of the timespan's interval.","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"duration_days":{"type":"integer_t","description":"The duration of the time span in days.","requirement":"recommended","caption":"Duration Days","type_name":"Integer"},"duration_hours":{"type":"integer_t","description":"The duration of the time span in hours.","requirement":"recommended","caption":"Duration Hours","type_name":"Integer"},"duration_mins":{"type":"integer_t","description":"The duration of the time span in minutes.","requirement":"recommended","caption":"Duration Minutes","type_name":"Integer"},"duration_months":{"type":"integer_t","description":"The duration of the time span in months.","requirement":"recommended","caption":"Duration Months","type_name":"Integer"},"duration_secs":{"type":"integer_t","description":"The duration of the time span in seconds.","requirement":"recommended","caption":"Duration Seconds","type_name":"Integer"},"duration_weeks":{"type":"integer_t","description":"The duration of the time span in weeks.","requirement":"recommended","caption":"Duration Weeks","type_name":"Integer"},"duration_years":{"type":"integer_t","description":"The duration of the time span in years.","requirement":"recommended","caption":"Duration Years","type_name":"Integer"}},"name":"timespan","description":"The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may be populated since each member is of integral type. In that case type_id if present should be set to Other.A timespan may also be defined by its time interval boundaries, start_time and end_time.","extends":"object","constraints":{"at_least_one":["duration","duration_days","duration_hours","duration_mins","duration_months","duration_secs","duration_weeks","duration_years","end_time","start_time"]},"profiles":["datetime"],"caption":"Time Span"},"user":{"attributes":{"name":{"type":"username_t","description":"The username. For example, janedoe1.","requirement":"recommended","caption":"Name","type_name":"User Name"},"type":{"type":"string_t","description":"The type of the user. For example, System, AWS IAM User, etc.","requirement":"optional","caption":"Type","type_name":"String"},"domain":{"type":"string_t","description":"The domain where the user is defined. For example: the LDAP or Active Directory domain.","requirement":"optional","caption":"Domain","type_name":"String"},"uid":{"type":"string_t","description":"The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":31},"groups":{"type":"object_t","description":"The administrative groups to which the user belongs.","is_array":true,"requirement":"optional","object_type":"group","caption":"Groups","object_name":"Group"},"org":{"type":"object_t","description":"Organization and org unit related to the user.","requirement":"optional","object_type":"organization","caption":"Organization","object_name":"Organization"},"full_name":{"type":"string_t","description":"The full name of the user, as reported by the product.","requirement":"optional","caption":"Full Name","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"System account. For example, Windows computer accounts with a trailing dollar sign ($).","caption":"System"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"Regular user account.","caption":"User"},"2":{"description":"Admin/root user account.","caption":"Admin"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Service account. For example, Windows service account.","caption":"Service"}},"description":"The account type identifier.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"account":{"type":"object_t","description":"The user's account or the account associated with the user.","requirement":"optional","object_type":"account","caption":"Account","object_name":"Account"},"credential_uid":{"type":"string_t","description":"The unique identifier of the user's credential. For example, AWS Access Key ID.","requirement":"optional","caption":"User Credential ID","type_name":"String","@deprecated":{"message":"Use programmatic_credentials instead.","since":"1.6.0"},"observable":19},"display_name":{"type":"string_t","description":"The display name of the user, as reported by the product.","requirement":"optional","caption":"Display Name","type_name":"String"},"email_addr":{"type":"email_t","description":"The user's primary email address.","requirement":"optional","caption":"Email Address","type_name":"Email Address"},"forward_addr":{"type":"email_t","description":"The user's forwarding email address.","requirement":"optional","caption":"Forwarding Address","type_name":"Email Address"},"has_mfa":{"type":"boolean_t","description":"The user has a multi-factor or secondary-factor device assigned.","requirement":"recommended","caption":"MFA Assigned","type_name":"Boolean"},"ldap_person":{"type":"object_t","description":"The additional LDAP attributes that describe a person.","requirement":"optional","object_type":"ldap_person","caption":"LDAP Person","object_name":"LDAP Person"},"phone_number":{"type":"string_t","description":"The telephone number of the user.","requirement":"optional","caption":"Telephone Number","type_name":"String"},"programmatic_credentials":{"type":"object_t","description":"Details about the programmatic credential (API keys, access tokens, certificates, etc) associated to the user.","is_array":true,"requirement":"optional","object_type":"programmatic_credential","caption":"Programmatic Credentials","object_name":"Programmatic Credential"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","requirement":"optional","caption":"Risk Level","type_name":"String"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","requirement":"optional","caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","requirement":"optional","caption":"Risk Score","type_name":"Integer"},"uid_alt":{"type":"string_t","description":"The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.","requirement":"optional","caption":"Alternate ID","type_name":"String"}},"name":"user","description":"The User object describes the characteristics of a user/person or a security principal.","extends":"_entity","constraints":{"at_least_one":["account","name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:UserAccount","url":"https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/"}],"caption":"User","observable":21},"baseline":{"attributes":{"observation_parameter":{"type":"string_t","description":"The specific parameter or property being monitored. Examples include: CPU usage percentage, API response time in milliseconds, HTTP error rate, memory utilization, network latency, transaction volume, etc.","requirement":"required","caption":"Observation Parameter","type_name":"String"},"observation_type":{"type":"string_t","description":"The type of analysis being performed to establish baseline behavior. Common types include: Frequency Analysis, Time Pattern Analysis, Volume Analysis, Sequence Analysis, Distribution Analysis, etc.","requirement":"recommended","caption":"Observation Type","type_name":"String"},"observations":{"type":"object_t","description":"Collection of actual measured values, data points and observations recorded for this baseline.","is_array":true,"requirement":"required","object_type":"observation","caption":"Observations","object_name":"Observation"},"observed_pattern":{"type":"string_t","description":"The specific pattern identified within the observation type. For Frequency Analysis, this could be 'FREQUENT', 'INFREQUENT', 'RARE', or 'UNSEEN'. For Time Pattern Analysis, this could be 'BUSINESS_HOURS', 'OFF_HOURS', or 'UNUSUAL_TIME'. For Volume Analysis, this could be 'NORMAL_VOLUME', 'HIGH_VOLUME', or 'SURGE'. The pattern values are specific to each observation type and indicate the baseline behavior.","requirement":"recommended","caption":"Observed Pattern","type_name":"String"}},"name":"baseline","description":"Describes the baseline or expected behavior of a system, service, or component based on historical observations and measurements. It establishes reference points for comparison to detect anomalies, trends, and deviations from typical patterns.","extends":"object","caption":"Baseline"},"sso":{"attributes":{"name":{"type":"string_t","description":"The name of the SSO resource.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"A unique identifier for a SSO resource.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"protocol_name":{"type":"string_t","description":"The supported protocol for the SSO resource. E.g., SAML or OIDC.","requirement":"optional","caption":"Supported Protocol","type_name":"String"},"certificate":{"type":"object_t","description":"Digital Signature associated with the SSO resource, e.g., SAML X.509 certificate details.","requirement":"recommended","object_type":"certificate","caption":"SAML Certificate","object_name":"Digital Certificate"},"idle_timeout":{"type":"integer_t","description":"Duration (in minutes) of allowed inactivity before Single Sign-On (SSO) session expiration.","requirement":"optional","caption":"SSO Idle Timeout","type_name":"Integer"},"auth_protocol":{"type":"string_t","description":"The authorization protocol as defined by the caption of auth_protocol_id. In the case of Other, it is defined by the event source.","requirement":"optional","caption":"Auth Protocol","type_name":"String"},"auth_protocol_id":{"type":"integer_t","enum":{"3":{"caption":"Digest"},"6":{"caption":"OAUTH 2.0"},"0":{"description":"The authentication protocol is unknown.","caption":"Unknown"},"1":{"caption":"NTLM"},"2":{"caption":"Kerberos"},"99":{"description":"The authentication protocol is not mapped. See the auth_protocol attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"OpenID"},"5":{"caption":"SAML"},"7":{"caption":"PAP"},"8":{"caption":"CHAP"},"9":{"caption":"EAP"},"10":{"caption":"RADIUS"},"11":{"caption":"Basic Authentication"},"12":{"caption":"LDAP"}},"description":"The normalized identifier of the authentication protocol used by the SSO resource.","requirement":"optional","caption":"Auth Protocol ID","sibling":"auth_protocol","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"When the SSO resource was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"duration_mins":{"type":"integer_t","description":"The duration (in minutes) for an SSO session, after which re-authentication is required.","requirement":"optional","caption":"SSO Session Duration","type_name":"Integer"},"login_endpoint":{"type":"url_t","description":"URL for initiating an SSO login request.","requirement":"optional","caption":"SSO Login Endpoint","type_name":"URL String"},"logout_endpoint":{"type":"url_t","description":"URL for initiating an SSO logout request, allowing sessions to be terminated across applications.","requirement":"optional","caption":"SSO Logout Endpoint","type_name":"URL String"},"metadata_endpoint":{"type":"url_t","description":"URL where metadata about the SSO configuration is available (e.g., for SAML configurations).","requirement":"optional","caption":"SSO Metadata Endpoint","type_name":"URL String"},"modified_time":{"type":"timestamp_t","description":"The most recent time when the SSO resource was updated.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"scopes":{"type":"string_t","description":"Scopes define the specific permissions or actions that the client is allowed to perform on behalf of the user. Each scope represents a different set of permissions, and the user can selectively grant or deny access to specific scopes during the authorization process.","is_array":true,"requirement":"optional","caption":"Scopes","type_name":"String"},"vendor_name":{"type":"string_t","description":"Name of the vendor or service provider implementing SSO. E.g., Okta, Auth0, Microsoft.","requirement":"optional","caption":"Service Provider","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"When the SSO resource was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The most recent time when the SSO resource was updated.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"sso","description":"The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.","extends":"object","profiles":["datetime"],"caption":"SSO"},"cloud":{"attributes":{"org":{"type":"object_t","description":"The Organization object containing details about the organizational unit or management structure that governs the account, subscription, or project where the event or finding was created. This object includes properties such as the organization name, unique identifier, type, and other organizational metadata.
Examples:
name, uid (Organization ID), type, and other organizational propertiesname, uid (Management Group ID), type, and management group metadataname, uid (Organization ID), type, and organizational attributesname, uid (Tenancy OCID), type, and tenancy detailsname, uid (Account ID), type, and other account propertiesname, uid (Subscription ID), type, and subscription metadataname, uid (Project ID), type, and project attributesname, uid (Tenancy OCID), type, and compartment detailsaws, aws-cn, aws-us-gov)AzureCloud, AzureUSGovernment, AzureChinaCloud)account.uid attribute instead.","since":"1.4.0"}},"provider":{"type":"string_t","description":"The unique name of the Cloud services provider where the event or finding was created. Examples include AWS, Azure, GCP (Google Cloud Platform), Oracle Cloud, IBM Cloud, Alibaba Cloud, or other public, private, or hybrid cloud providers.","requirement":"required","caption":"Cloud Provider","type_name":"String"},"region":{"type":"string_t","description":"The cloud region where the event or finding was created, as defined by the cloud provider.us-east-1, eu-west-1)East US, West Europe)us-central1, europe-west1)us-ashburn-1, uk-london-1)us-east-1a, us-east-1b)1, 2, 3 within a region)us-central1-a, us-central1-b)AD-1, AD-2, AD-3)ai_role_id.","requirement":"optional","caption":"AI Role","type_name":"String"},"ai_role_id":{"type":"integer_t","enum":{"3":{"description":"A callable tool or API invoked by the assistant.","caption":"Tool"},"6":{"description":"A component that retrieves information or context from a knowledge source (e.g., vector DB, search system, or API).","caption":"Retriever"},"0":{"description":"Unknown role type.","caption":"Unknown"},"1":{"description":"The human user initiating a request.","caption":"User"},"2":{"description":"The AI model generating a response.","caption":"Assistant"},"99":{"description":"Other role type not covered above.","caption":"Other"},"4":{"description":"A software agent that performs tasks with autonomy or delegated intent.","caption":"Agent"},"5":{"description":"The component coordinating multiple agents or tools.","caption":"Orchestrator"}},"description":"Specifies the functional role of the AI within the context of this message, such as retrieving information, assisting reasoning, executing a tool, or generating content.","requirement":"recommended","caption":"AI Role ID","sibling":"ai_role","type_name":"Integer"},"completion_tokens":{"type":"integer_t","description":"Number of tokens in the model's response/completion for this message.","requirement":"optional","caption":"Completion Tokens","type_name":"Integer"},"prompt_tokens":{"type":"integer_t","description":"Number of tokens in the input prompt for this message.","requirement":"optional","caption":"Prompt Tokens","type_name":"Integer"},"total_tokens":{"type":"integer_t","description":"Total number of tokens used for this message (prompt + completion).","requirement":"optional","caption":"Total Tokens","type_name":"Integer"}},"name":"message_context","description":"Communication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.","extends":"_entity","constraints":{"at_least_one":["application","service"]},"references":[{"description":"OWASP AI Security and Privacy Guide - Agent Security","url":"https://owasp.org/www-project-ai-security-and-privacy-guide/"},{"description":"Model Context Protocol (MCP) Specification","url":"https://modelcontextprotocol.io/"}],"profiles":["data_classification"],"caption":"Message Context"},"port_info":{"attributes":{"port":{"type":"port_t","description":"The port number. For example: 80, 443, 22.","requirement":"required","caption":"Port","type_name":"Port"},"protocol_name":{"type":"string_t","description":"The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example: tcp or udp.","references":[{"description":"IANA Protocol Numbers","url":"https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"}],"requirement":"recommended","caption":"Protocol Name","type_name":"String"},"protocol_num":{"type":"integer_t","description":"The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: 6 for TCP and 17 for UDP.","references":[{"description":"IANA Protocol Numbers","url":"https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"}],"requirement":"optional","caption":"Protocol Number","type_name":"Integer"}},"name":"port_info","description":"The Port Information object describes a port and its associated protocol details.","extends":"object","caption":"Port Information"},"container":{"attributes":{"name":{"type":"string_t","description":"The container name.","requirement":"recommended","caption":"Name","type_name":"String"},"runtime":{"type":"string_t","description":"The backend running the container, such as containerd or cri-o.","requirement":"optional","caption":"Runtime","type_name":"String"},"size":{"type":"long_t","description":"The size of the container image.","requirement":"recommended","caption":"Size","type_name":"Long"},"tag":{"type":"string_t","description":"The tag used by the container. It can indicate version, format, OS.","requirement":"optional","caption":"Image Tag","type_name":"String","@deprecated":{"message":"Use the labels or tags attribute instead.","since":"1.4.0"}},"uid":{"type":"string_t","description":"The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"image":{"type":"object_t","description":"The container image used as a template to run the container.","requirement":"recommended","object_type":"image","caption":"Image","object_name":"Image"},"hash":{"type":"object_t","description":"Commit hash of image created for docker or the SHA256 hash of the container. For example: 13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de.","requirement":"recommended","object_type":"fingerprint","caption":"Hash","object_name":"Fingerprint"},"labels":{"type":"string_t","description":"The list of labels associated to the container.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the container.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"network_driver":{"type":"string_t","description":"The network driver used by the container. For example, bridge, overlay, host, none, etc.","requirement":"optional","caption":"Network Driver","type_name":"String"},"orchestrator":{"type":"string_t","description":"The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.","requirement":"optional","caption":"Orchestrator","type_name":"String"},"pod_uuid":{"type":"uuid_t","description":"The unique identifier of the pod (or equivalent) that the container is executing on.","requirement":"optional","caption":"Pod UUID","type_name":"UUID"}},"name":"container","description":"The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","extends":"object","constraints":{"at_least_one":["uid","name"]},"references":[{"description":"D3FEND™ Ontology d3f:ContainerProcess.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/"}],"caption":"Container","observable":27},"mitigation":{"attributes":{"name":{"type":"string_t","description":"The Mitigation name that is associated with the attack technique. For example: Password Policies, or Code Signing.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The Mitigation ID that is associated with the attack technique. For example: M1027, or AML.M0013.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"countermeasures":{"type":"object_t","description":"The D3FEND countermeasures that are associated with the attack technique. For example: ATT&CK Technique T1003 is addressed by Mitigation M1027, and D3FEND Technique D3-OTP.","is_array":true,"requirement":"optional","object_type":"d3fend","caption":"Countermeasures","object_name":"MITRE D3FEND™"},"src_url":{"type":"url_t","description":"The versioned permalink of the Mitigation. For example: https://attack.mitre.org/versions/v14/mitigations/M1027.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"mitigation","description":"The MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"},{"description":"ATT&CK® Mitigation to D3FEND™ Technique Mappings","url":"https://d3fend.mitre.org/mappings/attack-mitigations/"}],"caption":"MITRE Mitigation"},"http_header":{"attributes":{"name":{"type":"string_t","description":"The name of the HTTP header.","requirement":"required","caption":"Name","type_name":"String"},"value":{"type":"string_t","description":"The value of the HTTP header.","requirement":"required","caption":"Value","type_name":"String"}},"name":"http_header","description":"The HTTP Header object represents the headers sent in an HTTP request or response. HTTP headers are key-value pairs that convey additional information about the HTTP message, including details about the content, caching, authentication, encoding, and other aspects of the communication.","extends":"object","caption":"HTTP Header"},"idp":{"attributes":{"name":{"type":"string_t","description":"The name of the Identity Provider.","requirement":"recommended","caption":"Name","type_name":"String"},"state":{"type":"string_t","description":"The configuration state of the Identity Provider, normalized to the caption of the state_id value. In the case of Other, it is defined by the event source.","requirement":"optional","caption":"State","type_name":"String"},"domain":{"type":"string_t","description":"The primary domain associated with the Identity Provider.","requirement":"optional","caption":"Domain","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the Identity Provider.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"protocol_name":{"type":"string_t","description":"The supported protocol of the Identity Provider. E.g., SAML, OIDC, or OAuth2.","requirement":"optional","caption":"Supported Protocol","type_name":"String"},"issuer":{"type":"string_t","description":"The unique identifier (often a URL) used by the Identity Provider as its issuer.","requirement":"optional","caption":"Issuer Details","type_name":"String"},"fingerprint":{"type":"object_t","description":"The fingerprint of the X.509 certificate used by the Identity Provider.","requirement":"optional","object_type":"fingerprint","caption":"Certificate Fingerprint","object_name":"Fingerprint"},"auth_factors":{"type":"object_t","description":"The Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider.","is_array":true,"requirement":"optional","object_type":"auth_factor","caption":"Authentication Factors","object_name":"Authentication Factor"},"has_mfa":{"type":"boolean_t","description":"The Identity Provider enforces Multi Factor Authentication (MFA).","requirement":"optional","caption":"MFA Enforced","type_name":"Boolean"},"scim":{"type":"object_t","description":"The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634","references":[{"description":"System for Cross-domain Identity Management (SCIM) RFC.","url":"https://datatracker.ietf.org/doc/html/rfc7643"}],"requirement":"optional","object_type":"scim","caption":"SCIM","object_name":"SCIM"},"sso":{"type":"object_t","description":"The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.","requirement":"optional","object_type":"sso","caption":"SSO","object_name":"SSO"},"state_id":{"type":"integer_t","enum":{"3":{"description":"The Identity Provider is in a Deprecated state, or is otherwise disabled.","caption":"Deprecated"},"0":{"description":"The configuration state of the Identity Provider is unknown.","caption":"Unknown"},"1":{"description":"The Identity Provider is in an Active state, or otherwise enabled.","caption":"Active"},"2":{"description":"The Identity Provider is in a Suspended state.","caption":"Suspended"},"99":{"description":"The configuration state of the Identity Provider is not mapped. See the state attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Identity Provider is in a Deleted state.","caption":"Deleted"}},"description":"The normalized state ID of the Identity Provider to reflect its configuration or activation status.","requirement":"optional","caption":"State ID","sibling":"state","type_name":"Integer"},"tenant_uid":{"type":"string_t","description":"The tenant ID associated with the Identity Provider.","requirement":"optional","caption":"Tenant UID","type_name":"String"},"url_string":{"type":"url_t","description":"The URL for accessing the configuration or metadata of the Identity Provider.","requirement":"optional","caption":"Configuration URL","type_name":"URL String"}},"name":"idp","description":"The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["container"],"caption":"Identity Provider"},"sbom":{"attributes":{"type":{"type":"string_t","description":"The type of SBOM, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The specification (spec) version of the particular SBOM, e.g., 1.6.","requirement":"optional","caption":"Version","type_name":"String"},"product":{"type":"object_t","description":"Details about the upstream product that generated the SBOM e.g. cdxgen or Syft.","requirement":"recommended","object_type":"product","caption":"Product","object_name":"Product"},"uid":{"type":"string_t","description":"A unique identifier for the SBOM or the SBOM generation by a source tool, such as the SPDX metadata.component.bom-ref.","requirement":"optional","caption":"SBOM ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publishes, ISO/IEC 19770-2, a standard for software identification (SWID) tags that defines a structured metadata format for describing a software product. A SWID tag document is composed of a structured set of data elements that identify the software product","caption":"SWID"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"System Package Data Exchange (SPDX®) is an open standard capable of representing systems with software components in as SBOMs (Software Bill of Materials) and other AI, data and security references supporting a range of risk management use cases. The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).","caption":"SPDX"},"2":{"description":"CycloneDX is an International Standard for Bill of Materials (ECMA-424).","caption":"CycloneDX"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The type of SBOM.","references":[{"description":"SPDX","url":"https://spdx.dev/"},{"description":"ISO/IEC 5692:2021","url":"https://www.iso.org/standard/81870.html"},{"description":"CycloneDX","url":"https://cyclonedx.org/"},{"description":"ECMA-424","url":"https://ecma-international.org/publications-and-standards/standards/ecma-424/"},{"description":"SWID","url":"https://nvd.nist.gov/products/swid"},{"description":"ISO/IEC 19770-2:2015","url":"https://www.iso.org/standard/65666.html"}],"requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time when the SBOM was created.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"package":{"type":"object_t","description":"The software package or library that is being discovered or inventoried by an SBOM.","references":[{"description":"D3FEND™ Ontology d3f:SoftwarePackage.","url":"https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/"}],"requirement":"required","object_type":"package","caption":"Software Package","object_name":"Software Package"},"software_components":{"type":"object_t","description":"The list of software components used in the software package.","is_array":true,"requirement":"required","object_type":"software_component","caption":"Software Components","object_name":"Software Component"},"created_time_dt":{"type":"datetime_t","description":"The time when the SBOM was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"}},"name":"sbom","description":"The Software Bill of Materials object describes characteristics of a generated SBOM.","extends":"object","profiles":["data_classification","datetime"],"caption":"Software Bill of Materials"},"kernel":{"attributes":{"name":{"type":"string_t","description":"The name of the kernel resource.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the kernel resource.","requirement":"optional","caption":"Type","type_name":"String"},"path":{"type":"file_path_t","description":"The full path of the kernel resource.","requirement":"optional","caption":"Path","type_name":"File Path"},"type_id":{"type":"integer_t","enum":{"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"Shared Mutex"},"2":{"caption":"System Call"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The type of the kernel resource.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"is_system":{"type":"boolean_t","description":"The indication of whether the object is part of the operating system.","requirement":"optional","caption":"System","type_name":"Boolean"},"system_call":{"type":"string_t","description":"The system call that was invoked.","requirement":"optional","caption":"System Call","type_name":"String"}},"name":"kernel","description":"The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:Kernel","url":"https://d3fend.mitre.org/dao/artifact/d3f:Kernel/"}],"caption":"Kernel Resource"},"network_traffic":{"attributes":{"bytes_in":{"type":"long_t","description":"The number of bytes sent from the destination to the source (inbound direction).","requirement":"optional","caption":"Bytes In","type_name":"Long"},"bytes_out":{"type":"long_t","description":"The number of bytes sent from the source to the destination (outbound direction).","requirement":"optional","caption":"Bytes Out","type_name":"Long"},"chunks":{"type":"long_t","description":"The total number of chunks transferred in both directions (sum of chunks_in and chunks_out).","requirement":"optional","caption":"Chunks","type_name":"Long"},"bytes":{"type":"long_t","description":"The total number of bytes transferred in both directions (sum of bytes_in and bytes_out).","requirement":"recommended","caption":"Total Bytes","type_name":"Long"},"start_time":{"type":"timestamp_t","description":"The start time of the observation or reporting period.","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"end_time":{"type":"timestamp_t","description":"The end time of the observation or reporting period.","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"start_time_dt":{"type":"datetime_t","description":"The start time of the observation or reporting period.","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"end_time_dt":{"type":"datetime_t","description":"The end time of the observation or reporting period.","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"bytes_missed":{"type":"long_t","description":"The number of bytes that were missed during observation, typically due to packet loss or sampling limitations.","requirement":"optional","caption":"Bytes Missed","type_name":"Long"},"chunks_in":{"type":"long_t","description":"The number of chunks sent from the destination to the source (inbound direction).","requirement":"optional","caption":"Chunks In","type_name":"Long"},"chunks_out":{"type":"long_t","description":"The number of chunks sent from the source to the destination (outbound direction).","requirement":"optional","caption":"Chunks Out","type_name":"Long"},"packets":{"type":"long_t","description":"The total number of packets transferred in both directions (sum of packets_in and packets_out).","requirement":"recommended","caption":"Total Packets","type_name":"Long"},"packets_in":{"type":"long_t","description":"The number of packets sent from the destination to the source (inbound direction).","requirement":"optional","caption":"Packets In","type_name":"Long"},"packets_out":{"type":"long_t","description":"The number of packets sent from the source to the destination (outbound direction).","requirement":"optional","caption":"Packets Out","type_name":"Long"},"timespan":{"type":"object_t","description":"The time span object representing the duration of the observation or reporting period.","requirement":"optional","object_type":"timespan","caption":"Time Span","object_name":"Time Span"}},"name":"network_traffic","description":"The Network Traffic object describes characteristics of network traffic over a time period. The metrics represent network data transferred between source and destination during an observation window.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:NetworkTraffic","url":"https://d3fend.mitre.org/dao/artifact/d3f:NetworkTraffic/"}],"profiles":["datetime"],"caption":"Network Traffic"},"packet":{"attributes":{"value":{"type":"string_t","description":"The actual packet data, represented as a string. The format of this string is determined by the specified encoding_id (e.g., Base64, Hexadecimal, or URL Encoded).","requirement":"required","caption":"Value","type_name":"String"},"format":{"type":"string_t","description":"The human-readable name of the packet capture file format in which the packet is stored. This should match the caption associated with format_id. If format_id is 99 (Other), this field contains the original data source–specific format value.","requirement":"optional","caption":"Format","type_name":"String"},"encoding":{"type":"string_t","description":"The human-readable name of the encoding used to represent the packet data in the value field. This should match the caption associated with encoding_id. If encoding_id is 99 (Other), this field contains the original data source–specific encoding value.","requirement":"optional","caption":"Encoding","type_name":"String"},"source":{"type":"string_t","description":"The human-readable name describing how or where the packet was obtained. This should match the caption associated with source_id. If source_id is 99 (Other), this field contains the original data source–specific value.","requirement":"optional","caption":"Source","type_name":"String"},"sequence_number":{"type":"long_t","description":"The relative order number of this packet within its capture context (such as a PCAP file, network session, or reconstructed stream). This represents chronological capture order, distinct from both protocol-level sequencing (such as TCP sequence numbers).","requirement":"optional","caption":"Sequence Number","type_name":"Long"},"encoding_id":{"type":"integer_t","enum":{"3":{"description":"The packet data is encoded using percent-encoding (URL encoding).","caption":"URL Encoded"},"0":{"description":"The encoding format of the packet data is not known.","caption":"Unknown"},"1":{"description":"The packet data is encoded using Base64.","caption":"Base64"},"2":{"description":"The packet data is encoded as a hexadecimal string representation of the raw bytes.","caption":"Hexadecimal"},"99":{"description":"The encoding method is not mapped. Refer to the encoding field for the original source-specific value.","caption":"Other"}},"description":"The normalized identifier of the encoding method used to represent the packet data as a string.","requirement":"recommended","caption":"Encoding ID","sibling":"encoding","type_name":"Integer"},"end_offset":{"type":"long_t","description":"The ending byte position of this packet within a capture file or stream.","requirement":"optional","caption":"End Offset","type_name":"Long"},"format_id":{"type":"integer_t","enum":{"3":{"description":"Solaris/Unix capture format.","caption":"Snoop"},"6":{"description":"Accellent 5Views packet capture format.","caption":"5Views"},"0":{"description":"The packet format is unknown.","caption":"Unknown"},"1":{"description":"Standard libpcap/tcpdump packet capture file format.","caption":"PCAP"},"2":{"description":"Next-generation PCAP format that supports multiple interfaces and enhanced metadata.","caption":"PCAPNG"},"99":{"description":"The packet format is not mapped. Refer to the format field for the original source-specific value.","caption":"Other"},"4":{"description":"Extensible Record Format used by Endace network monitoring hardware.","caption":"ERF"},"5":{"description":"Microsoft Network Monitor capture file format.","caption":"NetMon"}},"description":"The normalized identifier of the packet capture format.","requirement":"recommended","caption":"Format ID","sibling":"format","type_name":"Integer"},"source_id":{"type":"integer_t","enum":{"3":{"description":"The packet was generated or extracted by a protocol decoder or analysis engine.","caption":"Decoder"},"6":{"description":"The packet was captured by a host-based agent or endpoint detection and response (EDR) sensor.","caption":"Endpoint"},"0":{"description":"The packet source is unknown.","caption":"Unknown"},"1":{"description":"The packet was captured directly from a network interface.","caption":"Wire"},"2":{"description":"The packet was reconstructed or derived from a stream of packets.","caption":"Stream"},"99":{"description":"The packet source is not mapped. Refer to the source field for the original source-specific value.","caption":"Other"},"4":{"description":"The packet was captured from a physical network Test Access Point (TAP) device used for passive monitoring.","caption":"TAP"},"5":{"description":"The packet was captured from a switch Switched Port Analyzer (SPAN) or mirror port.","caption":"SPAN"},"7":{"description":"The packet was captured from a virtual network interface, virtual switch, or container network.","caption":"Virtual"}},"description":"A normalized numeric identifier that specifies how the packet was obtained or generated.","requirement":"recommended","caption":"Source ID","sibling":"source","type_name":"Integer"},"start_offset":{"type":"long_t","description":"The starting byte position of this packet within a capture file or stream.","requirement":"optional","caption":"Start Offset","type_name":"Long"}},"name":"packet","description":"The Packet object represents a single captured network packet and its associated metadata. It describes where the packet came from, how it is stored or encoded, and how it can be located within a capture file or stream. This object does not interpret protocol content; it only represents the captured packet data and its positioning information.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:NetworkPacket.","url":"https://d3fend.mitre.org/dao/artifact/d3f:NetworkPacket/"},{"description":"D3FEND™ Ontology d3f:PacketCaptureFile.","url":"https://d3fend.mitre.org/dao/artifact/d3f:PacketCaptureFile/"},{"description":"D3FEND™ Ontology d3f:PacketLog.","url":"https://d3fend.mitre.org/dao/artifact/d3f:PacketLog/"}],"caption":"Packet"},"ja4_fingerprint":{"attributes":{"type":{"type":"string_t","description":"The JA4+ fingerprint type as defined by FoxIO, normalized to the caption of 'type_id'. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Type","type_name":"String"},"value":{"type":"string_t","description":"The JA4+ fingerprint value.","requirement":"required","caption":"Value","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"HTTP Client Fingerprint.","caption":"JA4HTTP"},"6":{"description":"SSH Traffic Fingerprint.","caption":"JA4SSH"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"TLS Client Fingerprint.","caption":"JA4"},"2":{"description":"TLS Server Response/Session Fingerprint.","caption":"JA4Server"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Latency Measurement/Light Distance Fingerprint.","caption":"JA4Latency"},"5":{"description":"X509 TLS Certificate Fingerprint.","caption":"JA4X509"},"7":{"description":"Passive TCP Client Fingerprint.","caption":"JA4TCP"},"8":{"description":"Passive TCP Server Fingerprint.","caption":"JA4TCPServer"},"9":{"description":"Active TCP Server Fingerprint.","caption":"JA4TCPScan"}},"description":"The identifier of the JA4+ fingerprint type.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"section_a":{"type":"string_t","description":"The 'a' section of the JA4 fingerprint.","requirement":"optional","caption":"JA4 Section A","type_name":"String"},"section_b":{"type":"string_t","description":"The 'b' section of the JA4 fingerprint.","requirement":"optional","caption":"JA4 Section B","type_name":"String"},"section_c":{"type":"string_t","description":"The 'c' section of the JA4 fingerprint.","requirement":"optional","caption":"JA4 Section C","type_name":"String"},"section_d":{"type":"string_t","description":"The 'd' section of the JA4 fingerprint.","requirement":"optional","caption":"JA4 Section D","type_name":"String"}},"name":"ja4_fingerprint","description":"The JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.","extends":"object","caption":"JA4+ Fingerprint"},"module":{"attributes":{"type":{"type":"string_t","description":"The module type.","requirement":"recommended","caption":"Type","type_name":"String"},"file":{"type":"object_t","description":"The module file object.","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"base_address":{"type":"string_t","description":"The memory address where the module was loaded.","requirement":"recommended","caption":"Base Address","type_name":"String"},"function_invocation":{"type":"object_t","description":"Details about the invocation of the function given in function_name.","requirement":"optional","object_type":"function_invocation","caption":"Function Invocation","object_name":"Function Invocation"},"function_name":{"type":"string_t","description":"The invoked function in the module. For load and unload events, this is the entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.","requirement":"recommended","caption":"Function Name","type_name":"String"},"load_type":{"type":"string_t","description":"The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Load Type","type_name":"String"},"load_type_id":{"type":"integer_t","enum":{"3":{"description":"A raw module in process memory that is READWRITE_EXECUTE and had a thread started in its range.","caption":"ShellCode"},"0":{"description":"The load type is unknown.","caption":"Unknown"},"1":{"description":"A normal module loaded by the normal windows loading mechanism i.e. LoadLibrary.","caption":"Standard"},"2":{"description":"A module loaded in a way avoidant of normal windows procedures. i.e. Bootstrapped Loading/Manual Dll Loading.","caption":"Non Standard"},"99":{"description":"The load type is not mapped. See the load_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A memory mapped file, typically created with CreatefileMapping/MapViewOfFile.","caption":"Mapped"},"5":{"description":"A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation.","caption":"NonStandard Backed"}},"description":"The normalized identifier for how the module was loaded in memory.","requirement":"recommended","caption":"Load Type ID","sibling":"load_type","type_name":"Integer"},"start_address":{"type":"string_t","description":"The start address of the execution.","requirement":"recommended","caption":"Start Address","type_name":"String"}},"name":"module","description":"The Module object describes the attributes of a module.","extends":"object","constraints":{"at_least_one":["load_type_id","function_name"]},"profiles":["data_classification"],"caption":"Module"},"vulnerability":{"attributes":{"title":{"type":"string_t","description":"A title or a brief phrase summarizing the discovered vulnerability.","requirement":"optional","caption":"Title","type_name":"String"},"desc":{"type":"string_t","description":"The description of the vulnerability.","requirement":"optional","caption":"Description","type_name":"String"},"category":{"type":"string_t","description":"The category of a vulnerability or weakness, as reported by the source tool, such as Container Security or Open Source Security.","requirement":"optional","caption":"Category","type_name":"String"},"references":{"type":"string_t","description":"A list of reference URLs with additional information about the vulnerability.","is_array":true,"requirement":"recommended","caption":"References","type_name":"String"},"severity":{"type":"string_t","description":"The vendor assigned severity of the vulnerability.","requirement":"optional","caption":"Severity","type_name":"String"},"remediation":{"type":"object_t","description":"The remediation recommendations on how to mitigate the identified vulnerability.","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"advisory":{"type":"object_t","description":"Detail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor.","requirement":"optional","object_type":"advisory","caption":"Security Advisory","object_name":"Advisory"},"affected_code":{"type":"object_t","description":"List of Affected Code objects that describe details about code blocks identified as vulnerable.","is_array":true,"requirement":"optional","object_type":"affected_code","caption":"Affected Code","object_name":"Affected Code"},"affected_packages":{"type":"object_t","description":"List of software packages identified as affected by a vulnerability/vulnerabilities.","is_array":true,"requirement":"optional","object_type":"affected_package","caption":"Affected Software Packages","object_name":"Affected Software Package"},"cve":{"type":"object_t","description":"Describes the Common Vulnerabilities and Exposures (CVE) details related to the vulnerability.","requirement":"recommended","object_type":"cve","caption":"CVE","object_name":"CVE"},"cwe":{"type":"object_t","description":"Describes the Common Weakness Enumeration (CWE) details related to the vulnerability.","requirement":"recommended","object_type":"cwe","caption":"CWE","object_name":"CWE"},"dependency_chain":{"type":"string_t","description":"Information about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. E.g., serverless-offline -> @serverless/utils -> memoizee -> es5-ext.","requirement":"optional","caption":"Dependency Chain","type_name":"String"},"exploit_last_seen_time":{"type":"timestamp_t","description":"The time when the exploit was most recently observed.","requirement":"optional","caption":"Exploit Last Seen Time","type_name":"Timestamp"},"exploit_ref_url":{"type":"url_t","description":"The URL of the exploit code or Proof-of-Concept (PoC).","requirement":"optional","caption":"Exploit URL","type_name":"URL String"},"exploit_requirement":{"type":"string_t","description":"The requirement description related to any constraints around exploit execution.","requirement":"optional","caption":"Exploit Requirement","type_name":"String"},"exploit_type":{"type":"string_t","description":"The categorization or type of Exploit. E.g., Network or Physical.","requirement":"optional","caption":"Exploit Type","type_name":"String"},"first_seen_time":{"type":"timestamp_t","description":"The time when the vulnerability was first observed.","requirement":"optional","caption":"First Seen","type_name":"Timestamp"},"fix_available":{"type":"boolean_t","description":"Indicates if a fix is available for the reported vulnerability.","requirement":"optional","caption":"Fix Availability","type_name":"Boolean","@deprecated":{"message":"Use the is_fix_available attribute instead.","since":"1.1.0"}},"fix_coverage":{"type":"string_t","description":"The fix coverage, normalized to the caption of the fix_coverage_id value.","requirement":"optional","caption":"Fix Coverage","type_name":"String"},"fix_coverage_id":{"type":"integer_t","enum":{"3":{"description":"No fixes or patches are currently available for any of the affected packages and components.","caption":"None"},"0":{"description":"The fix coverage is unknown.","caption":"Unknown"},"1":{"description":"All affected packages and components have available fixes or patches to remediate the vulnerability.","caption":"Complete"},"2":{"description":"Only some of the affected packages and components have available fixes or patches, while others remain vulnerable.","caption":"Partial"},"99":{"description":"The fix coverage is not mapped. See the fix_coverage attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier for fix coverage, applicable to this vulnerability. Typically useful, when there are multiple affected packages but only a subset have available fixes.","requirement":"optional","caption":"Fix Coverage ID","sibling":"fix_coverage","type_name":"Integer"},"is_exploit_available":{"type":"boolean_t","description":"Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.","requirement":"optional","caption":"Exploit Availability","type_name":"Boolean"},"is_fix_available":{"type":"boolean_t","description":"Indicates if a fix is available for the reported vulnerability.","requirement":"optional","caption":"Fix Availability","type_name":"Boolean"},"kb_article_list":{"type":"object_t","description":"A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.","is_array":true,"requirement":"optional","object_type":"kb_article","caption":"Knowledgebase Articles","@deprecated":{"message":"Use advisory attribute instead.","since":"1.4.0"},"object_name":"KB Article"},"kb_articles":{"type":"string_t","description":"The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.","is_array":true,"requirement":"optional","caption":"Knowledgebase Articles","type_name":"String","@deprecated":{"message":"Use the kb_article_list attribute instead.","since":"1.1.0"}},"last_seen_time":{"type":"timestamp_t","description":"The time when the vulnerability was most recently observed.","requirement":"optional","caption":"Last Seen","type_name":"Timestamp"},"packages":{"type":"object_t","description":"List of vulnerable packages as identified by the security product","is_array":true,"requirement":"optional","object_type":"package","caption":"Software Packages","@deprecated":{"message":"Use the affected_packages attribute instead.","since":"1.1.0"},"object_name":"Software Package"},"related_vulnerabilities":{"type":"string_t","description":"List of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.","is_array":true,"requirement":"optional","caption":"Related Vulnerability IDs","type_name":"String"},"vendor_name":{"type":"string_t","description":"The name of the vendor that identified the vulnerability.","requirement":"optional","caption":"Vendor Name","type_name":"String"},"exploit_last_seen_time_dt":{"type":"datetime_t","description":"The time when the exploit was most recently observed.","requirement":"optional","profiles":["datetime"],"caption":"Exploit Last Seen Time","type_name":"Datetime"},"first_seen_time_dt":{"type":"datetime_t","description":"The time when the vulnerability was first observed.","requirement":"optional","profiles":["datetime"],"caption":"First Seen","type_name":"Datetime"},"last_seen_time_dt":{"type":"datetime_t","description":"The time when the vulnerability was most recently observed.","requirement":"optional","profiles":["datetime"],"caption":"Last Seen","type_name":"Datetime"}},"name":"vulnerability","description":"The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.","extends":"object","constraints":{"just_one":["advisory","cve","cwe"]},"profiles":["data_classification","datetime"],"caption":"Vulnerability Details"},"image":{"attributes":{"name":{"type":"string_t","description":"The image name. For example: elixir.","requirement":"recommended","caption":"Name","type_name":"String"},"tag":{"type":"string_t","description":"The image tag. For example: 1.11-alpine.","requirement":"optional","caption":"Image Tag","type_name":"String","@deprecated":{"message":"Use the labels or tags attribute instead.","since":"1.4.0"}},"path":{"type":"file_path_t","description":"The full path to the image file.","requirement":"optional","caption":"Path","type_name":"File Path"},"uid":{"type":"string_t","description":"The unique image ID. For example: 77af4d6b9913.","requirement":"required","caption":"Unique ID","type_name":"String"},"labels":{"type":"string_t","description":"The list of labels associated to the image.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the image.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"}},"name":"image","description":"The Image object provides a description of a specific Virtual Machine (VM) or Container image.","extends":"_entity","constraints":{},"references":[{"description":"D3FEND™ Ontology d3f:ContainerImage","url":"https://d3fend.mitre.org/dao/artifact/d3f:ContainerImage/"}],"caption":"Image"},"software_component":{"attributes":{"name":{"type":"string_t","description":"The software component name.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of software component, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The software component version.","requirement":"required","caption":"Version","type_name":"String"},"author":{"type":"string_t","description":"The author(s) who published the software component.","requirement":"recommended","caption":"Author","type_name":"String"},"hash":{"type":"object_t","description":"Cryptographic hash to identify the binary instance of a software component.","requirement":"optional","object_type":"fingerprint","caption":"Hash","object_name":"Fingerprint"},"relationship":{"type":"string_t","description":"The relationship between two software components, normalized to the caption of the relationship_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Relationship","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"An operating system. Useful for SBOMs of container images.","caption":"Operating System"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A software framework.","caption":"Framework"},"2":{"description":"A software library.","caption":"Library"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The type of software component.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"license":{"type":"string_t","description":"The software license applied to this component.","requirement":"optional","caption":"Software License","type_name":"String"},"purl":{"type":"string_t","description":"The Package URL (PURL) to identify the software component. This is a URL that uniquely identifies the component, including the component's name, version, and type. The URL is used to locate and retrieve the component's metadata and content.","requirement":"recommended","caption":"Package URL","type_name":"String"},"related_component":{"type":"string_t","description":"The package URL (PURL) of the component that this software component has a relationship with.","requirement":"recommended","caption":"Related Component","type_name":"String"},"relationship_id":{"type":"integer_t","enum":{"0":{"description":"The relationship is unknown.","caption":"Unknown"},"1":{"description":"The component is a dependency of another component. Can be used to define both direct and transitive dependencies.","caption":"Depends On"},"99":{"description":"The relationship is not mapped. See the relationship attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the relationship between two software components.","requirement":"recommended","caption":"Relationship ID","sibling":"relationship","type_name":"Integer"}},"name":"software_component","description":"The Software Component object describes characteristics of a software component within a software package.","extends":"object","caption":"Software Component"},"parameter":{"attributes":{"name":{"type":"string_t","description":"The parameter name.","requirement":"optional","caption":"Name","type_name":"String"},"post_value":{"type":"string_t","description":"The parameter value after function execution.","requirement":"optional","caption":"Post-Value","type_name":"String"},"pre_value":{"type":"string_t","description":"The parameter value before function execution.","requirement":"optional","caption":"Pre-Value","type_name":"String"}},"name":"parameter","description":"The Parameter object provides details regarding a parameter of a a function.","extends":"object","constraints":{"at_least_one":["name","pre_value","post_value"]},"caption":"Parameter"},"advisory":{"attributes":{"size":{"type":"long_t","description":"The size in bytes for the Advisory. Usually populated for a KB Article patch.","requirement":"optional","caption":"Size","type_name":"Long"},"os":{"type":"object_t","description":"The operating system the Advisory applies to.","requirement":"recommended","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"title":{"type":"string_t","description":"A title or a brief phrase summarizing the Advisory.","requirement":"recommended","caption":"Title","type_name":"String"},"product":{"type":"object_t","description":"The product where the vulnerability was discovered.","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"desc":{"type":"string_t","description":"A brief description of the Advisory Record.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier assigned to the advisory or disclosed vulnerability, e.g, GHSA-5mrr-rgp6-x4gr.","requirement":"required","caption":"Advisory ID","type_name":"String","observable":44},"references":{"type":"string_t","description":"A list of reference URLs with additional information about the vulnerabilities disclosed in the Advisory.","is_array":true,"requirement":"recommended","caption":"References","type_name":"String"},"avg_timespan":{"type":"object_t","description":"The average time to patch.","requirement":"optional","object_type":"timespan","caption":"Average Timespan","object_name":"Time Span"},"bulletin":{"type":"string_t","description":"The Advisory bulletin identifier.","requirement":"optional","caption":"Patch Bulletin","type_name":"String"},"classification":{"type":"string_t","description":"The vendors classification of the Advisory.","requirement":"optional","caption":"Classification","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the Advisory record was created.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"install_state":{"type":"string_t","description":"The install state of the Advisory.","requirement":"recommended","caption":"Install State","type_name":"String"},"install_state_id":{"type":"integer_t","enum":{"3":{"description":"The item is installed pending reboot operation.","caption":"Installed Pending Reboot"},"0":{"description":"The normalized install state is unknown.","caption":"Unknown"},"1":{"description":"The item is installed.","caption":"Installed"},"2":{"description":"The item is not installed.","caption":"Not Installed"},"99":{"description":"The install state is not mapped. See the install_state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized install state ID of the Advisory.","requirement":"recommended","caption":"Install State ID","sibling":"install_state","type_name":"Integer"},"is_superseded":{"type":"boolean_t","description":"The Advisory has been replaced by another.","requirement":"optional","caption":"The patch is superseded.","type_name":"Boolean"},"modified_time":{"type":"timestamp_t","description":"The time when the Advisory record was last updated.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"related_cves":{"type":"object_t","description":"A list of Common Vulnerabilities and Exposures (CVE) identifiers related to the vulnerabilities disclosed in the Advisory.","is_array":true,"requirement":"optional","object_type":"cve","caption":"Related CVEs","object_name":"CVE"},"related_cwes":{"type":"object_t","description":"A list of Common Weakness Enumeration (CWE) identifiers related to the vulnerabilities disclosed in the Advisory.","is_array":true,"requirement":"optional","object_type":"cwe","caption":"Related CWEs","object_name":"CWE"},"src_url":{"type":"url_t","description":"The Advisory link from the source vendor.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"created_time_dt":{"type":"datetime_t","description":"The time when the Advisory record was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The time when the Advisory record was last updated.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"advisory","description":"The Advisory object represents publicly disclosed cybersecurity vulnerabilities defined in a Security advisory. e.g. Microsoft KB Article, Apple Security Advisory, or a GitHub Security Advisory (GHSA)","extends":"object","profiles":["data_classification","datetime"],"caption":"Advisory"},"win/reg_value":{"attributes":{"data":{"type":"json_t","description":"The data of the registry value. Where the value type is known, implementers should instead use a type-specific attribute, i.e. reg_binary_data, reg_integer_data, reg_string_data, or reg_string_list_data.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the registry value.","requirement":"required","caption":"Name","type_name":"String","observable":43},"type":{"type":"string_t","description":"A string representation of the value type as specified in Registry Value Types.","requirement":"optional","caption":"Type","type_name":"String"},"path":{"type":"reg_key_path_t","description":"The full path to the registry key, where the value is located.","requirement":"required","caption":"Path","type_name":"Registry Key Path"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A 32-bit integer in big-endian byte order.","caption":"REG_DWORD_BIG_ENDIAN"},"6":{"description":"A sequence of zero or more strings.","caption":"REG_MULTI_SZ"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"Arbitrary binary data.","caption":"REG_BINARY"},"2":{"description":"A 32-bit integer.","caption":"REG_DWORD"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A string containing unexpanded environment variables, e.g. %USERPROFILE%\\Downloads.","caption":"REG_EXPAND_SZ"},"5":{"description":"A string containing the target path of a symbolic link created by calling RegCreateKeyEx with REG_OPTION_CREATE_LINK.","caption":"REG_LINK"},"7":{"description":"A value with no declared type.","caption":"REG_NONE"},"8":{"description":"A 64-bit integer.","caption":"REG_QWORD"},"9":{"description":"Not defined in Windows documentation and previously added to OCSF in error.","caption":"REG_QWORD_LITTLE_ENDIAN","@deprecated":{"message":"Use REG_QWORD instead.","since":"1.6.0"}},"10":{"description":"A string.","caption":"REG_SZ"}},"description":"The value type ID.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"is_default":{"type":"boolean_t","description":"The indication of whether the value is from a default value name. For example, the value name could be missing.","requirement":"optional","caption":"Default Value","type_name":"Boolean"},"is_system":{"type":"boolean_t","description":"The indication of whether the object is part of the operating system.","requirement":"optional","caption":"System","type_name":"Boolean"},"modified_time":{"type":"timestamp_t","description":"The time when the registry value was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"modified_time_dt":{"type":"datetime_t","description":"The time when the registry value was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"},"reg_binary_data":{"type":"bytestring_t","description":"The data of the registry value when type_id is REG_BINARY or REG_NONE.","extension":"win","requirement":"optional","extension_id":2,"caption":"Registry Binary Data","type_name":"Byte String"},"reg_integer_data":{"type":"long_t","description":"The data of the registry value when type_id is REG_DWORD, REG_DWORD_BIG_ENDIAN, or REG_QWORD.","extension":"win","requirement":"optional","extension_id":2,"caption":"Registry Integer Data","type_name":"Long"},"reg_string_data":{"type":"string_t","description":"The data of the registry value when type_id is REG_SZ, REG_EXPAND_SZ, or REG_LINK.","extension":"win","requirement":"optional","extension_id":2,"caption":"Registry String Data","type_name":"String"},"reg_string_list_data":{"type":"string_t","description":"The data of the registry value when type_id is REG_MULTI_SZ.","extension":"win","is_array":true,"requirement":"optional","extension_id":2,"caption":"Registry String List Data","type_name":"String"}},"name":"reg_value","description":"The registry value object describes a Windows registry value.","extension":"win","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:WindowsRegistryValue.","url":"https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/"}],"extension_id":2,"profiles":["datetime"],"caption":"Registry Value","observable":29},"managed_entity":{"attributes":{"data":{"type":"json_t","description":"The managed entity content as a JSON object.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the managed entity. It should match the name of the specific entity object's name if populated, or the name of the managed entity if the type_id is 'Other'.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The managed entity type. For example: Policy, User, Organization, Device.","requirement":"recommended","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The version of the managed entity. For example: 1.2.3.","requirement":"recommended","caption":"Version","type_name":"String"},"user":{"type":"object_t","description":"The user that pertains to the event or object.","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","requirement":"recommended","object_type":"device","caption":"Device","object_name":"Device"},"group":{"type":"object_t","description":"The group object associated with an entity such as user, policy, or rule.","requirement":"recommended","object_type":"group","caption":"Group","object_name":"Group"},"location":{"type":"object_t","description":"The detailed geographical location usually associated with an IP address.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"uid":{"type":"string_t","description":"The identifier of the managed entity. It should match the uid of the specific entity's object UID if populated, or the source specific ID if the type_id is 'Other'.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"email":{"type":"object_t","description":"The email object.","requirement":"recommended","object_type":"email","caption":"Email","object_name":"Email"},"org":{"type":"object_t","description":"The Organization object containing details about the managed organizational entity. This object includes properties such as the organization name, unique identifier, type, and other organizational metadata. This attribute should be populated when type_id is 4 (Organization).","requirement":"recommended","object_type":"organization","caption":"Organization","object_name":"Organization"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A managed Group entity. This item corresponds to population of the group attribute.","caption":"Group"},"6":{"description":"A managed Email entity. This item corresponds to population of the email attribute.","caption":"Email"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A managed Device entity. This item corresponds to population of the device attribute.","caption":"Device"},"2":{"description":"A managed User entity. This item corresponds to population of the user attribute.","caption":"User"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A managed Organization entity. This item corresponds to population of the org attribute.","caption":"Organization"},"5":{"description":"A managed Policy entity. This item corresponds to population of the policy attribute.","caption":"Policy"},"7":{"description":"A managed Network Zone entity. Populate the name attribute with the zone name and/or the uid attribute with the zone ID. Additional zone information can be added to the data attribute.","caption":"Network Zone"}},"description":"The type of the Managed Entity. It is recommended to also populate the type attribute with the associated label, or the source specific name if Other.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"policy":{"type":"object_t","description":"Describes details of a managed policy.","requirement":"recommended","object_type":"policy","caption":"Policy","object_name":"Policy"}},"name":"managed_entity","description":"The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute, type_id should be 'Other' and the type attribute should label the entity type.","extends":"_entity","constraints":{"at_least_one":["name","uid","device","group","org","policy","user"]},"profiles":["container","data_classification"],"caption":"Managed Entity"},"fingerprint":{"attributes":{"value":{"type":"file_hash_t","description":"The fingerprint value.Note: This uses type file_hash_t ("Hash"), which has been generalized for all fingerprints but retains the same name and caption for backwards compatibility.
algorithm_id. In the case of Other, it is defined by the event source.","requirement":"optional","caption":"Algorithm","type_name":"String"},"algorithm_id":{"type":"integer_t","enum":{"3":{"description":"Secure Hash Algorithm 2 producing a 256-bit (32-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-256"},"6":{"description":"The TLSH fuzzy hashing algorithm.","caption":"TLSH"},"0":{"description":"The algorithm is unknown.","caption":"Unknown"},"1":{"description":"MD5 message-digest algorithm producing a 128-bit (16-byte) hash value.","references":[{"description":"RFC 1321","url":"https://www.rfc-editor.org/rfc/rfc1321"}],"caption":"MD5"},"2":{"description":"Secure Hash Algorithm 1 producing a 160-bit (20-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-1"},"99":{"description":"The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-512"},"5":{"description":"The ssdeep generated fuzzy checksum. Also known as Context Triggered Piecewise Hash (CTPH).","caption":"CTPH"},"7":{"description":"Microsoft simple non-cryptographic hash algorithm that works by XORing the bytes in a circular-shifting fashion.","caption":"quickXorHash"},"8":{"description":"Secure Hash Algorithm 2 producing a 224-bit (28-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-224"},"9":{"description":"Secure Hash Algorithm 2 producing a 384-bit (48-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-384"},"10":{"description":"Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value truncated to a 224-bit (28-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-512/224"},"11":{"description":"Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value truncated to a 256-bit (32-byte) hash value.","references":[{"description":"FIPS 180","url":"https://csrc.nist.gov/pubs/fips/180-4/upd1/final"}],"caption":"SHA-512/256"},"12":{"description":"Secure Hash Algorithm 3 producing a 224-bit (28-byte) hash value.","references":[{"description":"FIPS 202","url":"https://csrc.nist.gov/pubs/fips/202/final"}],"caption":"SHA3-224"},"14":{"description":"Secure Hash Algorithm 3 producing a 384-bit (48-byte) hash value.","references":[{"description":"FIPS 202","url":"https://csrc.nist.gov/pubs/fips/202/final"}],"caption":"SHA3-384"},"15":{"description":"Secure Hash Algorithm 3 producing a 512-bit (64-byte) hash value.","references":[{"description":"FIPS 202","url":"https://csrc.nist.gov/pubs/fips/202/final"}],"caption":"SHA3-512"},"16":{"description":"xxHash H3 producing a 64-bit hash value.","references":[{"description":"xxHASH H3","url":"https://xxhash.com/doc/v0.8.3/group___x_x_h3__family.html"}],"caption":"xxHash H3 64-bit"},"17":{"description":"xxHash H3 producing a 128-bit hash value.","references":[{"description":"xxHASH H3","url":"https://xxhash.com/doc/v0.8.3/group___x_x_h3__family.html"}],"caption":"xxHash H3 128-bit"},"18":{"description":"Import hash (imphash) based on the import table of a Portable Executable (PE) file producing a 128-bit (16-byte) hash value.","references":[{"description":"Tracking Malware with Import Hashing","url":"https://cloud.google.com/blog/topics/threat-intelligence/tracking-malware-import-hashing/"}],"caption":"Imphash"},"20":{"description":"HASSH is a network fingerprinting standard which can be used to identify specific SSH client and server implementations.","caption":"HASSH"},"13":{"description":"Secure Hash Algorithm 3 producing a 256-bit (32-byte) hash value.","references":[{"description":"FIPS 202","url":"https://csrc.nist.gov/pubs/fips/202/final"}],"caption":"SHA3-256"},"19":{"description":"Network Protocol Fingerprint (NPF) used to identify network protocols and applications.","references":[{"description":"Mercury Network Protocol Fingerprint Documentation","url":"https://github.com/cisco/mercury/blob/main/doc/npf.md"}],"caption":"NPF"}},"description":"The identifier of the normalized algorithm or scheme, which was used to create the fingerprint.","requirement":"required","caption":"Algorithm ID","sibling":"algorithm","type_name":"Integer"}},"name":"fingerprint","description":"The Fingerprint object provides detailed information about a fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key, file content, or application implementation. It contains the algorithm or scheme and value of the fingerprint, enabling efficient and reliable identification of the associated data.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:DigitalFingerprint.","url":"https://d3fend.mitre.org/dao/artifact/d3f:DigitalFingerprint/"}],"caption":"Fingerprint","observable":30},"product":{"attributes":{"name":{"type":"string_t","description":"The name of the product.","requirement":"recommended","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The version of the product, as defined by the event source. For example: 2013.1.3-beta.","requirement":"recommended","caption":"Version","type_name":"String"},"path":{"type":"string_t","description":"The installation path of the product.","requirement":"optional","caption":"Path","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the product.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"feature":{"type":"object_t","description":"The feature that reported the event.","requirement":"optional","object_type":"feature","caption":"Feature","object_name":"Feature"},"lang":{"type":"string_t","description":"The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).","requirement":"optional","caption":"Language","type_name":"String"},"cpe_name":{"type":"string_t","description":"The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.","requirement":"optional","caption":"The product CPE identifier","type_name":"String"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"url_string":{"type":"url_t","description":"The URL pointing towards the product.","requirement":"optional","caption":"URL String","type_name":"URL String"},"vendor_name":{"type":"string_t","description":"The name of the vendor of the product.","requirement":"recommended","caption":"Vendor Name","type_name":"String"}},"name":"product","description":"The Product object describes characteristics of a software product.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["data_classification"],"caption":"Product"},"group":{"attributes":{"name":{"type":"string_t","description":"The group name.","requirement":"recommended","caption":"Name","type_name":"String","observable":32},"type":{"type":"string_t","description":"The type of the group.","requirement":"optional","caption":"Group Type","type_name":"String"},"domain":{"type":"string_t","description":"The domain where the group is defined. For example: the LDAP or Active Directory domain.","requirement":"optional","caption":"Domain","type_name":"String"},"desc":{"type":"string_t","description":"The group description.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. Another example, pool id or desktop id that the device belongs to.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":33},"privileges":{"type":"string_t","description":"The group privileges.","is_array":true,"requirement":"optional","caption":"Privileges","type_name":"String"},"uid_alt":{"type":"string_t","description":"The alternate unique identifier.","requirement":"optional","caption":"Alternate ID","type_name":"String"}},"name":"group","description":"The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:AccessControlGroup.","url":"https://d3fend.mitre.org/dao/artifact/d3f:AccessControlGroup/"}],"caption":"Group"},"peripheral_device":{"attributes":{"name":{"type":"string_t","description":"The name of the peripheral device.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The Peripheral Device type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Peripheral Device Type","type_name":"String"},"class":{"type":"string_t","description":"The class of the peripheral device.","requirement":"optional","caption":"Class","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the peripheral device.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"The peripheral device is a mouse.","caption":"Mouse"},"6":{"description":"The peripheral device is a microphone.","caption":"Microphone"},"0":{"description":"The peripheral device type is unknown.","caption":"Unknown"},"1":{"description":"The peripheral device is an external storage device.","caption":"External Storage"},"2":{"description":"The peripheral device is a keyboard.","caption":"Keyboard"},"99":{"description":"The peripheral device type is not mapped. See the type attribute which contains an event source specific value.","caption":"Other"},"4":{"description":"The peripheral device is a printer.","caption":"Printer"},"5":{"description":"The peripheral device is a monitor.","caption":"Monitor"},"7":{"description":"The peripheral device is a webcam.","caption":"Webcam"}},"description":"The normalized peripheral device type ID.","requirement":"recommended","caption":"Peripheral Device Type ID","sibling":"type","type_name":"Integer"},"model":{"type":"string_t","description":"The peripheral device model.","requirement":"recommended","caption":"Model","type_name":"String"},"serial_number":{"type":"string_t","description":"The peripheral device serial number.","requirement":"recommended","caption":"Serial Number","type_name":"String","observable":37},"vendor_id_list":{"type":"string_t","description":"The list of vendor IDs for the peripheral device.","is_array":true,"requirement":"recommended","caption":"Vendor ID List","type_name":"String"},"vendor_name":{"type":"string_t","description":"The primary vendor name for the peripheral device.","requirement":"recommended","caption":"Vendor Name","type_name":"String"}},"name":"peripheral_device","description":"The peripheral device object describes the properties of external, connectable, and detachable hardware.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Peripheral Device"},"databucket":{"attributes":{"is_backed_up":{"type":"boolean_t","description":"Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.","requirement":"optional","caption":"Back Ups Configured","type_name":"Boolean"},"modified_time":{"type":"timestamp_t","description":"The most recent time when any changes, updates, or modifications were made within the databucket.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"zone":{"type":"string_t","description":"The specific availability zone within a cloud region where the databucket is located.","requirement":"optional","profiles":["cloud"],"caption":"Cloud Availability Zone","type_name":"String"},"uid":{"type":"resource_uid_t","description":"The unique identifier of the databucket.","requirement":"recommended","caption":"Unique ID","type_name":"Resource UID"},"is_public":{"type":"boolean_t","description":"Indicates if the databucket is publicly accessible.","requirement":"recommended","caption":"Public","type_name":"Boolean"},"namespace":{"type":"string_t","description":"The namespace is useful when similar entities exist that you need to keep separate.","requirement":"optional","caption":"Namespace","type_name":"String"},"owner":{"type":"object_t","description":"The identity of the service or user account that owns the databucket.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"type":{"type":"string_t","description":"The databucket type.","requirement":"recommended","caption":"Type","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"GCP Bucket"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"S3"},"2":{"caption":"Azure Blob"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the databucket type.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"data":{"type":"json_t","description":"Additional data describing the resource.","requirement":"optional","caption":"Data","type_name":"JSON"},"modified_time_dt":{"type":"datetime_t","description":"The most recent time when any changes, updates, or modifications were made within the databucket.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"},"labels":{"type":"string_t","description":"The list of labels associated to the resource.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"group":{"type":"object_t","description":"The name of the related resource group.","requirement":"optional","object_type":"group","caption":"Group","@deprecated":{"message":"Use the groups attribute instead.","since":"1.6.0"},"object_name":"Group"},"is_encrypted":{"type":"boolean_t","description":"Indicates if the databucket is encrypted.","requirement":"optional","caption":"Encrypted","type_name":"Boolean"},"name":{"type":"string_t","description":"The databucket name.","requirement":"recommended","caption":"Name","type_name":"String"},"desc":{"type":"string_t","description":"The description of the databucket.","requirement":"optional","caption":"Description","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the databucket was known to have been created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"hostname":{"type":"hostname_t","description":"The fully qualified hostname of the databucket.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"cloud_partition":{"type":"string_t","description":"The logical grouping or isolated segment within a cloud provider's infrastructure where the databucket is located.","requirement":"optional","profiles":["cloud"],"caption":"Cloud Partition","type_name":"String"},"criticality":{"type":"string_t","description":"The criticality of the databucket as defined by the event source.","requirement":"optional","caption":"Criticality","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time when the databucket was known to have been created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"version":{"type":"string_t","description":"The version of the resource. For example 1.2.3.","requirement":"optional","caption":"Version","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the resource.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"resource_relationship":{"type":"object_t","description":"A graph representation showing how this databucket relates to and interacts with other entities in the environment. This can include parent/child relationships, dependencies, or other connections.","requirement":"optional","object_type":"graph","caption":"Resource Relationship","object_name":"Graph"},"size":{"type":"long_t","description":"The size of the databucket in bytes.","requirement":"optional","caption":"Size","type_name":"Long"},"uid_alt":{"type":"resource_uid_t","description":"The alternative unique identifier of the resource.","requirement":"optional","caption":"Alternate ID","type_name":"Resource UID"},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"requirement":"optional","object_type":"agent","caption":"Agent List","object_name":"Agent"},"encryption_details":{"type":"object_t","description":"The encryption details of the databucket. Should be populated if the databucket is encrypted.","requirement":"optional","object_type":"encryption_details","caption":"Encryption Details","object_name":"Encryption Details"},"groups":{"type":"object_t","description":"The group names to which the databucket belongs.","is_array":true,"requirement":"optional","object_type":"group","caption":"Groups","object_name":"Group"},"ip":{"type":"ip_t","description":"The IP address of the resource, in either IPv4 or IPv6 format.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"region":{"type":"string_t","description":"The cloud region of the databucket.","requirement":"optional","profiles":["cloud"],"caption":"Region","type_name":"String"},"file":{"type":"object_t","description":"Details about the file/object within a databucket.","requirement":"optional","object_type":"file","caption":"File","object_name":"File"}},"name":"databucket","description":"The databucket object is a basic container that holds data, typically organized through the use of data partitions.","extends":"_resource","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:CloudStorage.","url":"https://d3fend.mitre.org/dao/artifact/d3f:CloudStorage/"}],"profiles":["cloud","data_classification","datetime"],"caption":"Databucket"},"d3f_tactic":{"attributes":{"name":{"type":"string_t","description":"The tactic name that is associated with the defensive technique. For example: Isolate.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the defensive tactic.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"src_url":{"type":"url_t","description":"The versioned permalink of the defensive tactic. For example: https://d3fend.mitre.org/tactic/d3f:Isolate/.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"d3f_tactic","description":"The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Matrix","url":"https://d3fend.mitre.org"}],"caption":"MITRE D3FEND™ Tactic"},"evidences":{"attributes":{"data":{"type":"json_t","description":"Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.","requirement":"optional","caption":"Data","type_name":"JSON"},"http_response":{"type":"object_t","description":"Describes details about the http response associated to the activity that triggered the detection.","requirement":"recommended","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"http_request":{"type":"object_t","description":"Describes details about the http request associated to the activity that triggered the detection.","requirement":"recommended","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"name":{"type":"string_t","description":"The naming convention or type identifier of the evidence associated with the security detection. For example, the @odata.type from Microsoft Graph Alerts V2 or display_name from CrowdStrike Falcon Incident Behaviors.","requirement":"optional","caption":"Name","type_name":"String"},"process":{"type":"object_t","description":"Describes details about the process associated to the activity that triggered the detection.","requirement":"recommended","object_type":"process","caption":"Process","object_name":"Process"},"file":{"type":"object_t","description":"Describes details about the file associated to the activity that triggered the detection.","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"user":{"type":"object_t","description":"Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"script":{"type":"object_t","description":"Describes details about the script that was associated with the activity that triggered the detection.","requirement":"recommended","object_type":"script","caption":"Script","object_name":"Script"},"device":{"type":"object_t","description":"An addressable device, computer system or host associated to the activity that triggered the detection.","requirement":"recommended","object_type":"device","caption":"Device","object_name":"Device"},"uid":{"type":"string_t","description":"The unique identifier of the evidence associated with the security detection. For example, the activity_id from CrowdStrike Falcon Alerts or behavior_id from CrowdStrike Falcon Incident Behaviors.","requirement":"optional","caption":"Unique ID","type_name":"String"},"query":{"type":"object_t","description":"Describes details about the DNS query associated to the activity that triggered the detection.","requirement":"recommended","object_type":"dns_query","caption":"DNS Query","object_name":"DNS Query"},"connection_info":{"type":"object_t","description":"Describes details about the network connection associated to the activity that triggered the detection.","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"url":{"type":"object_t","description":"The URL object that pertains to the event or object associated to the activity that triggered the detection.","requirement":"recommended","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"email":{"type":"object_t","description":"The email object associated to the activity that triggered the detection.","requirement":"recommended","object_type":"email","caption":"Email","object_name":"Email"},"tls":{"type":"object_t","description":"Describes details about the Transport Layer Security (TLS) activity that triggered the detection.","requirement":"recommended","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"api":{"type":"object_t","description":"Describes details about the API call associated to the activity that triggered the detection.","requirement":"recommended","object_type":"api","caption":"API Details","object_name":"API"},"resources":{"type":"object_t","description":"Describes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use Affected Resources at the top-level of the finding.","is_array":true,"requirement":"recommended","object_type":"resource_details","caption":"Cloud Resources","object_name":"Resource Details"},"actor":{"type":"object_t","description":"Describes details about the user/role/process that was the source of the activity that triggered the detection.","requirement":"recommended","object_type":"actor","caption":"Actor","object_name":"Actor"},"container":{"type":"object_t","description":"Describes details about the container associated to the activity that triggered the detection.","requirement":"recommended","object_type":"container","caption":"Container","object_name":"Container"},"database":{"type":"object_t","description":"Describes details about the database associated to the activity that triggered the detection.","requirement":"recommended","object_type":"database","caption":"Database","object_name":"Database"},"databucket":{"type":"object_t","description":"Describes details about the databucket associated to the activity that triggered the detection.","requirement":"recommended","object_type":"databucket","caption":"Databucket","object_name":"Databucket"},"dst_endpoint":{"type":"object_t","description":"Describes details about the destination of the network activity that triggered the detection.","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"ja4_fingerprint_list":{"type":"object_t","description":"Describes details about the JA4+ fingerprints that triggered the detection.","is_array":true,"requirement":"recommended","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"job":{"type":"object_t","description":"Describes details about the scheduled job that was associated with the activity that triggered the detection.","requirement":"recommended","object_type":"job","caption":"Job","object_name":"Job"},"src_endpoint":{"type":"object_t","description":"Describes details about the source of the network activity that triggered the detection.","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"verdict":{"type":"string_t","description":"The normalized verdict of the evidence associated with the security detection. ","requirement":"optional","caption":"Verdict","type_name":"String"},"verdict_id":{"type":"integer_t","enum":{"3":{"description":"The verdict for the evidence is that is should be Disregarded.","caption":"Disregard"},"6":{"description":"The evidence is part of a Test, or other sanctioned behavior(s).","caption":"Test"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"The verdict for the evidence has been identified as a False Positive.","caption":"False Positive"},"2":{"description":"The verdict for the evidence has been identified as a True Positive.","caption":"True Positive"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The verdict for the evidence is that the behavior has been identified as Suspicious.","caption":"Suspicious"},"5":{"description":"The verdict for the evidence is that the behavior has been identified as Benign.","caption":"Benign"},"7":{"description":"There is insufficient data to render a verdict on the evidence.","caption":"Insufficient Data"},"8":{"description":"The verdict for the evidence is that the behavior has been identified as a Security Risk.","caption":"Security Risk"},"9":{"description":"The verdict for the evidence is Managed Externally, such as in a case management tool.","caption":"Managed Externally"},"10":{"description":"This evidence duplicates existing evidence related to this finding.","caption":"Duplicate"}},"description":"The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.","requirement":"optional","caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"reg_key":{"type":"object_t","description":"Describes details about the registry key that triggered the detection.","extension":"win","requirement":"recommended","extension_id":2,"object_type":"win/reg_key","caption":"Registry Key","object_name":"Registry Key"},"win_service":{"type":"object_t","description":"Describes details about the Windows service that triggered the detection.","extension":"win","requirement":"recommended","extension_id":2,"object_type":"win/win_service","caption":"Windows Service","object_name":"Windows Service"},"reg_value":{"type":"object_t","description":"Describes details about the registry value that triggered the detection.","extension":"win","requirement":"recommended","extension_id":2,"object_type":"win/reg_value","caption":"Registry Value","object_name":"Registry Value"}},"name":"evidences","description":"A collection of evidence artifacts associated to the activity/activities that triggered a security detection.","extends":"_entity","constraints":{"at_least_one":["actor","api","connection_info","data","database","databucket","device","dst_endpoint","email","file","process","query","src_endpoint","url","user","job","script","reg_key","reg_value","win_service"]},"profiles":["cloud","container","data_classification","linux/linux_users","macos/macos_users"],"caption":"Evidence Artifacts"},"malware_scan_info":{"attributes":{"name":{"type":"string_t","description":"The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"","requirement":"recommended","caption":"Name","type_name":"String"},"size":{"type":"long_t","description":"The total size in bytes of all files that were scanned.","requirement":"optional","caption":"Size","type_name":"Long"},"type":{"type":"string_t","description":"The type of scan.","requirement":"optional","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The application-defined unique identifier assigned to an instance of a scan.","requirement":"recommended","caption":"Scan UID","type_name":"String"},"start_time":{"type":"timestamp_t","description":"The timestamp indicating when the scan job began execution.","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"type_id":{"type":"integer_t","enum":{"3":{"description":"The scan was triggered by a content update.","caption":"Updated Content"},"6":{"description":"The scan was started due to a user logon.","caption":"User Logon"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"The scan was manually initiated by the user or administrator.","caption":"Manual"},"2":{"description":"The scan was started based on scheduler.","caption":"Scheduled"},"99":{"description":"The scan type id is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The scan was triggered by newly quarantined items.","caption":"Quarantined Items"},"5":{"description":"The scan was triggered by the attachment of removable media.","caption":"Attached Media"},"7":{"description":"The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.","caption":"ELAM"}},"description":"The type id of the scan.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"end_time":{"type":"timestamp_t","description":"The timestamp indicating when the scan job completed execution.","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"start_time_dt":{"type":"datetime_t","description":"The timestamp indicating when the scan job began execution.","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"end_time_dt":{"type":"datetime_t","description":"The timestamp indicating when the scan job completed execution.","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"num_files":{"type":"integer_t","description":"The total number of files analyzed during the scan.","requirement":"optional","caption":"Scanned Files","type_name":"Integer"},"num_infected":{"type":"integer_t","description":"The total number of files identified as infected with malware during the scan.","requirement":"optional","caption":"Number of Infected Entities","type_name":"Integer"},"num_volumes":{"type":"integer_t","description":"The total number of storage volumes examined during the malware scan.","requirement":"optional","caption":"Number of Volumes","type_name":"Integer"},"unique_malware_count":{"type":"integer_t","description":"The number of unique malware detected across all infected files.","requirement":"optional","caption":"Unique Malware Count","type_name":"Integer"}},"name":"malware_scan_info","description":"The malware scan information object describes characteristics, metadata of a malware scanning job.","extends":"scan","constraints":{"at_least_one":["name","uid"]},"profiles":["datetime"],"caption":"Malware Scan Info"},"object":{"attributes":{},"name":"object","description":"An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.","caption":"Object"},"metadata":{"attributes":{"modified_time":{"type":"timestamp_t","description":"The time when the event was last modified or enriched.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"logged_time_dt":{"type":"datetime_t","description":"The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.","requirement":"optional","profiles":["datetime"],"caption":"Logged Time","type_name":"Datetime"},"processed_time":{"type":"timestamp_t","description":"The event processed time, such as an ETL operation.","requirement":"optional","caption":"Processed Time","type_name":"Timestamp"},"uid":{"type":"string_t","description":"A unique identifier assigned to the OCSF event. This ID is specific to the OCSF event itself and is distinct from the original event identifier in the source system (seeoriginal_event_uid).","requirement":"optional","caption":"Event UID","type_name":"String"},"tenant_uid":{"type":"string_t","description":"The unique tenant identifier.","requirement":"recommended","caption":"Tenant UID","type_name":"String"},"untruncated_size":{"type":"integer_t","description":"The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event.","requirement":"optional","caption":"Untruncated Size","type_name":"Integer"},"log_format":{"type":"string_t","description":"The format of data in the log where the data originated. For example CSV, XML, Windows Multiline, JSON, syslog or Cisco Log Schema.","requirement":"optional","caption":"Log Source Format","type_name":"String"},"extensions":{"type":"object_t","description":"The schema extensions used to create the event.","is_array":true,"requirement":"optional","object_type":"extension","caption":"Schema Extensions","object_name":"Schema Extension"},"type":{"type":"string_t","description":"The type of the event or finding as a subset of the source of the event. This can be any distinguishing characteristic of the data. For example 'Management Events' or 'Device Penetration Test'.","requirement":"optional","caption":"Type","type_name":"String"},"loggers":{"type":"object_t","description":"An array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow and/or to track the chain of custody of the data.","is_array":true,"requirement":"optional","object_type":"logger","caption":"Loggers","object_name":"Logger"},"log_version":{"type":"string_t","description":"The event log schema version of the original event. For example the syslog version or the Cisco Log Schema version","requirement":"optional","caption":"Log Version","type_name":"String"},"modified_time_dt":{"type":"datetime_t","description":"The time when the event was last modified or enriched.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"},"labels":{"type":"string_t","description":"The list of labels attached to the event. For example: [\"sample\", \"dev\"]","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"product":{"type":"object_t","description":"The product that reported the event.","requirement":"required","object_type":"product","caption":"Product","object_name":"Product"},"reporter":{"type":"object_t","description":"The entity from which the event or finding was first reported.","requirement":"recommended","object_type":"reporter","caption":"Reporter","object_name":"Reporter"},"sequence":{"type":"integer_t","description":"Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.","requirement":"optional","caption":"Sequence Number","type_name":"Integer"},"logged_time":{"type":"timestamp_t","description":"The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.","requirement":"optional","caption":"Logged Time","type_name":"Timestamp"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attributedata_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"original_event_uid":{"type":"string_t","description":"The unique identifier assigned to the event in its original logging system before transformation to OCSF format. This field preserves the source system's native event identifier, enabling traceability back to the raw log entry. For example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value, or a database transaction log sequence number.","requirement":"optional","caption":"Original Event ID","type_name":"String"},"transmit_time_dt":{"type":"datetime_t","description":"The time when the event was transmitted from the logging device to it's next destination.","requirement":"optional","profiles":["datetime"],"caption":"Transmission Time","type_name":"Datetime"},"profiles":{"type":"string_t","description":"The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.","is_array":true,"requirement":"optional","caption":"Profiles","type_name":"String"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"transformation_info_list":{"type":"object_t","description":"An array of transformation info that describes the mappings or transforms applied to the data.","is_array":true,"requirement":"optional","object_type":"transformation_info","caption":"Transformation Info","object_name":"Transformation Info"},"version":{"type":"string_t","description":"The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.","requirement":"required","caption":"Version","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the event.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"is_truncated":{"type":"boolean_t","description":"Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.","requirement":"optional","caption":"Is Truncated","type_name":"Boolean"},"log_source":{"type":"string_t","description":"The log system or component where the data originated. For example, a file path, syslog server name or a Windows hostname and logging subsystem such as Security.","requirement":"optional","caption":"Log Source","type_name":"String"},"source":{"type":"string_t","description":"The source of the event or finding. This can be any distinguishing name for the logical origin of the data — for example, 'CloudTrail Events', or a use case like 'Attack Simulations' or 'Vulnerability Scans'.","requirement":"optional","caption":"Source","type_name":"String"},"debug":{"type":"string_t","description":"Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.","is_array":true,"requirement":"optional","caption":"Debug Information","type_name":"String"},"processed_time_dt":{"type":"datetime_t","description":"The event processed time, such as an ETL operation.","requirement":"optional","profiles":["datetime"],"caption":"Processed Time","type_name":"Datetime"},"event_code":{"type":"string_t","description":"The identifier of the original event. For example the numerical Windows Event Code or Cisco syslog code.","requirement":"optional","caption":"Event Code","type_name":"String"},"log_level":{"type":"string_t","description":"The level at which an event was logged. This can be log provider specific. For example the audit level.","requirement":"optional","caption":"Log Level","type_name":"String"},"transmit_time":{"type":"timestamp_t","description":"The time when the event was transmitted from the logging device to it's next destination.","requirement":"optional","caption":"Transmission Time","type_name":"Timestamp"},"correlation_uid":{"type":"string_t","description":"A unique identifier used to correlate this OCSF event with other related OCSF events, distinct from the event's uid value. This enables linking multiple OCSF events that are part of the same activity, transaction, or security incident across different systems or time periods.","requirement":"optional","caption":"Correlation UID","type_name":"String"},"log_provider":{"type":"string_t","description":"The logging provider or logging service that logged the event. For example AWS CloudWatch or Splunk.","requirement":"optional","caption":"Log Provider","type_name":"String"},"extension":{"type":"object_t","description":"The schema extension used to create the event.","requirement":"optional","object_type":"extension","caption":"Schema Extension","@deprecated":{"message":"Use the extensions attribute instead.","since":"1.1.0"},"object_name":"Schema Extension"},"total_queued_duration":{"type":"object_t","description":"The amount of time an event spent in a queue awaiting processing. In this case, the value is the difference between processed_time and logged_time. This duration is inclusive of all queues between the originator of the event and the intended long-term storage destination of the event.","requirement":"optional","object_type":"timespan","caption":"Total Queued Duration","object_name":"Time Span"},"original_time":{"type":"string_t","description":"The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.","requirement":"recommended","caption":"Original Time","type_name":"String"},"log_name":{"type":"string_t","description":"The event log name, typically for the consumer of the event. For example, the storage bucket name, SIEM repository index name, etc.","requirement":"recommended","caption":"Log Name","type_name":"String"}},"name":"metadata","description":"The Metadata object describes the metadata associated with the event.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:Metadata","url":"https://d3fend.mitre.org/dao/artifact/d3f:Metadata/"}],"profiles":["container","data_classification","datetime"],"caption":"Metadata"},"service_privilege_analysis":{"attributes":{"name":{"type":"string_t","description":"The service or namespace identifier. Examples: s3, ec2 (AWS); Microsoft.Storage (Azure); storage (GCP).","requirement":"required","caption":"Name","type_name":"String"},"all_privileges_unused":{"type":"boolean_t","description":"Indicates whether all privileges within this service are unused.","requirement":"optional","caption":"All Privileges Unused","type_name":"Boolean"},"analyzed_privileges_count":{"type":"integer_t","description":"The total count of privileges analyzed within this service.","requirement":"optional","caption":"Analyzed Privileges Count","type_name":"Integer"},"execute_count":{"type":"integer_t","description":"The count of execute-type privileges within this service.","requirement":"optional","caption":"Execute Privilege Count","type_name":"Integer"},"last_used_time":{"type":"timestamp_t","description":"The most recent time any privilege in this service was used.","requirement":"optional","caption":"Last Used Time","type_name":"Timestamp"},"privilege_attack_info_list":{"type":"object_t","description":"The list of privilege-to-attack mappings for this service.","is_array":true,"requirement":"optional","object_type":"privilege_attack_info","caption":"Privilege Attack Info List","object_name":"Privilege Attack Info"},"read_count":{"type":"integer_t","description":"The count of read-type privileges within this service.","requirement":"optional","caption":"Read Privilege Count","type_name":"Integer"},"unused_privileges_count":{"type":"integer_t","description":"The count of unused privileges within this service.","requirement":"optional","caption":"Unused Privileges Count","type_name":"Integer"},"write_count":{"type":"integer_t","description":"The count of write-type privileges within this service.","requirement":"optional","caption":"Write Privilege Count","type_name":"Integer"},"last_used_time_dt":{"type":"datetime_t","description":"The most recent time any privilege in this service was used.","requirement":"optional","profiles":["datetime"],"caption":"Last Used Time","type_name":"Datetime"}},"name":"service_privilege_analysis","description":"The Service Privilege Analysis object describes privilege analysis results for a single cloud service or resource namespace. It provides metrics on privilege usage, counts by type, and mappings to potential attack techniques.","extends":"object","profiles":["datetime"],"caption":"Service Privilege Analysis"},"reporter":{"attributes":{"name":{"type":"string_t","description":"The name of the entity from which the event or finding was reported.","requirement":"recommended","caption":"Name","type_name":"String"},"ip":{"type":"ip_t","description":"The IP address of the entity from which the event or finding was reported.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"hostname":{"type":"hostname_t","description":"The hostname of the entity from which the event or finding was reported.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"uid":{"type":"string_t","description":"The unique identifier of the entity from which the event or finding was reported.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"org":{"type":"object_t","description":"The organization properties of the entity that reported the event or finding.","requirement":"optional","object_type":"organization","caption":"Organization","object_name":"Organization"}},"name":"reporter","description":"The entity from which an event or finding was reported.","extends":"_entity","constraints":{"at_least_one":["hostname","ip","name","uid"]},"caption":"Reporter"},"classifier_details":{"attributes":{"name":{"type":"string_t","description":"The name of the classifier.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the classifier.","requirement":"required","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the classifier.","requirement":"recommended","caption":"Unique ID","type_name":"String"}},"name":"classifier_details","description":"The Classifier Details object describes details about the classifier used for data classification.","extends":"object","caption":"Classifier Details"},"anomaly":{"attributes":{"observation_parameter":{"type":"string_t","description":"The specific parameter, metric or property where the anomaly was observed. Examples include: CPU usage percentage, API response time in milliseconds, HTTP error rate, memory utilization, network latency, transaction volume, etc. This helps identify the exact aspect of the system exhibiting anomalous behavior.","requirement":"required","caption":"Observation Parameter","type_name":"String"},"observation_type":{"type":"string_t","description":"The type of analysis methodology used to detect the anomaly. This indicates how the anomaly was identified through different analytical approaches. Common types include: Frequency Analysis, Time Pattern Analysis, Volume Analysis, Sequence Analysis, Distribution Analysis, etc.","requirement":"recommended","caption":"Observation Type","type_name":"String"},"observations":{"type":"object_t","description":"Details about the observed anomaly or observations that were flagged as anomalous compared to expected baseline behavior.","is_array":true,"requirement":"required","object_type":"observation","caption":"Observations","object_name":"Observation"},"observed_pattern":{"type":"string_t","description":"The specific pattern identified within the observation type. For Frequency Analysis, this could be 'FREQUENT', 'INFREQUENT', 'RARE', or 'UNSEEN'. For Time Pattern Analysis, this could be 'BUSINESS_HOURS', 'OFF_HOURS', or 'UNUSUAL_TIME'. For Volume Analysis, this could be 'NORMAL_VOLUME', 'HIGH_VOLUME', or 'SURGE'. The pattern values are specific to each observation type and indicate how the observed behavior relates to the baseline.","requirement":"recommended","caption":"Observed Pattern","type_name":"String"}},"name":"anomaly","description":"Describes an anomaly or deviation detected in a system. Anomalies are unexpected activity patterns that could indicate potential issues needing attention.","extends":"object","caption":"Anomaly"},"authentication_token":{"attributes":{"name":{"type":"string_t","description":"The human-friendly name of a token or key, if available, such as the name from the Okta API Token API.","requirement":"optional","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the authentication token.","requirement":"recommended","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The unique ID of a token or key, if available, such as the Secret ID of Entra ID Application Registration Client Secrets.","requirement":"optional","caption":"Unique ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"Identity (ID) Token for OIDC.","caption":"Identity Token"},"6":{"description":"Client Token issued by an Identity Provider (IdP) for application authentication. Use this value for IdP-issued tokens used for service-to-service authentication. Examples: Microsoft Entra ID Application Registration client secrets, Okta API tokens, Auth0 Machine-to-Machine tokens. Key characteristic: These tokens are issued by Identity Providers, not by individual services.","caption":"Client Token"},"0":{"description":"The Authentication token type is unknown.","caption":"Unknown"},"1":{"description":"Ticket Granting Ticket (TGT) for Kerberos.","caption":"Ticket Granting Ticket"},"2":{"description":"Service Ticket (ST) for Kerberos.","caption":"Service Ticket"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Refresh Token for OIDC.","caption":"Refresh Token"},"5":{"description":"Authentication Assertion for SAML.","caption":"SAML Assertion"},"7":{"description":"A generic API token or API key used for authenticating API requests. Use this value for service-specific API authentication tokens that are NOT issued by Identity Providers. Examples: REST API keys, GraphQL API keys, Stripe API keys, Twilio API keys, AWS API keys. Key characteristic: These tokens are issued by individual services/platforms, not by Identity Providers.","caption":"API Token"}},"description":"The normalized authentication token type identifier. This attribute restricts the base token.type_id enum to only protocol-specific authentication token types (values 0, 1-5, 99). API tokens and client tokens (values 6-7) are not valid for authentication_token - use the base token object for those types.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time that the authentication token was created or issued. This corresponds to the token issuance time, such as the iat (issued at) claim in OIDC tokens, the issue instant in SAML assertions, or the ticket start time in Kerberos tickets.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"encryption_details":{"type":"object_t","description":"The encryption details of the authentication token.","requirement":"recommended","object_type":"encryption_details","caption":"Encryption Details","object_name":"Encryption Details"},"expiration_time":{"type":"timestamp_t","description":"The expiration time of the authentication token.","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"is_renewable":{"type":"boolean_t","description":"Indicates whether the authentication token is renewable.","requirement":"optional","caption":"Renewable","type_name":"Boolean"},"kerberos_flags":{"type":"string_t","description":"A bitmask, either in hexadecimal or decimal form, which encodes various attributes or permissions associated with a Kerberos ticket. These flags delineate specific characteristics of the ticket, such as its renewability or forwardability.","references":[{"description":"RFC 4120: 5.2.8. KerberosFlags","url":"https://www.rfc-editor.org/rfc/rfc4120#section-5.2.8"},{"description":"Microsoft Windows Security 4769 (see 'Ticket Options')","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769"}],"requirement":"recommended","caption":"Kerberos Flags","type_name":"String"},"modified_time":{"type":"timestamp_t","description":"The last time the token was updated.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"tenant_uid":{"type":"string_t","description":"The unique identifier of the tenant or organization that owns the token or key, or the tenant context in which the token is authorized for use. This is particularly relevant in multi-tenant Identity Provider scenarios where tokens are scoped to specific tenants.","requirement":"optional","caption":"Tenant UID","type_name":"String"},"zone":{"type":"string_t","description":"The network zone or geographic region that the token or key is authorized to be used from. This may represent network-based access restrictions, geographic limitations, or other zone-based authorization policies. Examples include Okta's network zone restrictions or cloud provider region restrictions.","requirement":"optional","caption":"Network Zone","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time that the authentication token was created or issued. This corresponds to the token issuance time, such as the iat (issued at) claim in OIDC tokens, the issue instant in SAML assertions, or the ticket start time in Kerberos tickets.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"expiration_time_dt":{"type":"datetime_t","description":"The expiration time of the authentication token.","requirement":"optional","profiles":["datetime"],"caption":"Expiration Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The last time the token was updated.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"authentication_token","description":"The Authentication Token object extends the base token object and represents standardized authentication tokens, tickets, or assertions that conform to established authentication protocols such as Kerberos, OIDC, and SAML. This object inherits all attributes from token and adds protocol-specific attributes (e.g., kerberos_flags, encryption_details) for authentication events. Use this object in authentication events to represent protocol-specific tokens: Kerberos Ticket Granting Tickets (TGT) and Service Tickets (ST), OIDC Identity Tokens and Refresh Tokens, and SAML Assertions. These tokens are issued by authentication servers and identity providers and carry protocol-specific metadata, lifecycle information, and security attributes defined by their respective specifications. When to use this object: Use authentication_token when representing protocol-specific authentication tokens (type_id values 1-5: Kerberos TGT/ST, OIDC ID/Refresh tokens, SAML assertions) in authentication events. When NOT to use this object: Do NOT use authentication_token for API tokens or client tokens (type_id values 6-7) used in API activity events - use the base token object instead. Do NOT use authentication_token for generic API keys - use the base token object instead.","extends":"token","profiles":["datetime"],"caption":"Authentication Token"},"analysis_target":{"attributes":{"name":{"type":"string_t","description":"The specific name or identifier of the analysis target, such as the username of a User Account, the name of a Kubernetes Cluster, the identifier of a Network Namespace, or the name of an Application Component.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The category of the analysis target, such as User Account, Kubernetes Cluster, Network Namespace, or Application Component.","requirement":"optional","caption":"Type","type_name":"String"}},"name":"analysis_target","description":"The analysis target defines the scope of monitored activities, specifying what entity, system or process is analyzed for activity patterns.","caption":"Analysis Target"},"token":{"attributes":{"name":{"type":"string_t","description":"The human-friendly name of a token or key, if available, such as the name from the Okta API Token API.","requirement":"optional","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the token, normalized to the caption of the type_id value. This indicates whether the token is a Client Token, API Token, or one of the protocol-specific token types.","requirement":"recommended","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The unique ID of a token or key, if available, such as the Secret ID of Entra ID Application Registration Client Secrets.","requirement":"optional","caption":"Unique ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"Identity (ID) Token for OIDC.","caption":"Identity Token"},"6":{"description":"Client Token issued by an Identity Provider (IdP) for application authentication. Use this value for IdP-issued tokens used for service-to-service authentication. Examples: Microsoft Entra ID Application Registration client secrets, Okta API tokens, Auth0 Machine-to-Machine tokens. Key characteristic: These tokens are issued by Identity Providers, not by individual services.","caption":"Client Token"},"0":{"description":"The token type is unknown.","caption":"Unknown"},"1":{"description":"Ticket Granting Ticket (TGT) for Kerberos.","caption":"Ticket Granting Ticket"},"2":{"description":"Service Ticket (ST) for Kerberos.","caption":"Service Ticket"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Refresh Token for OIDC.","caption":"Refresh Token"},"5":{"description":"Authentication Assertion for SAML.","caption":"SAML Assertion"},"7":{"description":"A generic API token or API key used for authenticating API requests. Use this value for service-specific API authentication tokens that are NOT issued by Identity Providers. Examples: REST API keys, GraphQL API keys, Stripe API keys, Twilio API keys, AWS API keys. Key characteristic: These tokens are issued by individual services/platforms, not by Identity Providers.","caption":"API Token"}},"description":"The normalized token type identifier. Valid values: 0 (Unknown), 1 (Ticket Granting Ticket - Kerberos), 2 (Service Ticket - Kerberos), 3 (Identity Token - OIDC), 4 (Refresh Token - OIDC), 5 (SAML Assertion), 6 (Client Token - IdP-issued), 7 (API Token - generic API keys), 99 (Other).","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time that the token was created.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"expiration_time":{"type":"timestamp_t","description":"The expiration time of the token.","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"is_renewable":{"type":"boolean_t","description":"Indicates whether the token is renewable.","requirement":"optional","caption":"Renewable","type_name":"Boolean"},"modified_time":{"type":"timestamp_t","description":"The last time the token was updated.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"tenant_uid":{"type":"string_t","description":"The unique identifier of the tenant or organization that owns the token or key, or the tenant context in which the token is authorized for use. This is particularly relevant in multi-tenant Identity Provider scenarios where tokens are scoped to specific tenants.","requirement":"optional","caption":"Tenant UID","type_name":"String"},"zone":{"type":"string_t","description":"The network zone or geographic region that the token or key is authorized to be used from. This may represent network-based access restrictions, geographic limitations, or other zone-based authorization policies. Examples include Okta's network zone restrictions or cloud provider region restrictions.","requirement":"optional","caption":"Network Zone","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time that the token was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"expiration_time_dt":{"type":"datetime_t","description":"The expiration time of the token.","requirement":"optional","profiles":["datetime"],"caption":"Expiration Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The last time the token was updated.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"token","description":"The Token object is the base object for representing tokens, API keys, and authentication credentials used across different contexts. This object provides common attributes for all token types, including protocol-specific authentication tokens (Kerberos, OIDC, SAML) and API/client tokens used for service authentication. When to use this object: Use the base token object directly in API activity events to represent API tokens, client tokens, or API keys used to authenticate API requests. Examples include: Okta API tokens, Microsoft Entra ID Application Registration client secrets, Stripe API keys, AWS API keys. When NOT to use this object: Do NOT use the base token object for protocol-specific authentication tokens in authentication events - use authentication_token instead (which extends this object). Do NOT use token for tracking credential lifecycle and usage patterns - use programmatic_credential instead.","extends":"object","profiles":["datetime"],"caption":"Token"},"load_balancer":{"attributes":{"code":{"type":"integer_t","description":"The numeric response status code detailing the connection from the load balancer to the destination target.","requirement":"recommended","caption":"Response Code","type_name":"Integer"},"message":{"type":"string_t","description":"The load balancer message.","requirement":"optional","caption":"Message","type_name":"String"},"name":{"type":"string_t","description":"The name of the load balancer.","requirement":"recommended","caption":"Name","type_name":"String"},"ip":{"type":"ip_t","description":"The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see dst_endpoint.","requirement":"optional","caption":"IP Address","type_name":"IP Address"},"uid":{"type":"string_t","description":"The unique identifier for the load balancer.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"metrics":{"type":"object_t","description":"General purpose metrics associated with the load balancer.","is_array":true,"requirement":"optional","object_type":"metric","caption":"Metrics","object_name":"Metric"},"classification":{"type":"string_t","description":"The request classification as defined by the load balancer.","requirement":"optional","caption":"Classification","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The destination to which the load balancer is distributing traffic.","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"endpoint_connections":{"type":"object_t","description":"An object detailing the load balancer connection attempts and responses.","is_array":true,"requirement":"recommended","object_type":"endpoint_connection","caption":"Endpoint Connections","object_name":"Endpoint Connection"},"error_message":{"type":"string_t","description":"The load balancer error message.","requirement":"optional","caption":"Error Message","type_name":"String"},"status_detail":{"type":"string_t","description":"The status detail contains additional status information about the load balancer distribution event.","requirement":"optional","caption":"Status Detail","type_name":"String"}},"name":"load_balancer","description":"The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["container"],"caption":"Load Balancer"},"url":{"attributes":{"port":{"type":"port_t","description":"The URL port. For example: 80.","requirement":"recommended","caption":"Port","type_name":"Port"},"scheme":{"type":"string_t","description":"The scheme portion of the URL. For example: http, https, ftp, or sftp.","requirement":"recommended","caption":"Scheme","type_name":"String"},"path":{"type":"string_t","description":"The URL path as extracted from the URL. For example: /download/trouble from www.example.com/download/trouble.","requirement":"recommended","caption":"Path","type_name":"String"},"domain":{"type":"string_t","description":"The domain portion of the URL. For example: example.com in https://sub.example.com.","requirement":"optional","caption":"Domain","type_name":"String"},"hostname":{"type":"hostname_t","description":"The URL host as extracted from the URL. For example: www.example.com from www.example.com/download/trouble.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"query_string":{"type":"string_t","description":"The query portion of the URL. For example: the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date.","requirement":"recommended","caption":"HTTP Query String","type_name":"String"},"categories":{"type":"string_t","description":"The Website categorization names, as defined by category_ids enum values.","is_array":true,"requirement":"optional","caption":"Website Categorization","type_name":"String"},"category_ids":{"type":"integer_t","enum":{"30":{"caption":"Art/Culture"},"97":{"caption":"Content Servers"},"57":{"caption":"Remote Access Tools"},"38":{"caption":"Technology/Internet"},"63":{"caption":"Personal Sites"},"29":{"caption":"Charitable Organizations"},"83":{"caption":"Peer-to-Peer (P2P)"},"45":{"caption":"Job Search/Careers"},"40":{"caption":"Search Engines/Portals"},"112":{"caption":"Media Sharing"},"22":{"caption":"Alternative Spirituality/Belief"},"56":{"caption":"File Storage/Sharing"},"51":{"caption":"Chat (IM)/SMS"},"61":{"caption":"Society/Daily Living"},"101":{"caption":"Spam"},"47":{"caption":"Personals/Dating"},"96":{"caption":"Non-Viewable/Infrastructure"},"33":{"caption":"Games"},"59":{"caption":"Auctions"},"53":{"caption":"Newsgroups/Forums"},"1":{"caption":"Adult/Mature Content"},"99":{"description":"The Domain/URL category is not mapped. See the categories attribute, which contains a data source specific value.","caption":"Other"},"68":{"caption":"Humor/Jokes"},"92":{"caption":"Suspicious"},"20":{"caption":"Entertainment"},"54":{"caption":"Religion"},"107":{"caption":"Informational"},"3":{"caption":"Pornography"},"15":{"caption":"Weapons"},"34":{"caption":"Government/Legal"},"103":{"caption":"Dynamic DNS Host"},"50":{"caption":"Mixed Content/Potentially Adult"},"110":{"caption":"Internet Telephony"},"106":{"caption":"E-Card/Invitations"},"93":{"caption":"Sexual Expression"},"64":{"caption":"Restaurants/Dining/Food"},"25":{"caption":"Controlled Substances"},"86":{"caption":"Proxy Avoidance"},"87":{"caption":"For Kids"},"71":{"caption":"Software Downloads"},"49":{"caption":"Reference"},"37":{"caption":"Health"},"114":{"caption":"TV/Video Streams"},"121":{"caption":"Marijuana"},"118":{"caption":"Piracy/Copyright Concerns"},"98":{"caption":"Placeholders"},"16":{"caption":"Abortion"},"27":{"caption":"Education"},"7":{"caption":"Extreme"},"23":{"caption":"Alcohol"},"32":{"caption":"Brokerage/Trading"},"18":{"caption":"Phishing"},"36":{"caption":"Political/Social Advocacy"},"113":{"caption":"Radio/Audio Streams"},"90":{"caption":"Uncategorized"},"84":{"caption":"Audio/Video Clips"},"17":{"caption":"Hacking"},"26":{"caption":"Child Pornography"},"35":{"caption":"Military"},"4":{"caption":"Sex Education"},"65":{"caption":"Sports/Recreation"},"95":{"caption":"Translation"},"43":{"caption":"Malicious Sources/Malnets"},"21":{"caption":"Business/Economy"},"67":{"caption":"Vehicles"},"52":{"caption":"Email"},"14":{"caption":"Violence/Hate/Racism"},"85":{"caption":"Office/Business Applications"},"55":{"caption":"Social Networking"},"6":{"caption":"Nudity"},"0":{"description":"The Domain/URL category is unknown.","caption":"Unknown"},"44":{"caption":"Malicious Outbound Data/Botnets"},"11":{"caption":"Gambling"},"109":{"caption":"Internet Connected Devices"},"88":{"caption":"Web Ads/Analytics"},"9":{"caption":"Scam/Questionable/Illegal"},"5":{"caption":"Intimate Apparel/Swimsuit"},"31":{"caption":"Financial Services"},"60":{"caption":"Real Estate"},"89":{"caption":"Web Hosting"},"24":{"caption":"Tobacco"},"66":{"caption":"Travel"},"111":{"caption":"Online Meetings"},"102":{"caption":"Potentially Unwanted Software"},"46":{"caption":"News/Media"},"108":{"caption":"Computer/Information Security"},"58":{"caption":"Shopping"}},"description":"The Website categorization identifiers.","is_array":true,"requirement":"recommended","caption":"Website Categorization IDs","sibling":"categories","type_name":"Integer"},"resource_type":{"type":"string_t","description":"The context in which a resource was retrieved in a web request.","requirement":"optional","caption":"Resource Type","type_name":"String"},"subdomain":{"type":"string_t","description":"The subdomain portion of the URL. For example: sub in https://sub.example.com or sub2.sub1 in https://sub2.sub1.example.com.","requirement":"optional","caption":"Subdomain","type_name":"String"},"url_string":{"type":"url_t","description":"The URL string. See RFC 1738. For example: http://www.example.com/download/trouble.exe. Note: The URL path should not populate the URL string.","requirement":"recommended","caption":"URL String","type_name":"URL String"}},"name":"url","description":"The Uniform Resource Locator (URL) object describes the characteristics of a URL.","extends":"object","constraints":{"at_least_one":["url_string","path"]},"references":[{"description":"Defined in RFC 1738","url":"https://datatracker.ietf.org/doc/html/rfc1738"},{"description":"D3FEND™ Ontology d3f:URL","url":"https://d3fend.mitre.org/dao/artifact/d3f:URL/"}],"caption":"Uniform Resource Locator","observable":23},"cis_csc":{"attributes":{"control":{"type":"string_t","description":"A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.","requirement":"required","caption":"Security Control","type_name":"String"},"version":{"type":"string_t","description":"The CIS critical security control version.","requirement":"recommended","caption":"Version","type_name":"String"}},"name":"cis_csc","description":"The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC). Prioritized set of actions to protect your organization and data from cyber-attack vectors.","extends":"object","caption":"CIS CSC","@deprecated":{"message":"Use the cis_control object instead.","since":"1.5.0"}},"win/win_resource":{"attributes":{"data":{"type":"json_t","description":"Additional data describing the resource.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the resource object.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the Windows resource object.","requirement":"optional","caption":"Type","type_name":"String"},"uid":{"type":"resource_uid_t","description":"The Windows provided handle identifier for the resource object","requirement":"recommended","caption":"Unique ID","type_name":"Resource UID"},"labels":{"type":"string_t","description":"The list of labels associated to the resource.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"details":{"type":"string_t","description":"The string detailing the attributes of the resource object.","requirement":"optional","caption":"Details","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the resource.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"type_id":{"type":"integer_t","enum":{"30":{"caption":"Port"},"38":{"references":[{"description":"Atom Types","url":"https://learn.microsoft.com/en-us/windows/win32/dataxchg/about-atom-tables#atom-types"}],"caption":"Atom"},"29":{"references":[{"description":"Job objects and CreateJobObject Function","url":"https://learn.microsoft.com/en-us/windows/win32/procthread/job-objects"}],"caption":"Job"},"40":{"references":[{"description":"Windows Filtering Platform (WFP) Object Model","url":"https://learn.microsoft.com/en-us/windows/win32/fwp/object-model"}],"caption":"WFP Callout"},"22":{"references":[{"description":"Desktop objects","url":"https://learn.microsoft.com/en-us/windows/win32/winstation/desktops"}],"caption":"Desktop"},"19":{"references":[{"description":"WMI Class Qualifiers","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/wmi-class-qualifiers"}],"caption":"WmiGuid"},"8":{"references":[{"description":"Access Tokens and Token objects","url":"https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens"}],"caption":"Token"},"13":{"caption":"FilterCommunicationPort"},"33":{"references":[{"description":"Security Account Manager (SAM) objects","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sam"}],"caption":"SAM_ALIAS"},"10":{"references":[{"description":"Section object","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/section-objects-and-views"}],"caption":"Section"},"1":{"references":[{"description":"Object Manager Directory Objects","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/object-directories"}],"caption":"Directory"},"99":{"description":"The resource object type is not mapped. See the type attribute, which may contain a data source specific value.","caption":"Other"},"20":{"references":[{"description":"Process objects and CreateProcess Function","url":"https://learn.microsoft.com/en-us/windows/win32/procthread/creating-processes"}],"caption":"Process"},"3":{"references":[{"description":"Timer Objects and CreateWaitableTimer Function","url":"https://learn.microsoft.com/en-us/windows/win32/sync/waitable-timer-objects"}],"caption":"Timer"},"15":{"references":[{"description":"Driver objects","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-driver-objects"}],"caption":"Driver"},"34":{"references":[{"description":"Security Account Manager (SAM) objects","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sam"}],"caption":"SAM_GROUP"},"42":{"references":[{"description":"Windows Filtering Platform (WFP) Object Model","url":"https://learn.microsoft.com/en-us/windows/win32/fwp/object-model"}],"caption":"WFP Sub-layer"},"2":{"references":[{"description":"Event Objects and CreateEvent Function","url":"https://learn.microsoft.com/en-us/windows/win32/sync/event-objects"}],"caption":"Event"},"25":{"caption":"Key"},"37":{"references":[{"description":"Security Account Manager (SAM) Server","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/c-samserver"}],"caption":"SAM_SERVER"},"16":{"references":[{"description":"I/O Completion Ports","url":"https://learn.microsoft.com/en-us/windows/win32/fileio/i-o-completion-ports"}],"caption":"IoCompletion"},"39":{"references":[{"description":"Windows Filtering Platform (WFP) Object Model","url":"https://learn.microsoft.com/en-us/windows/win32/fwp/object-model"}],"caption":"WFP Filter"},"27":{"references":[{"description":"Callback objects","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/callback-objects"}],"caption":"Callback"},"7":{"references":[{"description":"File objects","url":"https://learn.microsoft.com/en-us/windows/win32/fileio/file-objects"}],"caption":"File"},"23":{"references":[{"description":"NTAPI Keyed Events","url":"http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FKeyedEvent%2FNtCreateKeyedEvent.html"}],"caption":"KeyedEvent"},"32":{"references":[{"description":"Advanced Local Procedure Call (ALPC) Class","url":"https://learn.microsoft.com/en-us/windows/win32/etw/alpc"}],"caption":"ALPC Port"},"18":{"references":[{"description":"mklink function","url":"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mklink"}],"caption":"SymbolicLink"},"36":{"references":[{"description":"Security Account Manager (SAM) Domain","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/c-samdomain"}],"caption":"SAM_DOMAIN"},"17":{"references":[{"description":"Controller objects","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-controller-objects"}],"caption":"Controller"},"26":{"caption":"WaitablePort"},"35":{"references":[{"description":"Security Account Manager (SAM) objects","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sam"}],"caption":"SAM_USER"},"4":{"references":[{"description":"Device Objects and I/O Manager","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/device-objects-and-device-stacks"}],"caption":"Device"},"43":{"references":[{"description":"Windows Filtering Platform (WFP) Object Model","url":"https://learn.microsoft.com/en-us/windows/win32/fwp/object-model"}],"caption":"WFP Provider"},"21":{"references":[{"description":"User Profile objects","url":"https://learn.microsoft.com/en-us/windows/win32/shell/user-profiles"}],"caption":"Profile"},"41":{"references":[{"description":"Windows Filtering Platform (WFP) Object Model","url":"https://learn.microsoft.com/en-us/windows/win32/fwp/object-model"}],"caption":"WFP Layer"},"14":{"caption":"EventPair"},"28":{"references":[{"description":"Semaphore objects and CreateSemaphore Function","url":"https://learn.microsoft.com/en-us/windows/win32/sync/semaphore-objects"}],"caption":"Semaphore"},"6":{"caption":"Type"},"0":{"description":"The resource object type is unknown.","caption":"Unknown"},"44":{"references":[{"description":"Windows Filtering Platform (WFP) Object Model","url":"https://learn.microsoft.com/en-us/windows/win32/fwp/object-model"}],"caption":"WFP Provider Context"},"11":{"references":[{"description":"Window Station objects","url":"https://learn.microsoft.com/en-us/windows/win32/winstation/window-stations"}],"caption":"WindowStation"},"9":{"references":[{"description":"Thread Objects and CreateThread Function","url":"https://learn.microsoft.com/en-us/windows/win32/procthread/creating-threads"}],"caption":"Thread"},"5":{"references":[{"description":"Mutex Objects and CreateMutex Function","url":"https://learn.microsoft.com/en-us/windows/win32/sync/mutex-objects"}],"caption":"Mutant"},"12":{"caption":"DebugObject"},"31":{"caption":"FilterConnectionPort"},"24":{"references":[{"description":"Adapter objects","url":"https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/adapter-objects-and-dma"}],"caption":"Adapter"}},"description":"The normalized type identifier of the Windows resource object accessed.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time when the resource was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"modified_time":{"type":"timestamp_t","description":"The time when the resource was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"svc_name":{"type":"string_t","description":"The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.","requirement":"optional","caption":"Service Name","type_name":"String"},"uid_alt":{"type":"resource_uid_t","description":"The alternative unique identifier of the resource.","requirement":"optional","caption":"Alternate ID","type_name":"Resource UID"},"created_time_dt":{"type":"datetime_t","description":"The time when the resource was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The time when the resource was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"win_resource","description":"The Windows resource object describes a resource object managed by Windows, such as mutant or timer.","extension":"win","extends":"_resource","constraints":{"at_least_one":["name","uid"]},"extension_id":2,"profiles":["data_classification","datetime"],"caption":"Windows Resource"},"service":{"attributes":{"name":{"type":"string_t","description":"The name of the service.","requirement":"recommended","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The version of the service.","requirement":"recommended","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the service.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"labels":{"type":"string_t","description":"The list of labels associated with the service.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the service.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"}},"name":"service","description":"The Service object describes characteristics of a service, e.g. AWS EC2. ","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:ServiceApplication.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ServiceApplication/"}],"caption":"Service"},"response":{"attributes":{"error":{"type":"string_t","description":"Error Code","requirement":"recommended","caption":"Error Code","type_name":"String"},"code":{"type":"integer_t","description":"The numeric response sent to a request.","requirement":"recommended","caption":"Response Code","type_name":"Integer"},"data":{"type":"json_t","description":"The additional data that is associated with the api response.","requirement":"optional","caption":"Data","type_name":"JSON"},"flags":{"type":"string_t","description":"The communication flags that are associated with the api response.","is_array":true,"requirement":"optional","caption":"Flags","type_name":"String"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","requirement":"recommended","caption":"Message","type_name":"String"},"containers":{"type":"object_t","description":"When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.","is_array":true,"requirement":"optional","object_type":"container","caption":"Containers","object_name":"Container"},"error_message":{"type":"string_t","description":"Error Message","requirement":"recommended","caption":"Error Message","type_name":"String"}},"name":"response","description":"The Response Elements object describes characteristics of an API response.","extends":"object","caption":"Response Elements"},"assessment":{"attributes":{"name":{"type":"string_t","description":"The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState.","requirement":"recommended","caption":"Name","type_name":"String"},"desc":{"type":"string_t","description":"The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.","requirement":"recommended","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the configuration or signal being assessed. For example: the signal_id.","requirement":"optional","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The category that the assessment is part of. For example: Prevention or Windows 10.","requirement":"optional","caption":"Category","type_name":"String"},"meets_criteria":{"type":"boolean_t","description":"Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a Datastore is encrypted or not, having encryption would be evaluated as true.","requirement":"required","caption":"Meets Criteria","type_name":"Boolean"},"policy":{"type":"object_t","description":"The details of any policy associated with an assessment.","requirement":"optional","object_type":"policy","caption":"Assessment Policy","object_name":"Policy"}},"name":"assessment","description":"The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera, or capture details of Microsoft Intune configuration policies.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Assessment"},"environment_variable":{"attributes":{"name":{"type":"string_t","description":"The name of the environment variable.","requirement":"required","caption":"Name","type_name":"String"},"value":{"type":"string_t","description":"The value of the environment variable.","requirement":"required","caption":"Value","type_name":"String"}},"name":"environment_variable","description":"An environment variable.","extends":"object","caption":"Environment Variable"},"database":{"attributes":{"name":{"type":"string_t","description":"The database name, ordinarily as assigned by a database administrator.","requirement":"recommended","caption":"Name","type_name":"String"},"size":{"type":"long_t","description":"The size of the database in bytes.","requirement":"optional","caption":"Size","type_name":"Long"},"type":{"type":"string_t","description":"The database type.","requirement":"recommended","caption":"Type","type_name":"String"},"desc":{"type":"string_t","description":"The description of the database.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the database.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"groups":{"type":"object_t","description":"The group names to which the database belongs.","is_array":true,"requirement":"optional","object_type":"group","caption":"Groups","object_name":"Group"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Object Oriented"},"6":{"caption":"NoSQL"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"Relational"},"2":{"caption":"Network"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Centralized"},"5":{"caption":"Operational"},"7":{"caption":"Vector"},"8":{"caption":"Knowledge Graph"}},"description":"The normalized identifier of the database type.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time when the database was known to have been created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"embedding_model":{"type":"string_t","description":"Model used for creating embeddings (if applicable). For example: text-embedding-ada-002 or all-MiniLM-L6-v2.","requirement":"optional","caption":"Embedding Model","type_name":"String"},"modified_time":{"type":"timestamp_t","description":"The most recent time when any changes, updates, or modifications were made within the database.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"created_time_dt":{"type":"datetime_t","description":"The time when the database was known to have been created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The most recent time when any changes, updates, or modifications were made within the database.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"database","description":"The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:Database.","url":"https://d3fend.mitre.org/dao/artifact/d3f:Database/"}],"profiles":["data_classification","datetime"],"caption":"Database"},"device":{"attributes":{"is_backed_up":{"type":"boolean_t","description":"Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.","requirement":"optional","caption":"Back Ups Configured","type_name":"Boolean"},"udid":{"type":"string_t","description":"The Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS, tvOS, watchOS and visionOS devices, this is the UDID. For macOS devices, it is the Provisioning UDID. For example: 00008020-008D4548007B4F26","references":[{"description":"Apple Wiki","url":"https://theapplewiki.com/wiki/UDID"}],"requirement":"optional","caption":"Unique Device Identifier","type_name":"String"},"modified_time":{"type":"timestamp_t","description":"The time when the device was last known to have been modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"is_shared":{"type":"boolean_t","description":"The event occurred on a shared device.","requirement":"optional","caption":"Shared Device","type_name":"Boolean"},"boot_time":{"type":"timestamp_t","description":"The time the system was booted.","requirement":"optional","caption":"Boot Time","type_name":"Timestamp"},"zone":{"type":"string_t","description":"The network zone or LAN segment.","requirement":"optional","caption":"Network Zone","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":47},"os":{"type":"object_t","description":"The endpoint operating system.","requirement":"optional","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"vpc_uid":{"type":"string_t","description":"The unique identifier of the Virtual Private Cloud (VPC).","requirement":"optional","caption":"VPC UID","type_name":"String"},"owner":{"type":"object_t","description":"The identity of the service or user account that owns the endpoint or was last logged into it.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"subnet":{"type":"subnet_t","description":"The subnet mask.","requirement":"optional","caption":"Subnet","type_name":"Subnet"},"type":{"type":"string_t","description":"The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.","requirement":"recommended","caption":"Type","type_name":"String"},"is_compliant":{"type":"boolean_t","description":"The event occurred on a compliant device.","requirement":"optional","caption":"Compliant Device","type_name":"Boolean"},"imei":{"type":"string_t","description":"The International Mobile Equipment Identity that is associated with the device.","requirement":"optional","caption":"IMEI","type_name":"String","@deprecated":{"message":"Use the imei_list attribute instead.","since":"1.4.0"}},"container":{"type":"object_t","description":"The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","group":"context","requirement":"recommended","profiles":["container"],"object_type":"container","caption":"Container","object_name":"Container"},"imei_list":{"type":"string_t","description":"The International Mobile Equipment Identity values that are associated with the device.","is_array":true,"requirement":"optional","caption":"IMEI List","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A laptop computer.","caption":"Laptop"},"6":{"description":"A virtual machine.","caption":"Virtual"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A server.","caption":"Server"},"2":{"description":"A desktop computer.","caption":"Desktop"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A tablet computer.","caption":"Tablet"},"5":{"description":"A mobile phone.","caption":"Mobile"},"7":{"description":"An IOT (Internet of Things) device.","caption":"IOT"},"8":{"description":"A web browser.","caption":"Browser"},"9":{"description":"A networking firewall.","caption":"Firewall"},"10":{"description":"A networking switch.","caption":"Switch"},"11":{"description":"A networking hub.","caption":"Hub"},"12":{"description":"A networking router.","caption":"Router"},"14":{"description":"An intrusion prevention system.","caption":"IPS"},"15":{"description":"A Load Balancer device.","caption":"Load Balancer"},"13":{"description":"An intrusion detection system.","caption":"IDS"}},"description":"The device type ID.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"domain":{"type":"string_t","description":"The network domain where the device resides. For example: work.example.com.","requirement":"optional","caption":"Domain","type_name":"String"},"is_mobile_account_active":{"type":"boolean_t","description":"Indicates whether the device has an active mobile account. For example, this is indicated by the itunesStoreAccountActive value within JAMF Pro mobile devices.","requirement":"optional","caption":"Mobile Account Active","type_name":"Boolean"},"pool":{"type":"object_t","description":"The pool of desktops or virtual machines to which the endpoint belongs.","requirement":"optional","object_type":"group","caption":"Pool","object_name":"Group"},"interface_name":{"type":"string_t","description":"The name of the network interface (e.g. eth2).","requirement":"recommended","caption":"Network Interface Name","type_name":"String"},"modified_time_dt":{"type":"datetime_t","description":"The time when the device was last known to have been modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"},"is_managed":{"type":"boolean_t","description":"The event occurred on a managed device.","requirement":"optional","caption":"Managed Device","type_name":"Boolean"},"hypervisor":{"type":"string_t","description":"The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.","requirement":"optional","caption":"Hypervisor","type_name":"String"},"image":{"type":"object_t","description":"The image used as a template to run the virtual machine.","requirement":"optional","object_type":"image","caption":"Image","object_name":"Image"},"eid":{"type":"string_t","description":"An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.","requirement":"optional","caption":"EID","type_name":"String"},"last_seen_time":{"type":"timestamp_t","description":"The most recent discovery time of the device.","requirement":"optional","caption":"Last Seen","type_name":"Timestamp"},"namespace_pid":{"type":"integer_t","description":"If running under a process namespace (such as in a container), the process identifier within that process namespace.","group":"context","requirement":"recommended","profiles":["container"],"caption":"Namespace PID","type_name":"Integer"},"model":{"type":"string_t","description":"The model of the device. For example ThinkPad X1 Carbon.","requirement":"optional","caption":"Model","type_name":"String"},"mac_vendor":{"type":"string_t","description":"The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.","references":[{"description":"IEEE Registration Authority","url":"https://standards.ieee.org/products-programs/regauth/"}],"requirement":"optional","caption":"MAC Vendor","type_name":"String"},"name":{"type":"string_t","description":"The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid. In Linux, this is stored in the file: /etc/machine-id.","requirement":"optional","caption":"OS Machine UUID","type_name":"UUID"},"desc":{"type":"string_t","description":"The description of the device, ordinarily as reported by the operating system.","requirement":"optional","caption":"Description","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the device was known to have been created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"vlan_uid":{"type":"string_t","description":"The Virtual LAN identifier.","requirement":"optional","caption":"VLAN","type_name":"String"},"hostname":{"type":"hostname_t","description":"The device hostname.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"meid":{"type":"string_t","description":"The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.","requirement":"optional","caption":"MEID","type_name":"String"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","requirement":"optional","caption":"Risk Score","type_name":"Integer"},"is_personal":{"type":"boolean_t","description":"The event occurred on a personal device.","requirement":"optional","caption":"Personal Device","type_name":"Boolean"},"first_seen_time":{"type":"timestamp_t","description":"The initial discovery time of the device.","requirement":"optional","caption":"First Seen","type_name":"Timestamp"},"boot_uid":{"type":"string_t","description":"A unique identifier of the device that changes after every reboot. For example, the value of /proc/sys/kernel/random/boot_id from Linux's procfs.","references":[{"description":"Linux kernel's documentation","url":"https://docs.kernel.org/admin-guide/sysctl/kernel.html#random"}],"requirement":"optional","caption":"Boot UID","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time when the device was known to have been created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"uid_alt":{"type":"string_t","description":"An alternate unique identifier of the device if any. For example the ActiveDirectory DN.","requirement":"optional","caption":"Alternate ID","type_name":"String"},"boot_time_dt":{"type":"datetime_t","description":"The time the system was booted.","requirement":"optional","profiles":["datetime"],"caption":"Boot Time","type_name":"Datetime"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","requirement":"optional","caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"requirement":"optional","object_type":"agent","caption":"Agent List","object_name":"Agent"},"is_supervised":{"type":"boolean_t","description":"The event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.","requirement":"optional","caption":"Supervised Device","type_name":"Boolean"},"interface_uid":{"type":"string_t","description":"The unique identifier of the network interface.","requirement":"recommended","caption":"Network Interface ID","type_name":"String"},"hw_info":{"type":"object_t","description":"The endpoint hardware information.","requirement":"optional","object_type":"device_hw_info","caption":"Hardware Info","object_name":"Device Hardware Info"},"groups":{"type":"object_t","description":"The group names to which the device belongs. For example: [\"Windows Laptops\", \"Engineering\"].","is_array":true,"requirement":"optional","object_type":"group","caption":"Groups","object_name":"Group"},"last_seen_time_dt":{"type":"datetime_t","description":"The most recent discovery time of the device.","requirement":"optional","profiles":["datetime"],"caption":"Last Seen","type_name":"Datetime"},"iccid":{"type":"string_t","description":"The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.","requirement":"optional","caption":"ICCID","type_name":"String"},"org":{"type":"object_t","description":"Organization and org unit related to the device.","requirement":"optional","object_type":"organization","caption":"Organization","object_name":"Organization"},"ip":{"type":"ip_t","description":"The device IP address, in either IPv4 or IPv6 format.","requirement":"optional","caption":"IP Address","type_name":"IP Address"},"network_interfaces":{"type":"object_t","description":"The physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.
","is_array":true,"requirement":"optional","object_type":"network_interface","caption":"Network Interfaces","object_name":"Network Interface"},"region":{"type":"string_t","description":"The region where the virtual machine is located. For example, an AWS Region.","requirement":"recommended","caption":"Region","type_name":"String"},"vendor_name":{"type":"string_t","description":"The vendor for the device. For exampleDell or Lenovo.","requirement":"recommended","caption":"Vendor Name","type_name":"String"},"location":{"type":"object_t","description":"The geographical location of the device.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"first_seen_time_dt":{"type":"datetime_t","description":"The initial discovery time of the device.","requirement":"optional","profiles":["datetime"],"caption":"First Seen","type_name":"Datetime"},"autoscale_uid":{"type":"string_t","description":"The unique identifier of the cloud autoscale configuration.","requirement":"optional","caption":"Autoscale UID","type_name":"String"}},"name":"device","description":"The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.","extends":"endpoint","constraints":{"at_least_one":["ip","uid","name","hostname","instance_uid","interface_uid","interface_name"]},"references":[{"description":"D3FEND™ Ontology d3f:Host.","url":"https://d3fend.mitre.org/dao/artifact/d3f:Host/"}],"profiles":["container","datetime"],"caption":"Device","observable":20},"d3f_technique":{"attributes":{"name":{"type":"string_t","description":"The name of the defensive technique. For example: IO Port Restriction.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the defensive technique. For example: D3-IOPR.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"src_url":{"type":"url_t","description":"The versioned permalink of the defensive technique. For example: https://d3fend.mitre.org/technique/d3f:IOPortRestriction/.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"d3f_technique","description":"The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Matrix","url":"href='https://d3fend.mitre.org"}],"caption":"MITRE D3FEND™ Technique"},"cis_control":{"attributes":{"name":{"type":"string_t","description":"The CIS Control name. For example: 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software.","requirement":"required","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The CIS Control version. For example: v8.","requirement":"recommended","caption":"Version","type_name":"String"},"desc":{"type":"string_t","description":"The CIS Control description. For example: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.","requirement":"optional","caption":"Description","type_name":"String"}},"name":"cis_control","description":"The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The CIS Controls are defined by the Center for Internet Security.","extends":"object","caption":"CIS Control"},"cve":{"attributes":{"type":{"type":"string_t","description":"The vulnerability type as selected from a large dropdown menu during CVE refinement.
Most frequently used vulnerability types are:DoS, Code Execution, Overflow, Memory Corruption, Sql Injection, XSS, Directory Traversal, Http Response Splitting, Bypass something, Gain Information, Gain Privileges, CSRF, File Inclusion. For more information see Vulnerabilities By Type distributions.","requirement":"recommended","caption":"Vulnerability Type","type_name":"String"},"title":{"type":"string_t","description":"A title or a brief phrase summarizing the CVE record.","requirement":"recommended","caption":"Title","type_name":"String"},"product":{"type":"object_t","description":"The product where the vulnerability was discovered.","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"desc":{"type":"string_t","description":"A brief description of the CVE Record.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.","requirement":"required","caption":"CVE ID","type_name":"String","observable":18},"references":{"type":"string_t","description":"A list of reference URLs with additional information about the CVE Record.","is_array":true,"requirement":"recommended","caption":"References","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"cvss":{"type":"object_t","description":"The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.","is_array":true,"requirement":"recommended","object_type":"cvss","caption":"CVSS Score","object_name":"CVSS Score"},"cwe":{"type":"object_t","description":"The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.","requirement":"optional","object_type":"cwe","caption":"CWE","@deprecated":{"message":"Use related_cwes attribute instead.","since":"1.4.0"},"object_name":"CWE"},"cwe_uid":{"type":"string_t","description":"The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.","requirement":"optional","caption":"CWE UID","type_name":"String","@deprecated":{"message":"Use the related_cwes object attributes instead.","since":"1.1.0"}},"cwe_url":{"type":"url_t","description":"Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.","requirement":"optional","caption":"CWE URL","type_name":"URL String","@deprecated":{"message":"Use the related_cwes object attributes instead.","since":"1.1.0"}},"epss":{"type":"object_t","description":"The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (EPSS).","requirement":"optional","object_type":"epss","caption":"EPSS","object_name":"EPSS"},"modified_time":{"type":"timestamp_t","description":"The Record Modified Date identifies when the CVE record was last updated.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"related_cwes":{"type":"object_t","description":"Describes the Common Weakness Enumeration (CWE) details related to the CVE Record.","is_array":true,"requirement":"optional","object_type":"cwe","caption":"Related CWEs","object_name":"CWE"},"created_time_dt":{"type":"datetime_t","description":"The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The Record Modified Date identifies when the CVE record was last updated.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"cve","description":"The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in CVE Program catalog (CVE). There is one CVE Record for each vulnerability in the catalog.","extends":"object","profiles":["data_classification","datetime"],"caption":"CVE"},"osint":{"attributes":{"modified_time":{"type":"timestamp_t","description":"The timestamp of the last modification or update to the indicator.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"vulnerabilities":{"type":"object_t","description":"Any vulnerabilities related to an indicator or OSINT analysis.","is_array":true,"requirement":"optional","object_type":"vulnerability","caption":"Related Vulnerabilities","object_name":"Vulnerability Details"},"uid":{"type":"string_t","description":"The unique identifier for the OSINT object.","requirement":"optional","caption":"Unique ID","type_name":"String"},"threat_actor":{"type":"object_t","description":"A threat actor is an individual or group that conducts malicious cyber activities, often with financial, political, or ideological motives.","references":[{"description":"STIX Threat Actor definition","url":"https://stixproject.github.io/data-model/1.2/ta/ThreatActorType/"}],"requirement":"optional","object_type":"threat_actor","caption":"Threat Actor","object_name":"Threat Actor"},"expiration_time":{"type":"timestamp_t","description":"The expiration date of the indicator, after which it is no longer considered reliable.","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"category":{"type":"string_t","description":"Categorizes the threat indicator based on its functional or operational role.","requirement":"optional","caption":"Category","type_name":"String"},"email":{"type":"object_t","description":"Any email information pertinent to an indicator or OSINT analysis.","requirement":"optional","object_type":"email","caption":"Related Email","object_name":"Email"},"kill_chain":{"type":"object_t","description":"Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.","is_array":true,"requirement":"optional","object_type":"kill_chain_phase","caption":"Kill Chain","object_name":"Kill Chain Phase"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","is_array":true,"requirement":"optional","object_type":"malware","caption":"Malware","object_name":"Malware"},"script":{"type":"object_t","description":"Any pertinent script information related to an indicator or OSINT analysis.","requirement":"optional","object_type":"script","caption":"Related Script Data","object_name":"Script"},"subnet":{"type":"subnet_t","description":"A CIDR or network block related to an indicator or OSINT analysis.","requirement":"optional","caption":"Related Subnet","type_name":"Subnet"},"type":{"type":"string_t","description":"The OSINT indicator type.","requirement":"optional","caption":"Type","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A hostname or computer name.","caption":"Hostname"},"6":{"description":"A User Agent typically seen in HTTP request headers.","caption":"User Agent"},"0":{"description":"The indicator type is ambiguous or there is not a related indicator for the OSINT object.","caption":"Unknown"},"1":{"description":"An IPv4 or IPv6 address.","caption":"IP Address"},"2":{"description":"A full-qualified domain name (FQDN), subdomain, or partial domain.","caption":"Domain"},"99":{"description":"The indicator type is not directly listed.","caption":"Other"},"4":{"description":"Any type of hash e.g., MD5, SHA1, SHA2, BLAKE, BLAKE2, SSDEEP, VHASH, etc. generated from a file, malware sample, request header, or otherwise used to identify a pertinent artifact.","caption":"Hash"},"5":{"description":"A Uniform Resource Locator (URL) or Uniform Resource Indicator (URI).","caption":"URL"},"7":{"description":"The serial number, fingerprint, or full content of an X.509 digital certificate.","caption":"Digital Certificate"},"8":{"description":"The contents of an email or any related information to an email object.","caption":"Email"},"9":{"description":"An email address.","caption":"Email Address"},"10":{"description":"A CVE ID, CWE ID, or other identifier for a weakness, exploit, bug, or misconfiguration.","caption":"Vulnerability"},"11":{"description":"A file or metadata about a file.","caption":"File"},"12":{"description":"A Windows Registry Key.","caption":"Registry Key"},"14":{"description":"A partial or full Command Line used to invoke scripts or other remote commands.","caption":"Command Line"},"13":{"description":"A Windows Registry Value.","caption":"Registry Value"}},"description":"The OSINT indicator type ID.","requirement":"required","caption":"Indicator Type ID","sibling":"type","type_name":"Integer"},"detection_pattern_type":{"type":"string_t","description":"The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Detection Pattern","type_name":"String"},"modified_time_dt":{"type":"datetime_t","description":"The timestamp of the last modification or update to the indicator.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"},"labels":{"type":"string_t","description":"Tags or keywords associated with the indicator to enhance searchability.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"detection_pattern":{"type":"string_t","description":"The specific detection pattern or signature associated with the indicator.","requirement":"optional","caption":"Detection Pattern","type_name":"String"},"signatures":{"type":"object_t","description":"Any digital signatures or hashes related to an indicator or OSINT analysis.","is_array":true,"requirement":"optional","object_type":"digital_signature","caption":"Related Digital Signatures","object_name":"Digital Signature"},"name":{"type":"string_t","description":"The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name.","requirement":"optional","caption":"Name","type_name":"String"},"intrusion_sets":{"type":"string_t","description":"A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.","is_array":true,"requirement":"optional","caption":"Intrusion Sets","type_name":"String"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.","requirement":"recommended","caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"attacks":{"type":"object_t","description":"MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"uploaded_time_dt":{"type":"datetime_t","description":"The timestamp indicating when the associated indicator or intelligence was added to the system or repository.","requirement":"optional","profiles":["datetime"],"caption":"Uploaded Time","type_name":"Datetime"},"references":{"type":"string_t","description":"Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI.","is_array":true,"requirement":"optional","caption":"References","type_name":"String"},"answers":{"type":"object_t","description":"Any pertinent DNS answers information related to an indicator or OSINT analysis.","is_array":true,"requirement":"optional","object_type":"dns_answer","caption":"Related DNS Answers","object_name":"DNS Answer"},"desc":{"type":"string_t","description":"A detailed explanation of the indicator, including its context, purpose, and relevance.","requirement":"optional","caption":"Description","type_name":"String"},"src_url":{"type":"url_t","description":"The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"created_time":{"type":"timestamp_t","description":"The timestamp when the indicator was initially created or identified.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"campaign":{"type":"object_t","description":"The campaign object describes details about the campaign that was the source of the activity.","requirement":"optional","object_type":"campaign","caption":"Campaign","object_name":"Campaign"},"risk_score":{"type":"integer_t","description":"A numerical representation of the threat indicator’s risk level.","requirement":"optional","caption":"Risk Score","type_name":"Integer"},"created_time_dt":{"type":"datetime_t","description":"The timestamp when the indicator was initially created or identified.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"autonomous_system":{"type":"object_t","description":"Any pertinent autonomous system information related to an indicator or OSINT analysis.","requirement":"optional","object_type":"autonomous_system","caption":"Autonomous System","object_name":"Autonomous System"},"uploaded_time":{"type":"timestamp_t","description":"The timestamp indicating when the associated indicator or intelligence was added to the system or repository.","requirement":"optional","caption":"Uploaded Time","type_name":"Timestamp"},"subdomains":{"type":"string_t","description":"Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.","is_array":true,"requirement":"optional","caption":"Related Subdomains","type_name":"String"},"whois":{"type":"object_t","description":"Any pertinent WHOIS information related to an indicator or OSINT analysis.","requirement":"optional","object_type":"whois","caption":"WHOIS","object_name":"WHOIS"},"reputation":{"type":"object_t","description":"Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.","requirement":"optional","object_type":"reputation","caption":"Reputation Scores","object_name":"Reputation"},"value":{"type":"string_t","description":"The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.","requirement":"required","caption":"Indicator","type_name":"String"},"detection_pattern_type_id":{"type":"integer_t","enum":{"3":{"caption":"SIGMA"},"6":{"caption":"YARA"},"0":{"description":"The type is not mapped.","caption":"Unknown"},"1":{"caption":"STIX"},"2":{"caption":"PCRE"},"99":{"description":"The detection pattern type is not mapped. See the detection_pattern_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Snort"},"5":{"caption":"Suricata"}},"description":"Specifies the type of detection pattern used to identify the associated threat indicator.","requirement":"optional","caption":"Detection Pattern Type ID","sibling":"detection_pattern_type","type_name":"Integer"},"creator":{"type":"object_t","description":"The identifier of the user, system, or organization that contributed the indicator.","requirement":"optional","object_type":"user","caption":"Creator","object_name":"User"},"tlp":{"type":"string_t","enum":{"AMBER":{"description":"TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.","caption":"TLP:AMBER"},"AMBER STRICT":{"description":"TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.","caption":"TLP:AMBER+STRICT"},"CLEAR":{"description":"TLP:CLEAR denotes that recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.","caption":"TLP:CLEAR"},"GREEN":{"description":"TLP:GREEN is for limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.","caption":"TLP:GREEN"},"RED":{"description":"TLP:RED is for the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.","caption":"TLP:RED"},"WHITE":{"description":"TLP:WHITE and TLP:CLEAR may be used interchangeably, TLP:WHITE is the most up to date (as of TLP 2.0) usage.","caption":"TLP:WHITE"}},"description":"The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.","requirement":"recommended","caption":"Traffic Light Protocol","type_name":"String"},"email_auth":{"type":"object_t","description":"Any email authentication information pertinent to an indicator or OSINT analysis.","requirement":"optional","object_type":"email_auth","caption":"Related Email Authentication","object_name":"Email Authentication"},"confidence":{"type":"string_t","description":"The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.","requirement":"optional","caption":"Confidence","type_name":"String"},"comment":{"type":"string_t","description":"Analyst commentary or source commentary about an indicator or OSINT analysis.","requirement":"optional","caption":"Analyst Comments","type_name":"String"},"expiration_time_dt":{"type":"datetime_t","description":"The expiration date of the indicator, after which it is no longer considered reliable.","requirement":"optional","profiles":["datetime"],"caption":"Expiration Time","type_name":"Datetime"},"related_analytics":{"type":"object_t","description":"Any analytics related to an indicator or OSINT analysis.","is_array":true,"requirement":"optional","object_type":"analytic","caption":"Related Analytics","object_name":"Analytic"},"external_uid":{"type":"string_t","description":"A unique identifier assigned by an external system for cross-referencing.","requirement":"optional","caption":"External ID","type_name":"String"},"vendor_name":{"type":"string_t","description":"The vendor name of a tool which generates intelligence or provides indicators.","requirement":"optional","caption":"Vendor Name","type_name":"String"},"location":{"type":"object_t","description":"Any pertinent geolocation information related to an indicator or OSINT analysis.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"file":{"type":"object_t","description":"Any pertinent file information related to an indicator or OSINT analysis.","requirement":"optional","object_type":"file","caption":"Related File","object_name":"File"},"severity":{"type":"string_t","description":"Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.","requirement":"optional","caption":"Severity","type_name":"String"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized severity level of the threat indicator, typically reflecting its potential impact or damage.","requirement":"optional","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"osint","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","extends":"object","profiles":["data_classification","datetime"],"caption":"OSINT"},"tls":{"attributes":{"version":{"type":"string_t","description":"The TLS protocol version.","requirement":"required","caption":"Version","type_name":"String"},"alert":{"type":"integer_t","description":"The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.","requirement":"optional","caption":"Client TLS Alert","type_name":"Integer"},"key_length":{"type":"integer_t","description":"The length of the encryption key.","requirement":"optional","caption":"Key Length","type_name":"Integer"},"certificate":{"type":"object_t","description":"The certificate object containing information about the digital certificate.","requirement":"recommended","object_type":"certificate","caption":"Certificate","object_name":"Digital Certificate"},"cipher":{"type":"string_t","description":"The negotiated cipher suite.","requirement":"recommended","caption":"Cipher Suite","type_name":"String"},"sni":{"type":"string_t","description":" The Server Name Indication (SNI) extension sent by the client.","requirement":"recommended","caption":"Server Name Indication","type_name":"String"},"certificate_chain":{"type":"string_t","description":"The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.","is_array":true,"requirement":"recommended","caption":"Certificate Chain","type_name":"String"},"client_ciphers":{"type":"string_t","description":"The client cipher suites that were exchanged during the TLS handshake negotiation.","is_array":true,"requirement":"recommended","caption":"Client Cipher Suites","type_name":"String"},"extension_list":{"type":"object_t","description":"The list of TLS extensions.","is_array":true,"requirement":"optional","object_type":"tls_extension","caption":"Extension List","@deprecated":{"message":"Use the tls_extension_list attribute instead.","since":"1.1.0"},"object_name":"TLS Extension"},"handshake_dur":{"type":"integer_t","description":"The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.","requirement":"optional","caption":"Handshake Duration","type_name":"Integer"},"ja3_hash":{"type":"object_t","description":"The MD5 hash of a JA3 string.","requirement":"recommended","object_type":"fingerprint","caption":"JA3 Hash","object_name":"Fingerprint"},"ja3s_hash":{"type":"object_t","description":"The MD5 hash of a JA3S string.","requirement":"recommended","object_type":"fingerprint","caption":"JA3S Hash","object_name":"Fingerprint"},"sans":{"type":"object_t","description":"The list of subject alternative names that are secured by a specific certificate.","is_array":true,"requirement":"optional","object_type":"san","caption":"Subject Alternative Names","@deprecated":{"message":"Use tls.certificate.sans attribute instead.","since":"1.4.0"},"object_name":"Subject Alternative Name"},"server_ciphers":{"type":"string_t","description":"The server cipher suites that were exchanged during the TLS handshake negotiation.","is_array":true,"requirement":"optional","caption":"Server Cipher Suites","type_name":"String"},"tls_extension_list":{"type":"object_t","description":"The list of TLS extensions.","is_array":true,"requirement":"optional","object_type":"tls_extension","caption":"TLS Extension List","object_name":"TLS Extension"}},"name":"tls","description":"The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an establish network connection.","extends":"object","caption":"Transport Layer Security (TLS)"},"actor":{"attributes":{"process":{"type":"object_t","description":"The process that initiated the activity.","requirement":"recommended","object_type":"process","caption":"Process","object_name":"Process"},"session":{"type":"object_t","description":"The user session from which the activity was initiated.","requirement":"optional","object_type":"session","caption":"Session","object_name":"Session"},"user":{"type":"object_t","description":"The user that initiated the activity or the user context from which the activity was initiated.","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"app_name":{"type":"string_t","description":"The client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process if present.","requirement":"optional","caption":"Application Name","type_name":"String"},"app_uid":{"type":"string_t","description":"The unique identifier of the client application or service that initiated the activity. This can be in conjunction with the user if present. Note that app_name is distinct from the process.pid or process.uid if present.","requirement":"optional","caption":"Application ID","type_name":"String"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","is_array":true,"requirement":"optional","object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"idp":{"type":"object_t","description":"This object describes details about the Identity Provider used.","requirement":"optional","object_type":"idp","caption":"Identity Provider","object_name":"Identity Provider"},"invoked_by":{"type":"string_t","description":"The name of the service that invoked the activity as described in the event.","requirement":"optional","caption":"Invoked by","type_name":"String","@deprecated":{"message":"Use app_name, app_uid attributes instead.","since":"1.2.0"}}},"name":"actor","description":"The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.","extends":"object","constraints":{"at_least_one":["process","user","invoked_by","session","app_name","app_uid"]},"references":[{"description":"D3FEND™ Ontology d3f:Agent.","url":"https://next.d3fend.mitre.org/agent/d3f:Agent/"}],"profiles":["container","data_classification","linux/linux_users","macos/macos_users"],"caption":"Actor"},"cis_benchmark_result":{"attributes":{"name":{"type":"string_t","description":"The CIS benchmark name.","requirement":"required","caption":"Name","type_name":"String"},"desc":{"type":"string_t","description":"The CIS benchmark description.","requirement":"optional","caption":"Description","type_name":"String"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"rule":{"type":"object_t","description":"The CIS benchmark rule.","requirement":"optional","object_type":"rule","caption":"Rule","object_name":"Rule"}},"name":"cis_benchmark_result","description":"The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result. CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.","extends":"object","profiles":["data_classification"],"caption":"CIS Benchmark Result","@deprecated":{"message":"Use the Compliance object with Checks object instead.","since":"1.5.0"}},"transformation_info":{"attributes":{"name":{"type":"string_t","description":"The name of the transformation or mapping.","requirement":"recommended","caption":"Name","type_name":"String"},"time":{"type":"timestamp_t","description":"Time of the transformation.","requirement":"recommended","caption":"Event Time","type_name":"Timestamp"},"product":{"type":"object_t","description":"The product or instance used to make the transformation","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"uid":{"type":"string_t","description":"The unique identifier of the mapping or transformation.","requirement":"optional","caption":"Unique ID","type_name":"String"},"lang":{"type":"string_t","description":"The transformation language used to transform the data.","requirement":"optional","caption":"Language","type_name":"String"},"url_string":{"type":"url_t","description":"The Uniform Resource Locator String where the mapping or transformation exists.","requirement":"recommended","caption":"URL String","type_name":"URL String"},"time_dt":{"type":"datetime_t","description":"Time of the transformation.","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"}},"name":"transformation_info","description":"The transformation_info object represents the mapping or transformation used.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["data_classification","datetime"],"caption":"Transformation Info"},"domain_contact":{"attributes":{"name":{"type":"string_t","description":"The individual or organization name for the contact.","requirement":"optional","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The Domain Contact type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source","requirement":"optional","caption":"Domain Contact Type","type_name":"String"},"location":{"type":"object_t","description":"Location details for the contract such as the city, state/province, country, etc.","requirement":"recommended","object_type":"location","caption":"Contact Location Information","object_name":"Geo Location"},"uid":{"type":"string_t","description":"The unique identifier of the contact information, typically provided in WHOIS information.","requirement":"optional","caption":"Unique ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"The contact information provided is for the domain technical lead.","caption":"Technical"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"The contact information provided is for the domain registrant.","caption":"Registrant"},"2":{"description":"The contact information provided is for the domain administrator.","caption":"Administrative"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The contact information provided is for the domain billing lead.","caption":"Billing"},"5":{"description":"The contact information provided is for the domain abuse contact.","caption":"Abuse"}},"description":"The normalized domain contact type ID.","requirement":"required","caption":"Domain Contact Type ID","sibling":"type","type_name":"Integer"},"email_addr":{"type":"email_t","description":"The user's primary email address.","requirement":"recommended","caption":"Contact Email","type_name":"Email Address"},"phone_number":{"type":"string_t","description":"The number associated with the phone.","requirement":"optional","caption":"Phone Number","type_name":"String"}},"name":"domain_contact","description":"The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.","extends":"object","caption":"Domain Contact"},"programmatic_credential":{"attributes":{"type":{"type":"string_t","description":"The type or category of programmatic credential, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. Examples include 'API Key', 'Service Account Key', 'Access Token', 'Client Certificate', 'OAuth Token', 'Personal Access Token', etc.","requirement":"recommended","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the programmatic credential. This could be an API key ID, service account key ID, access token identifier, certificate serial number, or other unique identifier that distinguishes this credential from others. Examples: AWS Access Key ID, GCP Service Account Key ID, Azure Application ID, or OAuth2 token identifier.","requirement":"required","caption":"Unique ID","type_name":"String"},"last_used_time":{"type":"timestamp_t","description":"The timestamp when this programmatic credential was last used for authentication or API access. This helps track credential usage patterns, identify dormant credentials that may pose security risks, and support credential lifecycle management. The timestamp should reflect the most recent successful authentication or API call using this credential.","requirement":"optional","caption":"Last Used Time","type_name":"Timestamp"},"last_used_time_dt":{"type":"datetime_t","description":"The timestamp when this programmatic credential was last used for authentication or API access. This helps track credential usage patterns, identify dormant credentials that may pose security risks, and support credential lifecycle management. The timestamp should reflect the most recent successful authentication or API call using this credential.","requirement":"optional","profiles":["datetime"],"caption":"Last Used Time","type_name":"Datetime"}},"name":"programmatic_credential","description":"The Programmatic Credential object describes service-specific credentials used for direct API access and system integration. These credentials are typically issued by individual services or platforms for accessing their APIs and resources, focusing on credential lifecycle management and usage tracking. Examples include API keys, service account keys, client certificates, and vendor-specific access tokens.","extends":"object","profiles":["datetime"],"caption":"Programmatic Credential"},"dns_answer":{"attributes":{"flags":{"type":"string_t","description":"The list of DNS answer header flags.","is_array":true,"requirement":"optional","caption":"DNS Header Flags","type_name":"String"},"type":{"type":"string_t","description":"The type of data contained in this resource record. See RFC1035. For example: CNAME.","requirement":"recommended","caption":"Resource Record Type","type_name":"String"},"ttl":{"type":"integer_t","description":"The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.","requirement":"recommended","caption":"TTL","type_name":"Integer"},"class":{"type":"string_t","description":"The class of DNS data contained in this resource record. See RFC1035. For example: IN.","requirement":"recommended","caption":"Resource Record Class","type_name":"String"},"flag_ids":{"type":"integer_t","enum":{"3":{"caption":"Recursion Desired"},"6":{"caption":"Checking Disabled"},"0":{"description":"The flag is unknown.","caption":"Unknown"},"1":{"caption":"Authoritative Answer"},"2":{"caption":"Truncated Response"},"99":{"description":"The flag is not mapped. See the flags attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Recursion Available"},"5":{"caption":"Authentic Data"}},"description":"The list of DNS answer header flag IDs.","is_array":true,"requirement":"recommended","caption":"DNS Header Flags","sibling":"flags","type_name":"Integer"},"packet_uid":{"type":"integer_t","description":"The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.","requirement":"recommended","caption":"Packet UID","type_name":"Integer"},"rdata":{"type":"string_t","description":"The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.","requirement":"required","caption":"DNS RData","type_name":"String"}},"name":"dns_answer","description":"The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation. It encapsulates the relevant details and data returned by the DNS server in response to a query.","extends":"_dns","references":[{"description":"D3FEND™ Ontology d3f:InboundInternetDNSResponseTraffic.","url":"https://d3fend.mitre.org/dao/artifact/d3f:InboundInternetDNSResponseTraffic/"}],"caption":"DNS Answer"},"metric":{"attributes":{"name":{"type":"string_t","description":"The name of the metric.","requirement":"required","caption":"Name","type_name":"String"},"value":{"type":"string_t","description":"The value of the metric.","requirement":"required","caption":"Value","type_name":"String"}},"name":"metric","description":"The Metric object defines a simple name/value pair entity for a metric.","extends":"object","caption":"Metric"},"data_classification":{"attributes":{"size":{"type":"long_t","description":"Size of the data classified.","requirement":"optional","caption":"Size","type_name":"Long"},"status":{"type":"string_t","description":"The resultant status of the classification job normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.","requirement":"recommended","caption":"Status","type_name":"String"},"total":{"type":"integer_t","description":"The total count of discovered entities, by the classification job.","requirement":"optional","caption":"Total","type_name":"Integer"},"uid":{"type":"string_t","description":"The unique identifier of the classification job.","requirement":"optional","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.","requirement":"optional","caption":"Category","type_name":"String"},"category_id":{"type":"integer_t","enum":{"3":{"description":"Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc.","caption":"Financial"},"6":{"description":"Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc.","caption":"Security"},"0":{"description":"The type is not mapped. See the data_type attribute, which contains a data source specific value.","caption":"Unknown"},"1":{"description":"Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc.","caption":"Personal"},"2":{"description":"Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc.","caption":"Governmental"},"99":{"description":"Any other type of data classification or a multi-variate classification made up of several other classification categories.","caption":"Other"},"4":{"description":"Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar.","caption":"Business"},"5":{"description":"Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data.","caption":"Military and Law Enforcement"}},"description":"The normalized identifier of the data classification category.","requirement":"recommended","caption":"Category ID","sibling":"category","type_name":"Integer"},"classifier_details":{"type":"object_t","description":"Describes details about the classifier used for data classification.","requirement":"recommended","object_type":"classifier_details","caption":"Classifier Details","object_name":"Classifier Details"},"confidentiality":{"type":"string_t","description":"The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Confidentiality","type_name":"String"},"confidentiality_id":{"type":"integer_t","enum":{"3":{"caption":"Secret"},"6":{"caption":"Restricted"},"0":{"description":"The confidentiality is unknown.","caption":"Unknown"},"1":{"caption":"Not Confidential"},"2":{"caption":"Confidential"},"99":{"description":"The confidentiality is not mapped. See the confidentiality attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Top Secret"},"5":{"caption":"Private"}},"description":"The normalized identifier of the file content confidentiality indicator.","requirement":"recommended","caption":"Confidentiality ID","sibling":"confidentiality","type_name":"Integer"},"discovery_details":{"type":"object_t","description":"Details about the data discovered by classification job.","is_array":true,"requirement":"optional","object_type":"discovery_details","caption":"Discovery Details","object_name":"Discovery Details"},"policy":{"type":"object_t","description":"Details about the data policy that governs data handling and security measures related to classification.","requirement":"optional","object_type":"policy","caption":"Policy","object_name":"Policy"},"src_url":{"type":"url_t","description":"The source URL pointing towards the full classification job details.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"status_details":{"type":"string_t","description":"The contextual description of the status, status_id value.","is_array":true,"requirement":"optional","caption":"Status Details","type_name":"String"},"status_id":{"type":"integer_t","enum":{"3":{"description":"The classification job failed for the evaluated resource.","caption":"Fail"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"The classification job completed for the evaluated resource.","caption":"Complete"},"2":{"description":"The classification job partially completed for the evaluated resource.","caption":"Partial"},"99":{"description":"The classification job type id is not mapped.","caption":"Other"}},"description":"The normalized status identifier of the classification job.","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"}},"name":"data_classification","description":"The Data Classification object includes information about data classification levels and data category types.","extends":"object","constraints":{"at_least_one":["category_id","confidentiality_id"]},"caption":"Data Classification"},"related_event":{"attributes":{"count":{"type":"integer_t","description":"The number of times that activity in the same logical group occurred, as reported by the related Finding.","requirement":"optional","caption":"Count","type_name":"Integer"},"status":{"type":"string_t","description":"The related event status. Should correspond to the label of the status_id (or 'Other' status value for status_id = 99) of the related event.","requirement":"optional","caption":"Status","type_name":"String"},"type":{"type":"string_t","description":"The type of the related event/finding.
Populate if the related event/finding isNOT in OCSF. If it is in OCSF, then utilize type_name, type_uid instead.","requirement":"optional","caption":"Type","type_name":"String"},"title":{"type":"string_t","description":"A title or a brief phrase summarizing the related event/finding.","requirement":"optional","caption":"Title","type_name":"String"},"product":{"type":"object_t","description":"Details about the product that reported the related event/finding.","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"desc":{"type":"string_t","description":"A description of the related event/finding.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the related event/finding.
If the related event/finding is in OCSF, then this value must be equal tometadata.uid in the corresponding event.","requirement":"required","caption":"Unique ID","type_name":"String"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Severity","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated with the related event/finding.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"type_uid":{"type":"long_t","description":"The unique identifier of the related OCSF event type. For example: 100701.
type_uid.For example: Process Activity: Launch.
The time when the related event/finding was created.
If the related event/finding is in OCSF and is a Finding, then this value should be equal tofinding_info.created_time in the corresponding Finding. If the related event/finding is in OCSF and is not a Finding, then this value should be equal to time in the corresponding event.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"first_seen_time":{"type":"timestamp_t","description":"The time when the finding was first observed. e.g. The time when a vulnerability was first observed.created_time timestamp, which reflects the time this finding was created.","requirement":"optional","caption":"First Seen","type_name":"Timestamp"},"kill_chain":{"type":"object_t","description":"The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.","is_array":true,"requirement":"optional","object_type":"kill_chain_phase","caption":"Kill Chain","object_name":"Kill Chain Phase"},"last_seen_time":{"type":"timestamp_t","description":"The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.modified_time timestamp, which reflects the time this finding was last modified.","requirement":"optional","caption":"Last Seen","type_name":"Timestamp"},"modified_time":{"type":"timestamp_t","description":"The time when the related event/finding was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"product_uid":{"type":"string_t","description":"The unique identifier of the product that reported the related event.","requirement":"optional","caption":"Product Identifier","type_name":"String","@deprecated":{"message":"Use the uid attribute in the product object instead. See specific usage.","since":"1.4.0"}},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","requirement":"recommended","caption":"Severity ID","sibling":"severity","type_name":"Integer"},"traits":{"type":"object_t","description":"The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome.","is_array":true,"requirement":"optional","object_type":"trait","caption":"Traits","object_name":"Trait"},"created_time_dt":{"type":"datetime_t","description":"The time when the related event/finding was created.
If the related event/finding is in OCSF and is a Finding, then this value should be equal tofinding_info.created_time in the corresponding Finding. If the related event/finding is in OCSF and is not a Finding, then this value should be equal to time in the corresponding event.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"first_seen_time_dt":{"type":"datetime_t","description":"The time when the finding was first observed. e.g. The time when a vulnerability was first observed.created_time timestamp, which reflects the time this finding was created.","requirement":"optional","profiles":["datetime"],"caption":"First Seen","type_name":"Datetime"},"last_seen_time_dt":{"type":"datetime_t","description":"The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.modified_time timestamp, which reflects the time this finding was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Last Seen","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The time when the related event/finding was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"related_event","description":"The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.","extends":"object","profiles":["data_classification","datetime"],"caption":"Related Event/Finding"},"win/win_service":{"attributes":{"name":{"type":"string_t","description":"The unique name of the service.","requirement":"required","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The version of the service.","requirement":"recommended","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the service.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"labels":{"type":"string_t","description":"The list of labels associated with the service.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the service.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"cmd_line":{"type":"string_t","description":"The full command line used to launch the service.","requirement":"recommended","caption":"Command Line","type_name":"String","observable":13},"hosting_process":{"type":"object_t","description":"The process that is hosting this service.","extension":"win","requirement":"optional","extension_id":2,"object_type":"process_entity","caption":"Hosting Process","object_name":"Process Entity"},"load_order_group":{"type":"string_t","description":"The name of the load ordering group of which this service is a member.","extension":"win","requirement":"recommended","extension_id":2,"caption":"Load Order Group","type_name":"String"},"service_category":{"type":"string_t","description":"The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.","extension":"win","requirement":"optional","extension_id":2,"caption":"Service Category","type_name":"String"},"service_category_id":{"type":"integer_t","enum":{"0":{"description":"The service category is unknown.","caption":"Unknown"},"1":{"description":"A kernel mode driver.","caption":"Kernel Mode"},"2":{"description":"A user mode service.","caption":"User Mode"},"99":{"description":"The service category is not mapped. See the service_category attribute, which contains an event source specific value.","caption":"Other"}},"description":"The normalized identifier of the service category.","extension":"win","requirement":"recommended","extension_id":2,"caption":"Service Category ID","sibling":"service_category","type_name":"Integer"},"service_dependencies":{"type":"string_t","description":"The names of other services upon which this service has a dependency.","extension":"win","is_array":true,"requirement":"recommended","extension_id":2,"caption":"Service Dependencies","type_name":"String"},"service_dll_file":{"type":"object_t","description":"For a shared user mode service (service_type_id is 4) this is the DLL that gets loaded by the generic service host process (e.g. svchost.exe) to implement the service.","extension":"win","requirement":"optional","extension_id":2,"object_type":"file","caption":"Service DLL","object_name":"File"},"service_error_control":{"type":"string_t","description":"The service error control, normalized to the caption of the service_error_control_id value. In the case of 'Other', it is defined by the event source.","extension":"win","requirement":"optional","extension_id":2,"caption":"Service Error Control","type_name":"String"},"service_error_control_id":{"type":"integer_t","enum":{"3":{"description":"The startup program logs the error in the event log. If the last-known-good configuration is being started, the startup operation continues. Otherwise, the system is restarted with the last-known-good configuration.","caption":"Severe"},"0":{"description":"The service error control is unknown.","caption":"Unknown"},"1":{"description":"The startup program ignores the error and continues the startup operation.","caption":"Ignore"},"2":{"description":"The startup program logs the error in the event log but continues the startup operation.","caption":"Normal"},"99":{"description":"The service error control is not mapped. See the service_error_control attribute, which contains an event source specific value.","caption":"Other"},"4":{"description":"The startup program logs the error in the event log, if possible. If the last-known-good configuration is being started, the startup operation fails. Otherwise, the system is restarted with the last-known good configuration.","caption":"Critical"}},"description":"The normalized identifier of the service error control.","extension":"win","requirement":"recommended","extension_id":2,"caption":"Service Error Control ID","sibling":"service_error_control","type_name":"Integer"},"service_file":{"type":"object_t","description":"For a user mode service (service_type_id 3 or 4) this is the executable program that the SCM launches as the service process.service_type_id 1 or 2) this is the driver file loaded into the kernel at the request of the SCM. ","extension":"win","requirement":"recommended","extension_id":2,"object_type":"file","caption":"Service File","object_name":"File"},"service_start_name":{"type":"string_t","description":"For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.","extension":"win","requirement":"recommended","extension_id":2,"caption":"Service Start Name","type_name":"String"},"service_start_type":{"type":"string_t","description":"The service start type, normalized to the caption of the service_start_type_id value. In the case of 'Other', it is defined by the event source.","extension":"win","requirement":"optional","extension_id":2,"caption":"Service Start Type","type_name":"String"},"service_start_type_id":{"type":"integer_t","enum":{"3":{"description":"A user mode service started automatically during system startup.","caption":"Auto"},"0":{"description":"The service start type is unknown.","caption":"Unknown"},"1":{"description":"A kernel mode driver loaded at boot.","caption":"Boot"},"2":{"description":"A kernel mode driver loaded during system startup.","caption":"System"},"99":{"description":"The service start type is not mapped. See the service_start_type attribute, which contains an event source specific value.","caption":"Other"},"4":{"description":"A user mode service started on demand when a process calls StartService.","caption":"Demand"},"5":{"description":"A driver or service that cannot be started.","caption":"Disabled"}},"description":"The normalized identifier of the service start type.","extension":"win","requirement":"recommended","extension_id":2,"caption":"Service Start Type ID","sibling":"service_start_type","type_name":"Integer"},"service_type":{"type":"string_t","description":"The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.","extension":"win","requirement":"optional","extension_id":2,"caption":"Service Type","type_name":"String"},"service_type_id":{"type":"integer_t","enum":{"3":{"description":"A user mode service that runs in its own process.","caption":"Own Process"},"0":{"description":"The service type is unknown.","caption":"Unknown"},"1":{"description":"A kernel mode driver.","caption":"Kernel Driver"},"2":{"description":"A kernel mode file system minifilter.","caption":"File System Driver"},"99":{"description":"The service type is not mapped. See the service_type attribute, which contains an event source specific value.","caption":"Other"},"4":{"description":"A user mode service that shares a process with other services.","caption":"Share Process"}},"description":"The normalized identifier of the service type.","extension":"win","requirement":"recommended","extension_id":2,"caption":"Service Type ID","sibling":"service_type","type_name":"Integer"}},"name":"win_service","description":"The Windows Service object describes a Windows service.","extension":"win","extends":"service","constraints":{"at_least_one":["cmd_line","service_category_id","service_dependencies","service_error_control_id","service_start_name","service_start_type_id","service_type_id"]},"references":[{"description":"D3FEND™ Ontology d3f:ServiceApplication.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ServiceApplication/"}],"extension_id":2,"profiles":["data_classification"],"caption":"Windows Service"},"network_proxy":{"attributes":{"proxy_endpoint":{"type":"object_t","description":"The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).","requirement":"optional","object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"zone":{"type":"string_t","description":"The network zone or LAN segment.","requirement":"optional","caption":"Network Zone","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the endpoint.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":48},"os":{"type":"object_t","description":"The endpoint operating system.","requirement":"optional","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"vpc_uid":{"type":"string_t","description":"The unique identifier of the Virtual Private Cloud (VPC).","requirement":"optional","caption":"VPC UID","type_name":"String"},"port":{"type":"port_t","description":"The port used for communication within the network connection.","requirement":"recommended","caption":"Port","type_name":"Port"},"network_scope_id":{"type":"integer_t","enum":{"0":{"description":"Unknown whether this endpoint resides within the customer’s network.","caption":"Unknown"},"1":{"description":"The endpoint resides inside the customer’s network.","caption":"Internal"},"2":{"description":"The endpoint is on the Internet or otherwise external to the customer’s network.","caption":"External"},"99":{"description":"The network scope is not mapped. See the network_scope attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the endpoint’s network scope. The normalized network scope identifier indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined.","requirement":"optional","caption":"Network Scope ID","sibling":"network_scope","type_name":"Integer"},"fingerprints":{"type":"object_t","description":"Fingerprints that identify the specific application implementation on this endpoint, such as Cisco NPF or HASSH.","is_array":true,"requirement":"optional","object_type":"fingerprint","caption":"Fingerprints","object_name":"Fingerprint"},"owner":{"type":"object_t","description":"The identity of the service or user account that owns the endpoint or was last logged into it.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"type":{"type":"string_t","description":"The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.","requirement":"optional","caption":"Type","type_name":"String"},"network_scope":{"type":"string_t","description":"Indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the network_scope_id.","requirement":"optional","caption":"Network Scope","type_name":"String"},"container":{"type":"object_t","description":"The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","group":"context","requirement":"recommended","profiles":["container"],"object_type":"container","caption":"Container","object_name":"Container"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A laptop computer.","caption":"Laptop"},"6":{"description":"A virtual machine.","caption":"Virtual"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A server.","caption":"Server"},"2":{"description":"A desktop computer.","caption":"Desktop"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A tablet computer.","caption":"Tablet"},"5":{"description":"A mobile phone.","caption":"Mobile"},"7":{"description":"An IOT (Internet of Things) device.","caption":"IOT"},"8":{"description":"A web browser.","caption":"Browser"},"9":{"description":"A networking firewall.","caption":"Firewall"},"10":{"description":"A networking switch.","caption":"Switch"},"11":{"description":"A networking hub.","caption":"Hub"},"12":{"description":"A networking router.","caption":"Router"},"14":{"description":"An intrusion prevention system.","caption":"IPS"},"15":{"description":"A Load Balancer device.","caption":"Load Balancer"},"13":{"description":"An intrusion detection system.","caption":"IDS"}},"description":"The network endpoint type ID.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"domain":{"type":"string_t","description":"The name of the domain that the endpoint belongs to or that corresponds to the endpoint.","requirement":"optional","caption":"Domain","type_name":"String"},"pool":{"type":"object_t","description":"The pool of desktops or virtual machines to which the endpoint belongs.","requirement":"optional","object_type":"group","caption":"Pool","object_name":"Group"},"interface_name":{"type":"string_t","description":"The name of the network interface (e.g. eth2).","requirement":"recommended","caption":"Network Interface Name","type_name":"String"},"isp":{"type":"string_t","description":"The name of the Internet Service Provider (ISP).","requirement":"optional","caption":"ISP Name","type_name":"String"},"namespace_pid":{"type":"integer_t","description":"If running under a process namespace (such as in a container), the process identifier within that process namespace.","group":"context","requirement":"recommended","profiles":["container"],"caption":"Namespace PID","type_name":"Integer"},"mac_vendor":{"type":"string_t","description":"The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.","references":[{"description":"IEEE Registration Authority","url":"https://standards.ieee.org/products-programs/regauth/"}],"requirement":"optional","caption":"MAC Vendor","type_name":"String"},"name":{"type":"string_t","description":"The short name of the endpoint.","requirement":"recommended","caption":"Name","type_name":"String"},"mac":{"type":"mac_t","description":"The Media Access Control (MAC) address of the endpoint.","requirement":"optional","caption":"MAC Address","type_name":"MAC Address"},"instance_uid":{"type":"string_t","description":"The unique identifier of a VM instance.","requirement":"recommended","caption":"Instance ID","type_name":"String"},"subnet_uid":{"type":"string_t","description":"The unique identifier of a virtual subnet.","requirement":"optional","caption":"Subnet UID","type_name":"String"},"vlan_uid":{"type":"string_t","description":"The Virtual LAN identifier.","requirement":"optional","caption":"VLAN","type_name":"String"},"svc_name":{"type":"string_t","description":"The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.","requirement":"recommended","caption":"Service Name","type_name":"String"},"hostname":{"type":"hostname_t","description":"The fully qualified name of the endpoint.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"autonomous_system":{"type":"object_t","description":"The Autonomous System details associated with an IP address.","requirement":"optional","object_type":"autonomous_system","caption":"Autonomous System","object_name":"Autonomous System"},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"requirement":"optional","object_type":"agent","caption":"Agent List","object_name":"Agent"},"interface_uid":{"type":"string_t","description":"The unique identifier of the network interface.","requirement":"recommended","caption":"Network Interface ID","type_name":"String"},"hw_info":{"type":"object_t","description":"The endpoint hardware information.","requirement":"optional","object_type":"device_hw_info","caption":"Hardware Info","object_name":"Device Hardware Info"},"ip":{"type":"ip_t","description":"The IP address of the endpoint, in either IPv4 or IPv6 format.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"isp_org":{"type":"string_t","description":"The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.","requirement":"optional","caption":"ISP Org","type_name":"String"},"location":{"type":"object_t","description":"The geographical location of the endpoint.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"intermediate_ips":{"type":"ip_t","description":"The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.","is_array":true,"requirement":"optional","caption":"Intermediate IP Addresses","type_name":"IP Address"}},"name":"network_proxy","description":"The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.","extends":"network_endpoint","constraints":{"at_least_one":["ip","uid","name","hostname","svc_name","instance_uid","interface_uid","interface_name","domain"]},"references":[{"description":"D3FEND™ Ontology d3f:ProxyServer","url":"https://d3fend.mitre.org/dao/artifact/d3f:ProxyServer/"}],"profiles":["container"],"caption":"Network Proxy Endpoint","observable":20},"access_analysis_result":{"attributes":{"access_level":{"type":"string_t","description":"The generalized access level or permission scope granted to the identity through the analyzed policy configuration. Common examples include Read, Write, List, Delete, Admin, or custom permission levels.","requirement":"recommended","caption":"Access Level","type_name":"String"},"access_type":{"type":"string_t","description":"The type or category of access being granted to the identity. This describes the nature of the access relationship, such as cross-account access, public access, federated access, or third-party integration access. Examples include 'Cross-Account', 'Public', 'Federated', 'Service-to-Service', etc.","requirement":"optional","caption":"Access Type","type_name":"String"},"accessors":{"type":"object_t","description":"The identities that are granted access through the analyzed policy configuration. This identifies the specific entity that can exercise the permissions and helps assess the access relationship and potential security implications. Examples include user accounts, service principals, roles, account identifiers, or system identities.","is_array":true,"requirement":"required","object_type":"user","caption":"Accessors","object_name":"User"},"additional_restrictions":{"type":"object_t","description":"Details about supplementary restrictions and guardrails that may limit the granted access, applied through additional policy types such as Resource Control Policies (RCPs) and Service Control Policies (SCPs) in AWS, or other policy constraints.","is_array":true,"requirement":"optional","object_type":"additional_restriction","caption":"Additional Restrictions","object_name":"Additional Restriction"},"condition_keys":{"type":"object_t","description":"The condition keys and their values that constrain when and how the granted access can be exercised. These conditions define the circumstances under which the access relationship is valid and the privileges can be used. Examples: IP address restrictions like 'aws:SourceIp:192.0.2.0/24', time-based constraints like 'aws:RequestedRegion:us-east-1', MFA requirements like 'aws:MultiFactorAuthPresent:true', or custom conditions based on resource tags and request context.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Condition Keys","object_name":"Key:Value object"},"granted_privileges":{"type":"string_t","description":"The specific privileges, actions, or permissions that are granted through the analyzed access relationship. This includes the actual operations that the accessor can perform on the target resource. Examples: AWS actions like 'sts:AssumeRole', 's3:GetObject', 'ec2:DescribeInstances'; Azure actions like 'Microsoft.Storage/storageAccounts/read'; or GCP permissions like 'storage.objects.get'.","is_array":true,"requirement":"optional","caption":"Granted Privileges","type_name":"String"}},"name":"access_analysis_result","description":"The Access Analysis Result object describes access relationships and pathways between identities, resources, focusing on who can access what and through which mechanisms. This evaluates access levels (read/write/admin), access types (direct, cross-account, public, federated), and the conditions under which access is granted. Use this for resource-centric security assessments such as external access discovery, public exposure analysis, etc.","extends":"object","caption":"Access Analysis Result"},"trace":{"attributes":{"flags":{"type":"string_t","description":"The flags associated with the trace, used to indicate specific properties or behaviors, such as whether the trace is sampled or if it has special handling. Flags help control how traces are processed, logged, and analyzed, providing valuable context for tracing and observability tools in identifying trace characteristics or specific tracking requirements.","is_array":true,"requirement":"optional","caption":"Flags","type_name":"String"},"service":{"type":"object_t","description":"Identifies the service or component generating the trace, helping to track and correlate the flow of requests through various parts of a distributed system. This information is essential for understanding the role and performance of specific services within the broader context of system operations and for diagnosing issues across different components.","requirement":"optional","object_type":"service","caption":"Service","object_name":"Service"},"uid":{"type":"string_t","description":"The unique identifier of the trace used in distributed systems and microservices architecture to track and correlate requests across various components of an application.","requirement":"required","caption":"Unique ID","type_name":"String"},"span":{"type":"object_t","description":"Represents a single unit of work or operation within a distributed trace. A span typically tracks the execution of a request across a service, capturing important details such as the operation, timestamps, and status. Spans help break down the overall trace into smaller, manageable parts, enabling detailed analysis of the performance and behavior of specific operations within the system. They are crucial for understanding latency, dependencies, and bottlenecks in complex distributed systems.","requirement":"optional","object_type":"span","caption":"Span","object_name":"Span"},"start_time":{"type":"timestamp_t","description":"The start timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the end time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time enables accurate trace duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"duration":{"type":"long_t","description":"The total time, in milliseconds, that the trace covers, calculated as the difference between start_time and end_time. This duration helps assess the overall performance of a request as it travels across various services, and is essential for identifying latency and potential bottlenecks within the distributed system. The trace duration may differ from individual span durations due to the propagation and processing times of the trace as it spans multiple components.","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"end_time":{"type":"timestamp_t","description":"The end timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate trace duration calculations and helps observability tools track overall performance across services, regardless of the individual system time settings.","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"start_time_dt":{"type":"datetime_t","description":"The start timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the end time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time enables accurate trace duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"end_time_dt":{"type":"datetime_t","description":"The end timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate trace duration calculations and helps observability tools track overall performance across services, regardless of the individual system time settings.","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"}},"name":"trace","description":"The trace object contains information about a distributed trace, which is crucial for observability. Traces are made up of one or more spans, which are individual units of work in application activity. Traces track the journey of a request as it moves through various services in a system, capturing key details like timing, status, and dependencies at each step. Traces provide insights into system performance, helping to identify latency, bottlenecks, and issues in complex, distributed environments.","extends":"object","profiles":["datetime"],"caption":"Trace"},"campaign":{"attributes":{"name":{"type":"string_t","description":"The name of a specific campaign associated with a cyber threat.","requirement":"required","caption":"Name","type_name":"String"}},"name":"campaign","description":"Campaign represent organized efforts by threat actors to achieve malicious objectives over a period, often characterized by shared tactics, techniques, and procedures (TTPs).","extends":"object","caption":"Campaign"},"additional_restriction":{"attributes":{"status":{"type":"string_t","description":"The current status of the policy restriction, normalized to the caption of the status_id enum value.","requirement":"optional","caption":"Status","type_name":"String"},"policy":{"type":"object_t","description":"Detailed information about the policy document that defines this restriction, including policy metadata, type, scope, and the specific rules or conditions that implement the access control.","requirement":"required","object_type":"policy","caption":"Policy","object_name":"Policy"},"status_id":{"type":"integer_t","enum":{"3":{"description":"This restriction could not be properly evaluated due to an error.","caption":"Evaluation Error"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"This restriction is currently applicable and being enforced.","caption":"Applicable"},"2":{"description":"This restriction is not applicable.","caption":"Inapplicable"},"99":{"description":"The status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized status identifier indicating the applicability of this policy restriction.","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"}},"name":"additional_restriction","description":"The Additional Restriction object describes supplementary access controls and guardrails that constrain or limit granted permissions beyond the primary policy. These restrictions are typically applied through hierarchical policy frameworks, organizational controls, or conditional access mechanisms. Examples include AWS Service Control Policies (SCPs), Resource Control Policies (RCPs), Azure Management Group policies, GCP Organization policies, conditional access policies, IP restrictions, time-based constraints, and MFA requirements.","extends":"object","caption":"Additional Restriction"},"finding":{"attributes":{"title":{"type":"string_t","description":"A title or a brief phrase summarizing the reported finding.","requirement":"required","caption":"Title","type_name":"String"},"product":{"type":"object_t","description":"Details about the product that reported the finding.","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"desc":{"type":"string_t","description":"The description of the reported finding.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the reported finding.","requirement":"required","caption":"Unique ID","type_name":"String"},"types":{"type":"string_t","description":"One or more types of the reported finding.","is_array":true,"requirement":"optional","caption":"Types","type_name":"String"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"created_time":{"type":"timestamp_t","description":"The time when the finding was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"first_seen_time":{"type":"timestamp_t","description":"The time when the finding was first observed.","requirement":"optional","caption":"First Seen","type_name":"Timestamp"},"last_seen_time":{"type":"timestamp_t","description":"The time when the finding was most recently observed.","requirement":"optional","caption":"Last Seen","type_name":"Timestamp"},"modified_time":{"type":"timestamp_t","description":"The time when the finding was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"product_uid":{"type":"string_t","description":"The unique identifier of the product that reported the finding.","requirement":"optional","caption":"Product Identifier","type_name":"String","@deprecated":{"message":"Use the uid attribute in the product object instead. See specific usage.","since":"1.4.0"}},"related_events":{"type":"object_t","description":"Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.","is_array":true,"requirement":"optional","object_type":"related_event","caption":"Related Events/Findings","object_name":"Related Event/Finding"},"src_url":{"type":"url_t","description":"The URL pointing to the source of the finding.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"supporting_data":{"type":"json_t","description":"Additional data supporting a finding as provided by security tool","requirement":"optional","caption":"Supporting Data","type_name":"JSON"},"created_time_dt":{"type":"datetime_t","description":"The time when the finding was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"first_seen_time_dt":{"type":"datetime_t","description":"The time when the finding was first observed.","requirement":"optional","profiles":["datetime"],"caption":"First Seen","type_name":"Datetime"},"last_seen_time_dt":{"type":"datetime_t","description":"The time when the finding was most recently observed.","requirement":"optional","profiles":["datetime"],"caption":"Last Seen","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The time when the finding was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"finding","description":"The Finding object describes metadata related to a security finding generated by a security tool or system.","extends":"object","profiles":["data_classification","datetime"],"caption":"Finding","@deprecated":{"message":"Use the new finding_info object.","since":"1.0.0"}},"job":{"attributes":{"name":{"type":"string_t","description":"The name of the job.","requirement":"required","caption":"Name","type_name":"String"},"file":{"type":"object_t","description":"The file that pertains to the job.","requirement":"optional","object_type":"file","caption":"File","object_name":"File"},"user":{"type":"object_t","description":"The user that created the job.","requirement":"optional","object_type":"user","caption":"User","object_name":"User"},"desc":{"type":"string_t","description":"The description of the job.","requirement":"recommended","caption":"Description","type_name":"String"},"cmd_line":{"type":"string_t","description":"The job command line.","requirement":"recommended","caption":"Command Line","type_name":"String","observable":13},"created_time":{"type":"timestamp_t","description":"The time when the job was created.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"last_run_time":{"type":"timestamp_t","description":"The time when the job was last run.","requirement":"recommended","caption":"Last Run","type_name":"Timestamp"},"next_run_time":{"type":"timestamp_t","description":"The time when the job will next be run.","requirement":"optional","caption":"Next Run","type_name":"Timestamp"},"run_state":{"type":"string_t","description":"The run state of the job.","requirement":"optional","caption":"Run State","type_name":"String"},"run_state_id":{"type":"integer_t","enum":{"3":{"caption":"Running"},"0":{"description":"The run state is unknown.","caption":"Unknown"},"1":{"caption":"Ready"},"2":{"caption":"Queued"},"99":{"description":"The run state is not mapped. See the run_state attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Stopped"}},"description":"The run state ID of the job.","requirement":"recommended","caption":"Run State ID","sibling":"run_state","type_name":"Integer"},"created_time_dt":{"type":"datetime_t","description":"The time when the job was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"last_run_time_dt":{"type":"datetime_t","description":"The time when the job was last run.","requirement":"optional","profiles":["datetime"],"caption":"Last Run","type_name":"Datetime"},"next_run_time_dt":{"type":"datetime_t","description":"The time when the job will next be run.","requirement":"optional","profiles":["datetime"],"caption":"Next Run","type_name":"Datetime"}},"name":"job","description":"The Job object provides information about a scheduled job or task, including its name, command line, and state. It encompasses attributes that describe the properties and status of the scheduled job.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:ScheduledJob.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ScheduledJob/"}],"profiles":["data_classification","datetime"],"caption":"Job"},"tls_extension":{"attributes":{"data":{"type":"json_t","description":"The data contains information specific to the particular extension type.","requirement":"recommended","caption":"Data","type_name":"JSON"},"type":{"type":"string_t","description":"The TLS extension type. For example: Server Name.","requirement":"optional","caption":"Type","type_name":"String"},"type_id":{"type":"integer_t","enum":{"0":{"description":"The Server Name Indication extension.","caption":"server_name"},"1":{"description":"The Maximum Fragment Length Negotiation extension.","caption":"maximum_fragment_length"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"5":{"description":"The Certificate Status Request extension.","caption":"status_request"},"10":{"description":"The Supported Groups extension.","caption":"supported_groups"},"14":{"description":"The Use SRTP data protection extension.","caption":"use_srtp"},"15":{"description":"The Heartbeat extension.","caption":"heartbeat"},"16":{"description":"The Application-Layer Protocol Negotiation extension.","caption":"application_layer_protocol_negotiation"},"18":{"description":"The Signed Certificate Timestamp extension.","caption":"signed_certificate_timestamp"},"20":{"description":"The Server Certificate Type extension.","caption":"server_certificate_type"},"21":{"description":"The Padding extension.","caption":"padding"},"43":{"description":"The Supported Versions extension.","caption":"supported_versions"},"44":{"description":"The Cookie extension.","caption":"cookie"},"45":{"description":"The Pre-Shared Key Exchange Modes extension.","caption":"psk_key_exchange_modes"},"47":{"description":"The Certificate Authorities extension.","caption":"certificate_authorities"},"49":{"description":"The Post-Handshake Client Authentication extension.","caption":"post_handshake_auth"},"50":{"description":"The Signature Algorithms extension.","caption":"signature_algorithms_cert"},"51":{"description":"The Key Share extension.","caption":"key_share"},"13":{"description":"The Signature Algorithms extension.","caption":"signature_algorithms"},"19":{"description":"The Client Certificate Type extension.","caption":"client_certificate_type"},"48":{"description":"The OID Filters extension.","caption":"oid_filters"},"41":{"description":"The Pre Shared Key extension.","caption":"pre_shared_key"},"42":{"description":"The Early Data extension.","caption":"early_data"}},"description":"The TLS extension type identifier. See The Transport Layer Security (TLS) extension page.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"}},"name":"tls_extension","description":"The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object.","extends":"object","caption":"TLS Extension"},"observation":{"attributes":{"count":{"type":"integer_t","description":"Integer representing the total number of times this specific value/event was observed across all occurrences. Helps establish prevalence and patterns.","requirement":"recommended","caption":"Count","type_name":"Integer"},"value":{"type":"string_t","description":"The specific value, event, indicator or data point that was observed and recorded. This is the core piece of information being tracked.","requirement":"required","caption":"Value","type_name":"String"},"timespan":{"type":"object_t","description":"The time window when the value or event was first observed. It is used to analyze activity patterns, detect trends, or correlate events within a specific timeframe.","requirement":"recommended","object_type":"timespan","caption":"Time Span","object_name":"Time Span"}},"name":"observation","description":"A record of an observed value or event that captures the timing and frequency of its occurrence. Used to track when values/events were first detected, last detected, and their total occurrence count.","extends":"object","caption":"Observation"},"tactic":{"attributes":{"name":{"type":"string_t","description":"The Tactic name that is associated with the attack technique. For example: Reconnaissance or ML Model Access.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The Tactic ID that is associated with the attack technique. For example: TA0043, or AML.TA0000.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"src_url":{"type":"url_t","description":"The versioned permalink of the Tactic. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"tactic","description":"The MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"caption":"MITRE Tactic"},"trait":{"attributes":{"name":{"type":"string_t","description":"The name of the trait.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the trait. For example, this can be used to indicate if the trait acts as a contributing factor (increases risk/severity) or a mitigating factor (decreases risk/severity), in the context of the related finding.","requirement":"optional","caption":"Type","type_name":"String"},"values":{"type":"string_t","description":"The values of the trait.","is_array":true,"requirement":"optional","caption":"Values","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the trait.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The high-level grouping or classification this trait belongs to.","requirement":"optional","caption":"Category","type_name":"String"}},"name":"trait","description":"Describes a characteristic or feature of an entity that was observed. For example, this object can be used to represent specific characteristics derived from events or findings that can be surfaced as distinguishing traits of the entity in question.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Trait"},"keyboard_info":{"attributes":{"function_keys":{"type":"integer_t","description":"The number of function keys on client keyboard.","requirement":"optional","caption":"Function Keys","type_name":"Integer"},"ime":{"type":"string_t","description":"The Input Method Editor (IME) file name.","requirement":"optional","caption":"IME","type_name":"String"},"keyboard_layout":{"type":"string_t","description":"The keyboard locale identifier name (e.g., en-US).","requirement":"optional","caption":"Keyboard Layout","type_name":"String"},"keyboard_subtype":{"type":"integer_t","description":"The keyboard numeric code.","requirement":"optional","caption":"Keyboard Subtype","type_name":"Integer"},"keyboard_type":{"type":"string_t","description":"The keyboard type (e.g., xt, ico).","requirement":"optional","caption":"Keyboard Type","type_name":"String"}},"name":"keyboard_info","description":"The Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard.","extends":"object","caption":"Keyboard Information"},"autonomous_system":{"attributes":{"name":{"type":"string_t","description":"Organization name for the Autonomous System.","group":"context","requirement":"recommended","caption":"Name","type_name":"String"},"number":{"type":"integer_t","description":"Unique number that the AS is identified by.","group":"context","requirement":"recommended","caption":"Number","type_name":"Integer"}},"name":"autonomous_system","description":"An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.","extends":"object","constraints":{"at_least_one":["number","name"]},"caption":"Autonomous System"},"affected_package":{"attributes":{"name":{"type":"string_t","description":"The software package name.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The software package version.","requirement":"required","caption":"Version","type_name":"String"},"path":{"type":"file_path_t","description":"The installation path of the affected package.","requirement":"optional","caption":"Path","type_name":"File Path"},"uid":{"type":"string_t","description":"A unique identifier for the package or library reported by the source tool. E.g., the libId within the sbom field of an OX Security Issue or the SPDX components.*.bom-ref.","requirement":"optional","caption":"Package UID","type_name":"String"},"hash":{"type":"object_t","description":"Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.","requirement":"optional","object_type":"fingerprint","caption":"Hash","object_name":"Fingerprint"},"release":{"type":"string_t","description":"Release is the number of times a version of the software has been packaged.","requirement":"optional","caption":"Software Release Details","type_name":"String"},"epoch":{"type":"integer_t","description":"The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.","requirement":"optional","caption":"Epoch","type_name":"Integer"},"type_id":{"type":"integer_t","enum":{"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"An application software package.","caption":"Application"},"2":{"description":"An operating system software package.","caption":"Operating System"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The type of software package.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"license":{"type":"string_t","description":"The software license applied to this package.","requirement":"optional","caption":"Software License","type_name":"String"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"architecture":{"type":"string_t","description":"Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.","requirement":"recommended","caption":"Architecture","type_name":"String"},"cpe_name":{"type":"string_t","description":"The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.","requirement":"optional","caption":"The product CPE identifier","type_name":"String"},"fixed_in_version":{"type":"string_t","description":"The software package version in which a reported vulnerability was patched/fixed.","requirement":"optional","caption":"Fixed In Version","type_name":"String"},"license_url":{"type":"url_t","description":"The URL pointing to the license applied on package or software. This is typically a LICENSE.md file within a repository.","requirement":"optional","caption":"Software License URL","type_name":"URL String"},"package_manager":{"type":"string_t","description":"The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.","requirement":"optional","caption":"Package Manager","type_name":"String"},"package_manager_url":{"type":"url_t","description":"The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as AWS CodeArtifact or Artifactory.","requirement":"optional","caption":"Package Manager URL","type_name":"URL String"},"purl":{"type":"string_t","description":"A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.","requirement":"optional","caption":"Package URL","type_name":"String"},"src_url":{"type":"url_t","description":"The link to the specific library or package such as within GitHub, this is different from the link to the package manager where the library or package is hosted.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"vendor_name":{"type":"string_t","description":"The name of the vendor who published the software package.","requirement":"optional","caption":"Vendor Name","type_name":"String"}},"name":"affected_package","description":"The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.","extends":"package","references":[{"description":"D3FEND™ Ontology d3f:SoftwarePackage.","url":"https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/"}],"profiles":["data_classification"],"caption":"Affected Software Package"},"unmanned_aerial_system":{"attributes":{"name":{"type":"string_t","description":"The name of the unmanned system as reported by tracking or sensing hardware.","requirement":"optional","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of the UAS. For example, Helicopter, Gyroplane, Rocket, etc.","requirement":"optional","caption":"Type","type_name":"String"},"speed":{"type":"string_t","description":"Ground speed of flight. This value is provided in meters per second with a minimum resolution of 0.25 m/s. Special Values: Invalid, No Value, or Unknown: 255 m/s.","requirement":"optional","caption":"Speed","type_name":"String"},"location":{"type":"object_t","description":"The detailed geographical location usually associated with an IP address.","requirement":"recommended","object_type":"location","caption":"UAS Position Location Information","object_name":"Geo Location"},"uid":{"type":"string_t","description":"The primary identification identifier for an unmanned system. This can be a Serial Number (in CTA-2063-A format, the Registration ID (provided by the CAA, a UTM, or a unique Session ID.","requirement":"recommended","caption":"UAS ID","type_name":"String"},"uuid":{"type":"uuid_t","description":"The Unmanned Aircraft System Traffic Management (UTM) provided universal unique ID (UUID) traceable to a non-obfuscated ID where this UTM UUID acts as a 'session id' to protect exposure of operationally sensitive information.","requirement":"recommended","caption":"UTM UUID","type_name":"UUID"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Gyroplane"},"6":{"caption":"Glider"},"0":{"description":"The UAS type is empty or not declared.","caption":"Unknown/Undeclared"},"1":{"caption":"Airplane"},"2":{"description":"Can also be a Multi-rotor Unmanned Aircraft (e.g., Quad-copter).","caption":"Helicopter"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Fixed wing aircraft that can take off vertically.","caption":"Hybrid Lift"},"5":{"caption":"Ornithopter"},"7":{"caption":"Kite"},"8":{"caption":"Free Balloon"},"9":{"caption":"Captive Balloon"},"10":{"description":"E.g., a blimp.","caption":"Airship"},"11":{"description":"Parachutes, or objects without any power or propulsion mechanism.","caption":"Free Fall/Parachute"},"12":{"caption":"Rocket"},"14":{"caption":"Ground Obstacle"},"13":{"caption":"Tethered Powered Aircraft"}},"description":"The UAS type identifier.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"hw_info":{"type":"object_t","description":"The endpoint hardware information.","requirement":"optional","object_type":"device_hw_info","caption":"UAS Hardware Information","object_name":"Device Hardware Info"},"model":{"type":"string_t","description":"The model name of the aircraft or unmanned system.","requirement":"optional","caption":"Model","type_name":"String"},"serial_number":{"type":"string_t","description":"The serial number of the unmanned system. This is expressed in CTA-2063-A format.","requirement":"recommended","caption":"Serial Number","type_name":"String","observable":37},"speed_accuracy":{"type":"string_t","description":"Provides quality/containment on horizontal ground speed. Measured in meters/second.","requirement":"optional","caption":"Speed Accuracy","type_name":"String"},"track_direction":{"type":"string_t","description":"Direction of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value","requirement":"optional","caption":"Track Direction","type_name":"String"},"uid_alt":{"type":"string_t","description":"A secondary identification identifier for an unmanned system. This can be a Serial Number (in CTA-2063-A format, the Registration ID (provided by the CAA, a UTM, or a unique Session ID.","requirement":"recommended","caption":"UAS Alternate ID","type_name":"String"},"vertical_speed":{"type":"string_t","description":"Vertical speed upward relative to the WGS-84 datum, measured in meters per second. Special Values: Invalid, No Value, or Unknown: 63 m/s.","requirement":"optional","caption":"Vertical Speed","type_name":"String"}},"name":"unmanned_aerial_system","description":"The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.","extends":"aircraft","constraints":{"at_least_one":["name","serial_number","uid","uid_alt"]},"caption":"Unmanned Aerial System"},"graph":{"attributes":{"name":{"type":"string_t","description":"The graph name - a human readable identifier for the graph.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The graph type. Typically useful to represent the specific type of graph that is used.","requirement":"optional","caption":"Type","type_name":"String"},"nodes":{"type":"object_t","description":"The nodes/vertices of the graph - contains the collection of node objects that make up the graph.","is_array":true,"requirement":"required","object_type":"node","caption":"Nodes","object_name":"Node"},"desc":{"type":"string_t","description":"The graph description - provides additional details about the graph's purpose and contents.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"Unique identifier of the graph - a unique ID to reference this specific graph.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"edges":{"type":"object_t","description":"The edges/connections between nodes in the graph - contains the collection of edge objects defining relationships between nodes.","is_array":true,"requirement":"optional","object_type":"edge","caption":"Edges","object_name":"Edge"},"is_directed":{"type":"boolean_t","description":"Indicates if the graph is directed (true) or undirected (false).","requirement":"optional","caption":"Directed","type_name":"Boolean"},"query_language":{"type":"string_t","description":"The graph query language, normalized to the caption of the query_language_id value.","requirement":"optional","caption":"Query Language","type_name":"String"},"query_language_id":{"type":"integer_t","enum":{"3":{"description":"A graph traversal language and virtual machine developed by Apache TinkerPop that enables graph computing across different graph databases.","caption":"Gremlin"},"6":{"description":"Property Graph Query Language developed by Oracle that provides SQL-like syntax for querying property graphs.","caption":"PGQL"},"0":{"description":"The Query Language is unknown.","caption":"Unknown"},"1":{"description":"A declarative graph query language developed by Neo4j that allows for expressive and efficient querying of graph databases.","caption":"Cypher"},"2":{"description":"A query language for APIs that enables declarative data fetching and provides a complete description of the data in the API.","caption":"GraphQL"},"99":{"description":"The Query Language is not mapped. See the query_language attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"An ISO standard graph query language designed to provide a unified way to query graph databases.","caption":"GQL"},"5":{"description":"A graph query language that combines features from existing languages while adding support for paths as first-class citizens.","caption":"G-CORE"},"7":{"description":"A semantic query language for databases that enables querying and manipulating data stored in RDF format.","caption":"SPARQL"}},"description":"The normalized identifier of a graph query language that can be used to interact with the graph.","requirement":"recommended","caption":"Query Language ID","sibling":"query_language","type_name":"Integer"}},"name":"graph","description":"A graph data structure representation with nodes and edges.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"JSON graph specification.","url":"https://github.com/jsongraph/json-graph-specification/"}],"caption":"Graph"},"technique":{"attributes":{"name":{"type":"string_t","description":"The name of the attack technique. For example: Active Scanning or AI Model Inference API Access.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the attack technique. For example: T1595 or AML.T0040.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"src_url":{"type":"url_t","description":"The versioned permalink of the attack technique. For example: https://attack.mitre.org/versions/v14/techniques/T1595/.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"technique","description":"The MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"caption":"MITRE Technique"},"agent":{"attributes":{"name":{"type":"string_t","description":"The name of the agent or sensor. For example: AWS SSM Agent.","requirement":"recommended","caption":"Agent Name","type_name":"String"},"type":{"type":"string_t","description":"The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.","requirement":"optional","caption":"Agent Type","type_name":"String"},"version":{"type":"string_t","description":"The semantic version of the agent or sensor, e.g., 7.101.50.0.","requirement":"optional","caption":"Agent Version","type_name":"String"},"uid":{"type":"string_t","description":"The UID of the agent or sensor, sometimes known as a Sensor ID or aid.","requirement":"recommended","caption":"Agent ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent.","caption":"Backup & Recovery"},"6":{"description":"Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent.","caption":"Log Forwarding"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh.","caption":"Endpoint Detection and Response"},"2":{"description":"Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP.","caption":"Data Loss Prevention"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent.","caption":"Performance Monitoring & Observability"},"5":{"description":"Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent.","caption":"Vulnerability Management"},"7":{"description":"Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary.","caption":"Mobile Device Management"},"8":{"description":"Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server.","caption":"Configuration Management"},"9":{"description":"Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent.","caption":"Remote Access"}},"description":"The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"policies":{"type":"object_t","description":"Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.","is_array":true,"requirement":"optional","object_type":"policy","caption":"Agent Policies","object_name":"Policy"},"uid_alt":{"type":"string_t","description":"An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.","requirement":"optional","caption":"Alternate Agent ID","type_name":"String"},"vendor_name":{"type":"string_t","description":"The company or author who created the agent or sensor. For example: Crowdstrike.","requirement":"optional","caption":"Vendor Name","type_name":"String"}},"name":"agent","description":"An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.","extends":"object","constraints":{"at_least_one":["uid","name"]},"references":[{"description":"D3FEND™ Ontology d3f:Sensor.","url":"https://d3fend.mitre.org/dao/artifact/d3f:Sensor/"}],"caption":"Agent"},"digital_signature":{"attributes":{"state":{"type":"string_t","description":"The digital signature state defines the signature state, normalized to the caption of 'state_id'. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"State","type_name":"String"},"digest":{"type":"object_t","description":"The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.","requirement":"optional","object_type":"fingerprint","caption":"Message Digest","object_name":"Fingerprint"},"certificate":{"type":"object_t","description":"The certificate object containing information about the digital certificate.","requirement":"recommended","object_type":"certificate","caption":"Certificate","object_name":"Digital Certificate"},"algorithm":{"type":"string_t","description":"The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Algorithm","type_name":"String"},"algorithm_id":{"type":"integer_t","enum":{"3":{"description":"Elliptic Curve Digital Signature Algorithm.","caption":"ECDSA"},"0":{"description":"The algorithm is unknown.","caption":"Unknown"},"1":{"description":"Digital Signature Algorithm (DSA).","caption":"DSA"},"2":{"description":"Rivest-Shamir-Adleman (RSA) Algorithm.","caption":"RSA"},"99":{"description":"The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Microsoft Authenticode Digital Signature Algorithm.","caption":"Authenticode"}},"description":"The identifier of the normalized digital signature algorithm.","requirement":"required","caption":"Algorithm ID","sibling":"algorithm","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"The time when the digital signature was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"developer_uid":{"type":"string_t","description":"The developer ID on the certificate that signed the file.","requirement":"optional","caption":"Developer UID","type_name":"String"},"state_id":{"type":"integer_t","enum":{"3":{"description":"The digital signature is invalid due to certificate revocation.","caption":"Revoked"},"6":{"description":"The digital signature is invalid because the certificate is rooted in an untrusted CA or is an untrusted self-signed certificate.","caption":"Untrusted"},"0":{"description":"The state is unknown.","caption":"Unknown"},"1":{"description":"The digital signature is valid.","caption":"Valid"},"2":{"description":"The digital signature is invalid because its timestamp does not fall within the certificate's validity period.","caption":"Expired"},"99":{"description":"The state is not mapped. See the state attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The digital signature is invalid due to certificate suspension.","caption":"Suspended"},"5":{"description":"The digital signature state is pending.","caption":"Pending"},"7":{"description":"The digital signature is invalid because the certificate is explicitly distrusted. Note that whereas revocation is global, distrust reflects local IT/security policy.","caption":"Distrusted"},"8":{"description":"The digital signature is invalid because the certificate is not intended for code signing purposes.","caption":"WrongUsage"},"9":{"description":"The digital signature is cryptographically invalid, e.g. a mismatched digest. This indicates possible tampering.","caption":"Bad"},"10":{"description":"The digital signature is malformed and could not be processed.","caption":"Broken"}},"description":"The normalized identifier of the signature state.","requirement":"optional","caption":"State ID","sibling":"state","type_name":"Integer"},"created_time_dt":{"type":"datetime_t","description":"The time when the digital signature was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"}},"name":"digital_signature","description":"The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.","extends":"object","profiles":["datetime"],"caption":"Digital Signature"},"table":{"attributes":{"name":{"type":"string_t","description":"The table name, ordinarily as assigned by a database administrator.","requirement":"recommended","caption":"Name","type_name":"String"},"size":{"type":"long_t","description":"The size of the data table in bytes.","requirement":"optional","caption":"Size","type_name":"Long"},"desc":{"type":"string_t","description":"The description of the table.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the table.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"groups":{"type":"object_t","description":"The group names to which the table belongs.","is_array":true,"requirement":"optional","object_type":"group","caption":"Groups","object_name":"Group"},"created_time":{"type":"timestamp_t","description":"The time when the table was known to have been created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"modified_time":{"type":"timestamp_t","description":"The most recent time when any changes, updates, or modifications were made within the table.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"created_time_dt":{"type":"datetime_t","description":"The time when the table was known to have been created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The most recent time when any changes, updates, or modifications were made within the table.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"table","description":"The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["datetime"],"caption":"Table"},"device_hw_info":{"attributes":{"uuid":{"type":"uuid_t","description":"The device manufacturer assigned universally unique hardware identifier. For SMBIOS compatible devices such as those running Linux and Windows, it is the UUID member of the System Information structure in the SMBIOS information. For macOS devices, it is the Hardware UUID (also known as IOPlatformUUID in the I/O Registry).","references":[{"description":"SMBIOS Specification","url":"https://www.dmtf.org/standards/smbios"},{"description":"Linux DMI Table Decoder documentation","url":"https://linux.die.net/man/8/dmidecode"},{"description":"Windows Win32_ComputerSystemProduct documentation","url":"https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-computersystemproduct"},{"description":"Apple Wiki (Mac Hardware UUID)","url":"https://theapplewiki.com/wiki/UDID#Mac"},{"description":"macOS I/O Registry source code reference to IOPlatformUUID","url":"https://github.com/apple-oss-distributions/xnu/blob/8d741a5de7ff4191bf97d57b9f54c2f6d4a15585/iokit/IOKit/IOKitKeys.h#L264-L265"}],"requirement":"optional","caption":"UUID","type_name":"UUID"},"bios_date":{"type":"string_t","description":"The BIOS date. For example: 03/31/16.","requirement":"optional","caption":"BIOS Date","type_name":"String"},"bios_manufacturer":{"type":"string_t","description":"The BIOS manufacturer. For example: LENOVO.","requirement":"optional","caption":"BIOS Manufacturer","type_name":"String"},"bios_ver":{"type":"string_t","description":"The BIOS version. For example: LENOVO G5ETA2WW (2.62).","requirement":"optional","caption":"BIOS Version","type_name":"String"},"chassis":{"type":"string_t","description":"The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types","requirement":"optional","caption":"Chassis","type_name":"String"},"cpu_architecture":{"type":"string_t","description":"The CPU architecture, normalized to the caption of the cpu_architecture_id value. In the case of Other, it is defined by the source.","requirement":"optional","caption":"CPU Architecture","type_name":"String"},"cpu_architecture_id":{"type":"integer_t","enum":{"3":{"description":"CPU uses the RISC-V ISA. For bitness, refer to cpu_bits.","caption":"RISC-V"},"0":{"description":"The CPU architecture is unknown.","caption":"Unknown"},"1":{"description":"CPU uses the x86 ISA. For bitness, refer to cpu_bits.","caption":"x86"},"2":{"description":"CPU uses the ARM ISA. For bitness, refer to cpu_bits.","caption":"ARM"},"99":{"description":"The CPU architecture is not mapped. See the cpu_architecture attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the CPU architecture.","requirement":"optional","caption":"CPU Architecture ID","sibling":"cpu_architecture","type_name":"Integer"},"cpu_bits":{"type":"integer_t","description":"The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.","requirement":"optional","caption":"CPU Bits","type_name":"Integer"},"cpu_cores":{"type":"integer_t","description":"The number of processor cores in all installed processors. For Example: 42.","requirement":"optional","caption":"CPU Cores","type_name":"Integer"},"cpu_count":{"type":"integer_t","description":"The number of physical processors on a system. For example: 1.","requirement":"optional","caption":"CPU Count","type_name":"Integer"},"cpu_speed":{"type":"integer_t","description":"The speed of the processor in Mhz. For Example: 4200.","requirement":"optional","caption":"Processor Speed","type_name":"Integer"},"cpu_type":{"type":"string_t","description":"The processor type. For example: x86 Family 6 Model 37 Stepping 5.","requirement":"optional","caption":"Processor Type","type_name":"String"},"desktop_display":{"type":"object_t","description":"The desktop display affiliated with the event","requirement":"optional","object_type":"display","caption":"Desktop Display","object_name":"Display"},"gpu_count":{"type":"integer_t","description":"The number of GPU's on a system. For example: 1.","requirement":"optional","caption":"GPU Count","type_name":"Integer"},"gpu_info_list":{"type":"object_t","description":"A list of GPU objects describing the hardware properties of each graphics processor installed on the device.","is_array":true,"requirement":"optional","object_type":"gpu_info","caption":"GPU information","object_name":"GPU Information"},"keyboard_info":{"type":"object_t","description":"The keyboard detailed information.","requirement":"optional","object_type":"keyboard_info","caption":"Keyboard Information","object_name":"Keyboard Information"},"ram_size":{"type":"integer_t","description":"The total amount of installed RAM, in Megabytes. For example: 2048.","requirement":"optional","caption":"RAM Size","type_name":"Integer"},"serial_number":{"type":"string_t","description":"The device manufacturer serial number.","requirement":"optional","caption":"Serial Number","type_name":"String","observable":37},"vendor_name":{"type":"string_t","description":"The device manufacturer.","requirement":"optional","caption":"Vendor Name","type_name":"String"}},"name":"device_hw_info","description":"The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.","extends":"object","caption":"Device Hardware Info"},"scim":{"attributes":{"name":{"type":"string_t","description":"The name of the SCIM resource.","requirement":"recommended","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"SCIM protocol version supported e.g., SCIM 2.0.","requirement":"recommended","caption":"SCIM Version","type_name":"String"},"state":{"type":"string_t","description":"The provisioning state of the SCIM resource, normalized to the caption of the state_id value. In the case of Other, it is defined by the event source.","requirement":"optional","caption":"State","type_name":"String"},"uid":{"type":"string_t","description":"A unique identifier for a SCIM resource as defined by the service provider.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"protocol_name":{"type":"string_t","description":"The supported protocol for the SCIM resource. E.g., SAML, OIDC, or OAuth2.","requirement":"optional","caption":"Supported Protocol","type_name":"String"},"auth_protocol":{"type":"string_t","description":"The authorization protocol as defined by the caption of auth_protocol_id. In the case of Other, it is defined by the event source.","requirement":"optional","caption":"Auth Protocol","type_name":"String"},"auth_protocol_id":{"type":"integer_t","enum":{"3":{"caption":"Digest"},"6":{"caption":"OAUTH 2.0"},"0":{"description":"The authentication protocol is unknown.","caption":"Unknown"},"1":{"caption":"NTLM"},"2":{"caption":"Kerberos"},"99":{"description":"The authentication protocol is not mapped. See the auth_protocol attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"OpenID"},"5":{"caption":"SAML"},"7":{"caption":"PAP"},"8":{"caption":"CHAP"},"9":{"caption":"EAP"},"10":{"caption":"RADIUS"},"11":{"caption":"Basic Authentication"},"12":{"caption":"LDAP"}},"description":"The normalized identifier of the authorization protocol used by the SCIM resource.","requirement":"optional","caption":"Auth Protocol ID","sibling":"auth_protocol","type_name":"Integer"},"created_time":{"type":"timestamp_t","description":"When the SCIM resource was added to the service provider.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"error_message":{"type":"string_t","description":"Message or code associated with the last encountered error.","requirement":"optional","caption":"Last Error Message","type_name":"String"},"is_group_provisioning_enabled":{"type":"boolean_t","description":"Indicates whether the SCIM resource is configured to provision groups, automatically or otherwise.","requirement":"optional","caption":"SCIM Group Provisioning Enabled","type_name":"Boolean"},"is_user_provisioning_enabled":{"type":"boolean_t","description":"Indicates whether the SCIM resource is configured to provision users, automatically or otherwise.","requirement":"optional","caption":"SCIM User Provisioning Enabled","type_name":"Boolean"},"last_run_time":{"type":"timestamp_t","description":"Timestamp of the most recent successful synchronization.","requirement":"optional","caption":"Last Sync Time","type_name":"Timestamp"},"modified_time":{"type":"timestamp_t","description":"The most recent time when the SCIM resource was updated at the service provider.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"rate_limit":{"type":"integer_t","description":"Maximum number of requests allowed by the SCIM resource within a specified time frame to avoid throttling.","requirement":"optional","caption":"Rate Limit","type_name":"Integer"},"scim_group_schema":{"type":"json_t","description":"SCIM provides a schema for representing groups, identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:Group as defined in RFC-7634. This attribute will capture key-value pairs for the scheme implemented in a SCIM resource.","references":[{"description":"System for Cross-domain Identity Management (SCIM) RFC spec.","url":"https://datatracker.ietf.org/doc/html/rfc7643"}],"requirement":"recommended","caption":"SCIM Group Schema","type_name":"JSON"},"scim_user_schema":{"type":"json_t","description":"SCIM provides a resource type for user resources. The core schema for user is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User as defined in RFC-7634. his attribute will capture key-value pairs for the scheme implemented in a SCIM resource. This object is inclusive of both the basic and Enterprise User Schema Extension.","references":[{"description":"System for Cross-domain Identity Management (SCIM) RFC spec.","url":"https://datatracker.ietf.org/doc/html/rfc7643"}],"requirement":"recommended","caption":"SCIM User Schema","type_name":"JSON"},"state_id":{"type":"integer_t","enum":{"3":{"description":"The SCIM resource is in a Failed state.","caption":"Failed"},"0":{"description":"The provisioning state of the SCIM resource is unknown.","caption":"Unknown"},"1":{"description":"The SCIM resource is Pending activation or creation.","caption":"Pending"},"2":{"description":"The SCIM resource is in an Active state, or otherwise enabled.","caption":"Active"},"99":{"description":"The provisioning state of the SCIM resource is not mapped. See the state attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The SCIM resource is in a Deleted state, or otherwise disabled.","caption":"Deleted"}},"description":"The normalized state ID of the SCIM resource to reflect its activation status.","requirement":"optional","caption":"State ID","sibling":"state","type_name":"Integer"},"uid_alt":{"type":"string_t","description":"A String that is an identifier for the resource as defined by the provisioning client. The externalId may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider.","requirement":"optional","caption":"External ID","type_name":"String"},"url_string":{"type":"url_t","description":"The primary URL for SCIM API requests.","requirement":"optional","caption":"SCIM Endpoint URL","type_name":"URL String"},"vendor_name":{"type":"string_t","description":"Name of the vendor or service provider implementing SCIM. E.g., Okta, Auth0, Microsoft.","requirement":"optional","caption":"Service Provider","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"When the SCIM resource was added to the service provider.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"last_run_time_dt":{"type":"datetime_t","description":"Timestamp of the most recent successful synchronization.","requirement":"optional","profiles":["datetime"],"caption":"Last Sync Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The most recent time when the SCIM resource was updated at the service provider.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"scim","description":"The System for Cross-domain Identity Management (SCIM) Configuration object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634","extends":"object","profiles":["datetime"],"caption":"SCIM"},"endpoint":{"attributes":{"name":{"type":"string_t","description":"The short name of the endpoint.","requirement":"recommended","caption":"Name","type_name":"String"},"owner":{"type":"object_t","description":"The identity of the service or user account that owns the endpoint or was last logged into it.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"type":{"type":"string_t","description":"The endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.","requirement":"optional","caption":"Type","type_name":"String"},"os":{"type":"object_t","description":"The endpoint operating system.","requirement":"optional","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"domain":{"type":"string_t","description":"The name of the domain that the endpoint belongs to or that corresponds to the endpoint.","requirement":"optional","caption":"Domain","type_name":"String"},"ip":{"type":"ip_t","description":"The IP address of the endpoint, in either IPv4 or IPv6 format.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"pool":{"type":"object_t","description":"The pool of desktops or virtual machines to which the endpoint belongs.","requirement":"optional","object_type":"group","caption":"Pool","object_name":"Group"},"location":{"type":"object_t","description":"The geographical location of the endpoint.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"hostname":{"type":"hostname_t","description":"The fully qualified name of the endpoint.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"uid":{"type":"string_t","description":"The unique identifier of the endpoint.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"mac":{"type":"mac_t","description":"The Media Access Control (MAC) address of the endpoint.","requirement":"optional","caption":"MAC Address","type_name":"MAC Address"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A laptop computer.","caption":"Laptop"},"6":{"description":"A virtual machine.","caption":"Virtual"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A server.","caption":"Server"},"2":{"description":"A desktop computer.","caption":"Desktop"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A tablet computer.","caption":"Tablet"},"5":{"description":"A mobile phone.","caption":"Mobile"},"7":{"description":"An IOT (Internet of Things) device.","caption":"IOT"},"8":{"description":"A web browser.","caption":"Browser"},"9":{"description":"A networking firewall.","caption":"Firewall"},"10":{"description":"A networking switch.","caption":"Switch"},"11":{"description":"A networking hub.","caption":"Hub"},"12":{"description":"A networking router.","caption":"Router"},"14":{"description":"An intrusion prevention system.","caption":"IPS"},"15":{"description":"A Load Balancer device.","caption":"Load Balancer"},"13":{"description":"An intrusion detection system.","caption":"IDS"}},"description":"The endpoint type ID.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"requirement":"optional","object_type":"agent","caption":"Agent List","object_name":"Agent"},"container":{"type":"object_t","description":"The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","group":"context","requirement":"recommended","profiles":["container"],"object_type":"container","caption":"Container","object_name":"Container"},"hw_info":{"type":"object_t","description":"The endpoint hardware information.","requirement":"optional","object_type":"device_hw_info","caption":"Hardware Info","object_name":"Device Hardware Info"},"instance_uid":{"type":"string_t","description":"The unique identifier of a VM instance.","requirement":"recommended","caption":"Instance ID","type_name":"String"},"interface_name":{"type":"string_t","description":"The name of the network interface (e.g. eth2).","requirement":"recommended","caption":"Network Interface Name","type_name":"String"},"interface_uid":{"type":"string_t","description":"The unique identifier of the network interface.","requirement":"recommended","caption":"Network Interface ID","type_name":"String"},"mac_vendor":{"type":"string_t","description":"The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.","references":[{"description":"IEEE Registration Authority","url":"https://standards.ieee.org/products-programs/regauth/"}],"requirement":"optional","caption":"MAC Vendor","type_name":"String"},"namespace_pid":{"type":"integer_t","description":"If running under a process namespace (such as in a container), the process identifier within that process namespace.","group":"context","requirement":"recommended","profiles":["container"],"caption":"Namespace PID","type_name":"Integer"},"subnet_uid":{"type":"string_t","description":"The unique identifier of a virtual subnet.","requirement":"optional","caption":"Subnet UID","type_name":"String"},"vlan_uid":{"type":"string_t","description":"The Virtual LAN identifier.","requirement":"optional","caption":"VLAN","type_name":"String"},"vpc_uid":{"type":"string_t","description":"The unique identifier of the Virtual Private Cloud (VPC).","requirement":"optional","caption":"VPC UID","type_name":"String"},"zone":{"type":"string_t","description":"The network zone or LAN segment.","requirement":"optional","caption":"Network Zone","type_name":"String"}},"name":"endpoint","description":"The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.","extends":"_entity","constraints":{"at_least_one":["ip","uid","name","hostname","instance_uid","interface_uid","interface_name"]},"references":[{"description":"D3FEND™ Ontology d3f:Host.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/"}],"profiles":["container"],"caption":"Endpoint","observable":20},"web_resource":{"attributes":{"data":{"type":"json_t","description":"Details of the web resource, e.g, file details, search results or application-defined resource.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the web resource.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The web resource type as defined by the event source.","requirement":"optional","caption":"Type","type_name":"String"},"desc":{"type":"string_t","description":"Description of the web resource.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"resource_uid_t","description":"The unique identifier of the web resource.","requirement":"recommended","caption":"Unique ID","type_name":"Resource UID"},"labels":{"type":"string_t","description":"The list of labels associated to the resource.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the resource.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"created_time":{"type":"timestamp_t","description":"The time when the resource was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"modified_time":{"type":"timestamp_t","description":"The time when the resource was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"uid_alt":{"type":"resource_uid_t","description":"The alternative unique identifier of the resource.","requirement":"optional","caption":"Alternate ID","type_name":"Resource UID"},"url_string":{"type":"url_t","description":"The URL pointing towards the source of the web resource.","requirement":"recommended","caption":"URL String","type_name":"URL String"},"created_time_dt":{"type":"datetime_t","description":"The time when the resource was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The time when the resource was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"web_resource","description":"The Web Resource object describes characteristics of a web resource that was affected by the activity/event.","extends":"_resource","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:WebResource.","url":"https://d3fend.mitre.org/dao/artifact/d3f:WebResource/"}],"profiles":["data_classification","datetime"],"caption":"Web Resource"},"network_connection_info":{"attributes":{"session":{"type":"object_t","description":"The authenticated user or service session.","requirement":"optional","object_type":"session","caption":"Session","object_name":"Session"},"uid":{"type":"string_t","description":"The unique identifier of the connection.","requirement":"recommended","caption":"Connection UID","type_name":"String"},"boundary":{"type":"string_t","description":"The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
","requirement":"optional","caption":"Boundary","type_name":"String"},"protocol_name":{"type":"string_t","description":"The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example:tcp or udp.","references":[{"description":"IANA Protocol Numbers","url":"https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"}],"requirement":"recommended","caption":"Protocol Name","type_name":"String"},"direction":{"type":"string_t","description":"The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Direction","type_name":"String"},"boundary_id":{"type":"integer_t","enum":{"3":{"description":"External network traffic between two endpoints on the Internet or outside the network.","caption":"External"},"6":{"description":"Through a virtual private gateway","caption":"Virtual Private Gateway"},"0":{"description":"The connection boundary is unknown.","caption":"Unknown"},"1":{"description":"Local network traffic on the same endpoint.","caption":"Localhost"},"2":{"description":"Internal network traffic between two endpoints inside network.","caption":"Internal"},"99":{"description":"The boundary is not mapped. See the boundary attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Through another resource in the same VPC","caption":"Same VPC"},"5":{"description":"Through an Internet gateway or a gateway VPC endpoint","caption":"Internet/VPC Gateway"},"7":{"description":"Through an intra-region VPC peering connection","caption":"Intra-region VPC"},"8":{"description":"Through an inter-region VPC peering connection","caption":"Inter-region VPC"},"9":{"description":"Through a local gateway","caption":"Local Gateway"},"10":{"description":"Through a gateway VPC endpoint (Nitro-based instances only)","caption":"Gateway VPC"},"11":{"description":"Through an Internet gateway (Nitro-based instances only)","caption":"Internet Gateway"}},"description":"The normalized identifier of the boundary of the connection.
For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
","requirement":"recommended","caption":"Boundary ID","sibling":"boundary","type_name":"Integer"},"community_uid":{"type":"string_t","description":"The Community ID of the network connection.","source":"community_id","references":[{"description":"Community ID definition.","url":"https://github.com/corelight/community-id-spec"}],"requirement":"optional","caption":"Community ID","type_name":"String"},"direction_id":{"type":"integer_t","enum":{"3":{"description":"Lateral network connection. The connection originated from inside the network, destined for services on the inside network.","caption":"Lateral"},"0":{"description":"The connection direction is unknown.","caption":"Unknown"},"1":{"description":"Inbound network connection. The connection originated from the Internet or outside network, destined for services on the inside network.","caption":"Inbound"},"2":{"description":"Outbound network connection. The connection originated from inside the network, destined for services on the Internet or outside network.","caption":"Outbound"},"99":{"description":"The direction is not mapped. See thedirection attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Local network connection (localhost). The connection is intra-device, originating from and destined for services running on the same device.","caption":"Local"}},"description":"The normalized identifier of the direction of the initiated connection, traffic, or email.","requirement":"required","caption":"Direction ID","sibling":"direction","type_name":"Integer"},"flag_history":{"type":"string_t","description":"The Connection Flag History summarizes events in a network connection. For example flags ShAD representing SYN, SYN/ACK, ACK and Data exchange.","references":[{"description":"Zeek History","url":"https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html#detailed-interface:~:text=Records%20the%20state%20history%20of%20connections%20as%20a%20string%20of%20letters.%20The%20meaning%20of%20those%20letters%20is"}],"requirement":"optional","caption":"Connection Flag History","type_name":"String"},"protocol_num":{"type":"integer_t","description":"The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: 6 for TCP and 17 for UDP.","references":[{"description":"IANA Protocol Numbers","url":"https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"}],"requirement":"recommended","caption":"Protocol Number","type_name":"Integer"},"protocol_ver":{"type":"string_t","description":"The Internet Protocol version.","requirement":"optional","caption":"IP Version","type_name":"String"},"protocol_ver_id":{"type":"integer_t","enum":{"6":{"caption":"Internet Protocol version 6 (IPv6)"},"0":{"description":"The protocol version is unknown.","caption":"Unknown"},"99":{"description":"The protocol version is not mapped. See the protocol_ver attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Internet Protocol version 4 (IPv4)"}},"description":"The Internet Protocol version identifier.","requirement":"recommended","caption":"IP Version ID","sibling":"protocol_ver","type_name":"Integer"},"tcp_flags":{"type":"integer_t","description":"The network connection TCP header flags (i.e., control bits).","requirement":"optional","caption":"TCP Flags","type_name":"Integer"}},"name":"network_connection_info","description":"The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:NetworkSession","url":"https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/"}],"caption":"Network Connection Information"},"cwe":{"attributes":{"uid":{"type":"string_t","description":"The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123.","requirement":"required","caption":"CWE ID","type_name":"String","observable":17},"caption":{"type":"string_t","description":"The caption assigned to the Common Weakness Enumeration unique identifier.","requirement":"optional","caption":"Caption","type_name":"String"},"src_url":{"type":"url_t","description":"URL pointing to the CWE Specification. For more information see CWE.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"cwe","description":"The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.","extends":"object","caption":"CWE"},"whois":{"attributes":{"status":{"type":"string_t","description":"The status of a domain and its ability to be transferred, e.g., clientTransferProhibited.","requirement":"recommended","caption":"Domain Status","type_name":"String"},"domain":{"type":"string_t","description":"The domain name corresponding to the WHOIS record.","requirement":"recommended","caption":"Domain","type_name":"String"},"registrar":{"type":"string_t","description":"The domain registrar.","requirement":"recommended","caption":"Domain Registrar","type_name":"String"},"subdomains":{"type":"string_t","description":"An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).","is_array":true,"requirement":"optional","caption":"Subdomains","type_name":"String"},"subnet":{"type":"subnet_t","description":"The IP address block (CIDR) associated with a domain.","requirement":"optional","caption":"Subnet Block","type_name":"Subnet"},"autonomous_system":{"type":"object_t","description":"The autonomous system information associated with a domain.","requirement":"optional","object_type":"autonomous_system","caption":"Autonomous System","object_name":"Autonomous System"},"created_time":{"type":"timestamp_t","description":"When the domain was registered or WHOIS entry was created.","requirement":"recommended","caption":"Registered At","type_name":"Timestamp"},"dnssec_status":{"type":"string_t","description":"The normalized value of dnssec_status_id.","requirement":"optional","caption":"DNSSEC Status","type_name":"String"},"dnssec_status_id":{"type":"integer_t","enum":{"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"The related domain enables the signing of DNS records using DNSSEC.","caption":"Signed"},"2":{"description":"The related domain does not enable the signing of DNS records using DNSSEC.","caption":"Unsigned"},"99":{"description":"The DNSSEC status is not mapped. See the dnssec_status attribute, which contains a data source specific value.","caption":"Other"}},"description":"Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.","requirement":"recommended","caption":"DNSSEC Status ID","sibling":"dnssec_status","type_name":"Integer"},"domain_contacts":{"type":"object_t","description":"An array of Domain Contact objects.","is_array":true,"requirement":"recommended","object_type":"domain_contact","caption":"Domain Contacts","object_name":"Domain Contact"},"email_addr":{"type":"email_t","description":"The email address for the registrar's abuse contact","requirement":"optional","caption":"Registrar Abuse Email Address","type_name":"Email Address"},"isp":{"type":"string_t","description":"The name of the Internet Service Provider (ISP).","requirement":"optional","caption":"ISP Name","type_name":"String"},"isp_org":{"type":"string_t","description":"The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.","requirement":"optional","caption":"ISP Org","type_name":"String"},"last_seen_time":{"type":"timestamp_t","description":"When the WHOIS record was last updated or seen at.","requirement":"recommended","caption":"Last Updated At","type_name":"Timestamp"},"name_servers":{"type":"string_t","description":"A collection of name servers related to a domain registration or other record.","is_array":true,"requirement":"recommended","caption":"Name Servers","type_name":"String"},"phone_number":{"type":"string_t","description":"The phone number for the registrar's abuse contact","requirement":"optional","caption":"Registrar Abuse Phone Number","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"When the domain was registered or WHOIS entry was created.","requirement":"optional","profiles":["datetime"],"caption":"Registered At","type_name":"Datetime"},"last_seen_time_dt":{"type":"datetime_t","description":"When the WHOIS record was last updated or seen at.","requirement":"optional","profiles":["datetime"],"caption":"Last Updated At","type_name":"Datetime"}},"name":"whois","description":"The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.","extends":"object","profiles":["datetime"],"caption":"WHOIS"},"reputation":{"attributes":{"base_score":{"type":"float_t","description":"The reputation score as reported by the event source.","requirement":"required","caption":"Reputation Score","type_name":"Float"},"provider":{"type":"string_t","description":"The provider of the reputation information.","requirement":"recommended","caption":"Provider","type_name":"String"},"score":{"type":"string_t","description":"The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Reputation Score","type_name":"String"},"score_id":{"type":"integer_t","enum":{"3":{"description":"Reasonable history of good behavior.","caption":"Probably Safe"},"6":{"description":"Starting to establish a history of suspicious or risky behavior.","caption":"Exercise Caution"},"0":{"description":"The reputation score is unknown.","caption":"Unknown"},"1":{"description":"Long history of good behavior.","caption":"Very Safe"},"2":{"description":"Consistently good behavior.","caption":"Safe"},"99":{"description":"The reputation score is not mapped. See the rep_score attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Starting to establish a history of normal behavior.","caption":"Leans Safe"},"5":{"description":"No established history of normal behavior.","caption":"May not be Safe"},"7":{"description":"A site with a history of suspicious or risky behavior. (spam, scam, potentially unwanted software, potentially malicious).","caption":"Suspicious/Risky"},"8":{"description":"Strong possibility of maliciousness.","caption":"Possibly Malicious"},"9":{"description":"Indicators of maliciousness.","caption":"Probably Malicious"},"10":{"description":"Proven evidence of maliciousness.","caption":"Malicious"}},"description":"The normalized reputation score identifier.","requirement":"required","caption":"Reputation Score ID","sibling":"score","type_name":"Integer"}},"name":"reputation","description":"The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).","extends":"object","caption":"Reputation"},"network_interface":{"attributes":{"name":{"type":"string_t","description":"The name of the network interface.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of network interface.","requirement":"optional","caption":"Type","type_name":"String"},"ip":{"type":"ip_t","description":"The IP address associated with the network interface.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"hostname":{"type":"hostname_t","description":"The hostname associated with the network interface.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"uid":{"type":"string_t","description":"The unique identifier for the network interface.","requirement":"optional","caption":"Unique ID","type_name":"String"},"mac":{"type":"mac_t","description":"The MAC address of the network interface.","requirement":"recommended","caption":"MAC Address","type_name":"MAC Address"},"namespace":{"type":"string_t","description":"The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.","requirement":"optional","caption":"Namespace","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Mobile"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"Wired"},"2":{"caption":"Wireless"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Tunnel"}},"description":"The network interface type identifier.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"open_ports":{"type":"object_t","description":"The list of open ports on a network interface, including port numbers and associated protocol information.","is_array":true,"requirement":"optional","object_type":"port_info","caption":"Open Ports","object_name":"Port Information"},"subnet_prefix":{"type":"integer_t","description":"The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.","requirement":"optional","caption":"Subnet Prefix Length","type_name":"Integer"}},"name":"network_interface","description":"The Network Interface object describes the type and associated attributes of a physical or virtual network interface.","extends":"_entity","constraints":{"at_least_one":["ip","mac","name","hostname","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:NetworkInterfaceCard.","url":"https://d3fend.mitre.org/dao/artifact/d3f:NetworkInterfaceCard/"}],"caption":"Network Interface"},"observable":{"attributes":{"name":{"type":"string_t","description":"The full name of the observable attribute. The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name. Array attributes may be represented in one of three ways. For example: resources.uid, resources[].uid, resources[0].uid.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The observable value type name.","requirement":"optional","caption":"Type","type_name":"String"},"value":{"type":"string_t","description":"The value associated with the observable attribute. The meaning of the value depends on the observable type.name refers to a scalar attribute, then the value is the value of the attribute.name refers to an object attribute, then the value is not populated.","requirement":"optional","caption":"Value","type_name":"String"},"type_uid":{"type":"long_t","description":"The OCSF event type UID (type_uid) of the source event that this observable was extracted from. This field enables filtering and categorizing observables by their originating event type. For example: 300101 for Network Activity (class_uid 3001) with activity_id 1.","requirement":"optional","caption":"Type ID","sibling":"type_name","type_name":"Long"},"type_id":{"type":"integer_t","enum":{"30":{"description":"Observable by Object.c:\\windows\\system32\\svchost.exe.","caption":"File Path"},"40":{"description":"Observable by Object-Specific Attribute.Note about name. The type name file_hast_t and the caption "Hash" are used for legacy reasons. This type has been generalized from a file hash to a general fingerprint. The existing type name and caption were retained for backwards compatibility.","caption":"Hash"},"47":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the Device Object.","caption":"Device Object: uid"},"13":{"description":"Observable by Dictionary Attribute.
The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.","caption":"Command Line"},"33":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the Group Object.","caption":"Group Object: uid"},"10":{"description":"Observable by Dictionary Type.
Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.","caption":"Resource UID"},"1":{"description":"Observable by Dictionary Type.
Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example:r2-d2.example.com.,mx.example.com","caption":"Hostname"},"99":{"description":"The observable data type is not mapped. See the type attribute, which may contain data source specific value.","caption":"Other"},"20":{"description":"Observable by Object.
The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.","caption":"Endpoint"},"3":{"description":"Observable by Dictionary Type.
Media Access Control (MAC) address. For example:18:36:F3:98:4F:9A.","caption":"MAC Address"},"15":{"description":"Observable by Dictionary Attribute.
The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.","caption":"Process ID"},"34":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"name\" for the Account Object.","caption":"Account Object: name"},"42":{"description":"Observable by Dictionary Attribute.
The email header Message-ID value, as defined by RFC 5322.","caption":"Message UID"},"2":{"description":"Observable by Dictionary Type.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example:192.168.200.24,
2001:0db8:85a3:0000:0000:8a2e:0370:7334.","caption":"IP Address"},"25":{"description":"Observable by Object.
The Process object describes a running instance of a launched program.","caption":"Process"},"37":{"description":"Observable by Dictionary Attribute.
The serial number that pertains to the object. See specific usage.","caption":"Serial Number"},"16":{"description":"Observable by Dictionary Attribute.
The request header that identifies the operating system and web browser.","caption":"HTTP User-Agent"},"39":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the Process Entity Object.","caption":"Process Entity Object: uid"},"27":{"description":"Observable by Object.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","caption":"Container"},"7":{"description":"Observable by Dictionary Type.
File name. For example:text-file.txt.","caption":"File Name"},"23":{"description":"Observable by Object.
The Uniform Resource Locator (URL) object describes the characteristics of a URL.","caption":"Uniform Resource Locator"},"32":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"name\" for the Group Object.","caption":"Group Object: name"},"18":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the CVE Object.","caption":"CVE Object: uid"},"36":{"description":"Observable by Dictionary Attribute.
The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.","caption":"Script Content"},"48":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the Network Endpoint Object.","caption":"Network Endpoint Object: uid"},"17":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the CWE Object.","caption":"CWE Object: uid"},"26":{"description":"Observable by Object.
The Geo Location object describes a geographical location, usually associated with an IP address.","caption":"Geo Location"},"35":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the Account Object.","caption":"Account Object: uid"},"4":{"description":"Observable by Dictionary Type.
User name. For example:john_doe.","caption":"User Name"},"43":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"name\" for the Registry Value Object.","caption":"Registry Value Object: name"},"21":{"description":"Observable by Object.
The User object describes the characteristics of a user/person or a security principal.","caption":"User"},"41":{"description":"Observable by Object-Specific Attribute.
Object-specific attribute \"uid\" for the Email Object.","caption":"Email Object: uid"},"14":{"description":"Observable by Dictionary Attribute.
The ISO 3166-1 Alpha-2 country code.
Note: The two letter country code should be capitalized. For example: US or CA.
http://www.example.com/download/trouble.exe.","caption":"URL String"},"0":{"description":"Unknown observable data type.","caption":"Unknown"},"44":{"description":"Observable by Object-Specific Attribute.80,22.","caption":"Port"},"9":{"description":"Observable by Dictionary Type.Notepad.","caption":"Process Name"},"5":{"description":"Observable by Dictionary Type.john_doe@example.com.","caption":"Email Address"},"12":{"description":"Observable by Dictionary Type.192.168.1.0/24,2001:0db8:85a3:0000::/64","caption":"Subnet"},"31":{"description":"Observable by Object-Specific Attribute.metadata.uid) of the source OCSF event from which this observable was extracted. This field enables linking observables back to their originating event data when observables are stored in a separate location or system.","requirement":"optional","caption":"Event UID","type_name":"String"},"reputation":{"type":"object_t","description":"Contains the original and normalized reputation scores.","requirement":"optional","object_type":"reputation","caption":"Reputation Scores","object_name":"Reputation"}},"name":"observable","description":"The observable object is a pivot element that contains related information found in many places in the event.","extends":"object","references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using Observables.md"}],"caption":"Observable"},"ticket":{"attributes":{"status":{"type":"string_t","description":"The status of the ticket normalized to the caption of the status_id value. In the case of 99, this value should as defined by the source.","requirement":"optional","caption":"Ticket Status","type_name":"String"},"type":{"type":"string_t","description":"The linked ticket type determines whether the ticket is internal or in an external ticketing system.","requirement":"optional","caption":"Ticket Type","type_name":"String"},"title":{"type":"string_t","description":"The title of the ticket.","requirement":"optional","caption":"Title","type_name":"String"},"uid":{"type":"string_t","description":"Unique identifier of the ticket.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"type_id":{"type":"integer_t","enum":{"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"Internal"},"2":{"caption":"External"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier for the ticket type.","requirement":"optional","caption":"Ticket Type ID","sibling":"type","type_name":"Integer"},"src_url":{"type":"url_t","description":"The url of a ticket in the ticket system.","requirement":"recommended","caption":"Source URL","type_name":"URL String"},"status_details":{"type":"string_t","description":"A list of contextual descriptions of the status, status_id values.","is_array":true,"requirement":"optional","caption":"Status Details","type_name":"String"},"status_id":{"type":"integer_t","enum":{"3":{"description":"Relevant parties have been notified about the ticket.","caption":"Notified"},"6":{"description":"The ticket has been completed and closed.","caption":"Closed"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"The ticket is new and yet to be reviewed.","caption":"New"},"2":{"description":"The ticket is actively being worked on.","caption":"In Progress"},"99":{"description":"The status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Work on the ticket is temporarily suspended.","caption":"On Hold"},"5":{"description":"The ticket is resolved and a solution is implemented, pending confirmation or verification from the requestor.","caption":"Resolved"},"7":{"description":"The ticket has been canceled and will not be processed.","caption":"Canceled"},"8":{"description":"The ticket was previously closed, but has been reopened.","caption":"Reopened"}},"description":"The normalized identifier for the ticket status.","requirement":"optional","caption":"Ticket Status ID","sibling":"status","type_name":"Integer"}},"name":"ticket","description":"The Ticket object represents ticket in the customer's IT Service Management (ITSM) systems like ServiceNow, Jira, etc.","extends":"object","constraints":{"at_least_one":["src_url","uid"]},"caption":"Ticket"},"feature":{"attributes":{"name":{"type":"string_t","description":"The name of the feature.","requirement":"recommended","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The version of the feature.","requirement":"recommended","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the feature.","requirement":"recommended","caption":"Unique ID","type_name":"String"}},"name":"feature","description":"The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Feature"},"affected_code":{"attributes":{"owner":{"type":"object_t","description":"Details about the user that owns the affected file.","requirement":"optional","object_type":"user","caption":"Owner","object_name":"User"},"file":{"type":"object_t","description":"Details about the file that contains the affected code block.","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"end_line":{"type":"integer_t","description":"The line number of the last line of code block identified as vulnerable.","requirement":"recommended","caption":"End Line","type_name":"Integer"},"end_column":{"type":"integer_t","description":"The column number of the last part of the assessed code identified as vulnerable.","requirement":"recommended","caption":"End Column","type_name":"Integer"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"rule":{"type":"object_t","description":"Details about the specific rule, e.g., those defined as part of a larger policy, that triggered the finding.","requirement":"recommended","object_type":"rule","caption":"Related Rule","object_name":"Rule"},"start_column":{"type":"integer_t","description":"The column number of the first part of the assessed code identified as vulnerable.","requirement":"recommended","caption":"Start Column","type_name":"Integer"},"start_line":{"type":"integer_t","description":"The line number of the first line of code block identified as vulnerable.","requirement":"recommended","caption":"Start Line","type_name":"Integer"}},"name":"affected_code","description":"The Affected Code object describes details about a code block identified as vulnerable.","extends":"object","profiles":["data_classification"],"caption":"Affected Code"},"finding_info":{"attributes":{"title":{"type":"string_t","description":"A title or a brief phrase summarizing the reported finding.","requirement":"recommended","caption":"Title","type_name":"String"},"product":{"type":"object_t","description":"Details about the product that reported the finding.","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"desc":{"type":"string_t","description":"The description of the reported finding.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the reported finding.","requirement":"required","caption":"Unique ID","type_name":"String"},"types":{"type":"string_t","description":"One or more types of the reported finding.","is_array":true,"requirement":"optional","caption":"Types","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated with the finding.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"attacks":{"type":"object_t","description":"The MITRE ATT&CK® technique and associated tactics related to the finding.","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"analytic":{"type":"object_t","description":"The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.","requirement":"recommended","object_type":"analytic","caption":"Analytic","object_name":"Analytic"},"attack_graph":{"type":"object_t","description":"An Attack Graph describes possible routes an attacker could take through an environment. It describes relationships between resources and their findings, such as malware detections, vulnerabilities, misconfigurations, and other security actions.","group":"context","references":[{"description":"MS Defender description of Attack Path","url":"https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-attack-path"},{"description":"SentinelOne Attack Path documentation","url":"https://www.sentinelone.com/cybersecurity-101/cybersecurity/attack-path-analysis/"}],"requirement":"optional","object_type":"graph","caption":"Attack Graph","object_name":"Graph"},"created_time":{"type":"timestamp_t","description":"The time when the finding was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"data_sources":{"type":"string_t","description":"A list of data sources utilized in generation of the finding.","is_array":true,"requirement":"optional","caption":"Data Sources","type_name":"String"},"first_seen_time":{"type":"timestamp_t","description":"The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
uid attribute in the product object instead. See specific usage.","since":"1.4.0"}},"related_analytics":{"type":"object_t","description":"Other analytics related to this finding.","is_array":true,"requirement":"optional","object_type":"analytic","caption":"Related Analytics","object_name":"Analytic"},"related_events":{"type":"object_t","description":"Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.","is_array":true,"requirement":"optional","object_type":"related_event","caption":"Related Events/Findings","object_name":"Related Event/Finding"},"related_events_count":{"type":"integer_t","description":"Number of related events or findings.","requirement":"optional","caption":"Related Events/Findings Count","type_name":"Integer"},"src_url":{"type":"url_t","description":"The URL pointing to the source of the finding.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"traits":{"type":"object_t","description":"The list of key traits or characteristics extracted from the finding.","is_array":true,"requirement":"optional","object_type":"trait","caption":"Traits","object_name":"Trait"},"uid_alt":{"type":"string_t","description":"The alternative unique identifier of the reported finding.","requirement":"optional","caption":"Alternate ID","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time when the finding was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"first_seen_time_dt":{"type":"datetime_t","description":"The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
true) or undirected (false).","requirement":"optional","caption":"Directed","type_name":"Boolean"}},"name":"edge","description":"Represents a connection or relationship between two nodes in a graph.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"JSON graph specification.","url":"https://github.com/jsongraph/json-graph-specification/"}],"caption":"Edge"},"resource_details":{"attributes":{"data":{"type":"json_t","description":"Additional data describing the resource.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the resource.","requirement":"recommended","caption":"Name","type_name":"String","observable":38},"owner":{"type":"object_t","description":"The details of the entity that owns the resource. This object includes properties such as the owner's name, unique identifier, type, domain, and other relevant attributes that help identify the resource owner within the environment.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"type":{"type":"string_t","description":"The resource type as defined by the event source.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The version of the resource. For example 1.2.3.","requirement":"optional","caption":"Version","type_name":"String"},"ip":{"type":"ip_t","description":"The IP address of the resource, in either IPv4 or IPv6 format.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"group":{"type":"object_t","description":"The name of the related resource group.","requirement":"optional","object_type":"group","caption":"Group","object_name":"Group"},"hostname":{"type":"hostname_t","description":"The fully qualified name of the resource.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"uid":{"type":"resource_uid_t","description":"The unique identifier of the resource.","requirement":"recommended","caption":"Unique ID","type_name":"Resource UID"},"labels":{"type":"string_t","description":"The list of labels associated to the resource.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"namespace":{"type":"string_t","description":"The namespace is useful when similar entities exist that you need to keep separate.","requirement":"optional","caption":"Namespace","type_name":"String"},"role":{"type":"string_t","description":"The role of the resource in the context of the event or finding, normalized to the caption of the role_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Role","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the resource.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"requirement":"optional","object_type":"agent","caption":"Agent List","object_name":"Agent"},"cloud_partition":{"type":"string_t","description":"The logical grouping or isolated segment within a cloud provider's infrastructure where the resource is located. Examples include AWS partitions (aws, aws-cn, aws-us-gov), Azure cloud environments (AzureCloud, AzureUSGovernment, AzureChinaCloud), or similar logical divisions in other cloud providers.","requirement":"optional","profiles":["cloud"],"caption":"Cloud Partition","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the resource was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"criticality":{"type":"string_t","description":"The criticality of the resource as defined by the event source.","requirement":"optional","caption":"Criticality","type_name":"String"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"is_backed_up":{"type":"boolean_t","description":"Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the cloudBackupEnabled value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.","requirement":"optional","caption":"Back Ups Configured","type_name":"Boolean"},"modified_time":{"type":"timestamp_t","description":"The time when the resource was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"provider":{"type":"string_t","description":"The cloud service provider that hosts or manages the resource. This field is typically used when the resource is managed by a different provider than the one generating the event or finding. Examples include AWS, Azure, GCP (Google Cloud Platform), Oracle Cloud, IBM Cloud, Alibaba Cloud, or other public, private, or hybrid cloud providers.","requirement":"optional","profiles":["cloud"],"caption":"Cloud Provider","type_name":"String"},"region":{"type":"string_t","description":"The cloud region where the resource is hosted, as defined by the cloud provider. This represents the physical or logical geographic area containing the infrastructure supporting the resource. Examples include AWS regions (us-east-1, eu-west-1), Azure regions (East US, West Europe), GCP regions (us-central1, europe-west1), or Oracle Cloud regions (us-ashburn-1, uk-london-1).","requirement":"optional","profiles":["cloud"],"caption":"Region","type_name":"String"},"resource_relationship":{"type":"object_t","description":"A graph representation showing how this resource relates to and interacts with other entities in the environment. This can include parent/child relationships, dependencies, or other connections.","requirement":"optional","object_type":"graph","caption":"Resource Relationship","object_name":"Graph"},"role_id":{"type":"integer_t","enum":{"3":{"description":"The resource was impacted or affected by the event/finding.","caption":"Affected"},"0":{"description":"The role is unknown.","caption":"Unknown"},"1":{"description":"The resource is the primary target or subject of the event/finding.","caption":"Target"},"2":{"description":"The resource is acting as the initiator or performer in the context of the event/finding.","caption":"Actor"},"99":{"description":"The role is not mapped. See the role attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The resource is related to or associated with the event/finding.","caption":"Related"}},"description":"The normalized identifier of the resource's role in the context of the event or finding.","requirement":"recommended","caption":"Role ID","sibling":"role","type_name":"Integer"},"uid_alt":{"type":"resource_uid_t","description":"The alternative unique identifier of the resource.","requirement":"optional","caption":"Alternate ID","type_name":"Resource UID"},"zone":{"type":"string_t","description":"The availability zone within a cloud region where the resource is located. Examples include AWS availability zones (us-east-1a, us-east-1b), Azure availability zones (1, 2, 3 within a region), GCP zones (us-central1-a, us-central1-b), or Oracle Cloud availability domains (AD-1, AD-2, AD-3).","requirement":"optional","profiles":["cloud"],"caption":"Cloud Availability Zone","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time when the resource was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The time when the resource was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"resource_details","description":"The Resource Details object describes details about resources that were affected by the activity/event.","extends":"_resource","constraints":{"at_least_one":["name","uid"]},"profiles":["cloud","data_classification","datetime"],"caption":"Resource Details"},"gpu_info":{"attributes":{"bus_type":{"type":"string_t","description":"The attachment bus or interface standard, normalized to the caption of the bus_type_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Bus Type","type_name":"String"},"bus_type_id":{"type":"integer_t","enum":{"3":{"description":"Peripheral Component Interconnect Express slot with 8 lanes; common for high‑performance NICs, storage controllers, and accelerators.","caption":"PCIe x8"},"6":{"description":"M.2 (NGFF) internal module form factor/connector exposing PCIe (and/or SATA/USB) for SSDs and add‑in modules.","caption":"M.2"},"0":{"description":"The bus type is unknown or not reported.","caption":"Unknown"},"1":{"description":"The device is attached directly on the motherboard or SoC (often referred to as 'integrated' or 'onboard').","caption":"Onboard"},"2":{"description":"Peripheral Component Interconnect Express slot with 16 lanes, typically used for high‑bandwidth add‑in devices.","caption":"PCIe x16"},"99":{"description":"A bus or interface standard not covered by the defined values; the exact value is reported by the event source.","caption":"Other"},"4":{"description":"Mobile PCI Express Module (MXM) Type A form factor (compact laptop/embedded GPU module).","caption":"MXM Type A"},"5":{"description":"Mobile PCI Express Module (MXM) Type B form factor (larger laptop/embedded GPU module).","caption":"MXM Type B"},"7":{"description":"Compute Express Link (CXL), an open cache‑coherent interconnect for processors, memory expansion, and accelerators built on the PCIe physical layer.","caption":"CXL"}},"description":"The normalized identifier of the attachment bus or interface standard.","requirement":"optional","caption":"Bus Type ID","sibling":"bus_type","type_name":"Integer"},"cores":{"type":"integer_t","description":"The number of processing cores or compute units for the component.","requirement":"optional","caption":"Cores","type_name":"Integer"},"model":{"type":"string_t","description":"The model name of the GPU. For example: GeForce RTX A6000, Radeon PRO W7900, or Intel Data Center GPU Max 1550.","requirement":"recommended","caption":"Model","type_name":"String"},"vendor_name":{"type":"string_t","description":"The name of the vendor of the GPU. For example: NVIDIA, AMD, or Intel.","requirement":"recommended","caption":"Vendor Name","type_name":"String"},"vram_mode":{"type":"string_t","description":"The video memory attachment mode, indicating how the VRAM hardware is integrated with the system (e.g., shared or dedicated), normalized to the caption of the vram_mode_id value. For 'Other', the exact attachment mode is defined by the event source.","requirement":"recommended","caption":"VRAM Mode","type_name":"String"},"vram_mode_id":{"type":"integer_t","enum":{"0":{"description":"The VRAM mode is unknown or not reported.","caption":"Unknown"},"1":{"description":"Video memory is allocated from system memory.","caption":"Shared"},"2":{"description":"Video memory is physically separate from system memory.","caption":"Dedicated"},"99":{"description":"A VRAM mode not covered by the defined values; the exact value is reported by the event source.","caption":"Other"}},"description":"The normalized identifier of the video memory attachment mode.","requirement":"recommended","caption":"VRAM Mode ID","sibling":"vram_mode","type_name":"Integer"},"vram_size":{"type":"integer_t","description":"The total amount of installed video RAM.","requirement":"recommended","caption":"VRAM Size","type_name":"Integer"}},"name":"gpu_info","description":"The GPU information object contains attributes describing graphical processing hardware.","extends":"object","caption":"GPU Information"},"check":{"attributes":{"name":{"type":"string_t","description":"The name or title of the compliance check. For example, CIS: Ensure mounting of cramfs filesystems is disabled or DISA STIG: The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.","references":[{"description":"CIS Benchmark Rules","url":"https://www.cisecurity.org/cis-benchmarks"},{"description":"DISA STIG Requirements","url":"https://public.cyber.mil/stigs/downloads"}],"requirement":"recommended","caption":"Name","type_name":"String"},"status":{"type":"string_t","description":"The resultant status of the compliance check normalized to the caption of the status_id value. For example, CIS Benchmark: Pass when all requirements are met, Fail when requirements are not met, or DISA STIG: NotAFinding (maps to status_id 1/Pass), Open (maps to status_id 3/Fail).","references":[{"description":"CIS Benchmark Compliance Status","url":"https://www.cisecurity.org/cis-benchmarks"},{"description":"DISA STIG Status Types","url":"https://public.cyber.mil/stigs/srg-stig-tools/"}],"requirement":"recommended","caption":"Status","type_name":"String"},"version":{"type":"string_t","description":"The check version. For example, CIS Benchmark: 1.1.0 for Amazon Linux 2 or DISA STIG: V2R1 for Windows 10.","references":[{"description":"CIS Benchmark Versioning","url":"https://www.cisecurity.org/cis-benchmarks"},{"description":"DISA STIG Version Numbering","url":"https://public.cyber.mil/stigs/downloads"}],"requirement":"optional","caption":"Version","type_name":"String"},"desc":{"type":"string_t","description":"The detailed description of the compliance check, explaining the security requirement, vulnerability, or configuration being assessed. For example, CIS: The cramfs filesystem type is a compressed read-only Linux filesystem. Removing support for unneeded filesystem types reduces the local attack surface. or DISA STIG: Unauthorized access to the information system by foreign entities may result in loss or compromise of data.","references":[{"description":"CIS Benchmark Rationales","url":"https://www.cisecurity.org/cis-benchmarks"},{"description":"DISA STIG Vulnerability Discussions","url":"https://public.cyber.mil/stigs/downloads"}],"requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the compliance check within its standard or framework. For example, CIS Benchmark identifier 1.1.1.1, DISA STIG identifier V-230234, or NIST control identifier AC-17(2).","references":[{"description":"CIS Benchmark ID Format","url":"https://www.cisecurity.org/cis-benchmarks"},{"description":"DISA STIG ID Format","url":"https://public.cyber.mil/stigs/downloads"},{"description":"NIST SP 800-53 Control IDs","url":"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"}],"requirement":"recommended","caption":"Unique ID","type_name":"String"},"resource":{"type":"object_t","description":"Describes details about the resource that this check evaluated.","requirement":"optional","object_type":"resource_details","caption":"Resource","object_name":"Resource Details"},"severity":{"type":"string_t","description":"The severity level as defined in the source document. For example CIS Benchmarks, valid values are: Level 1 (security-forward, essential settings), Level 2 (security-focused environment, more restrictive), or Scored/Not Scored (whether compliance can be automatically checked). For DISA STIG, valid values are: CAT I (maps to severity_id 5/Critical), CAT II (maps to severity_id 4/High), or CAT III (maps to severity_id 3/Medium).","references":[{"description":"CIS Benchmarks Levels","url":"https://www.cisecurity.org/cis-benchmarks"},{"description":"DISA STIGs Category Guide","url":"https://public.cyber.mil/stigs"}],"requirement":"optional","caption":"Severity","type_name":"String"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Maps to CIS Benchmark Level 1 - Essential security settings recommended for all systems, or DISA STIG CAT III - Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Maps to CIS Benchmark Level 2 - More restrictive and security-focused settings for sensitive environments, or DISA STIG CAT II - Action is required immediately.","caption":"High"},"5":{"description":"Maps to DISA STIG CAT I - Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized severity identifier that maps severity levels to standard severity levels. For example CIS Benchmark: Level 2 maps to 4 (High), Level 1 maps to 3 (Medium). For DISA STIG: CAT I maps to 5 (Critical), CAT II maps to 4 (High), and CAT III maps to 3 (Medium).","requirement":"optional","caption":"Severity ID","sibling":"severity","type_name":"Integer"},"standards":{"type":"string_t","description":"The regulatory or industry standard this check is associated with. E.g., PCI DSS 3.2.1, HIPAA Security Rule, NIST SP 800-53 Rev. 5, or ISO/IEC 27001:2013.","is_array":true,"references":[{"description":"PCI DSS 3.2.1","url":"https://www.pcisecuritystandards.org/document_library"},{"description":"HIPAA Security Rule","url":"https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html"},{"description":"NIST SP 800-53 Rev. 5","url":"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"},{"description":"ISO/IEC 27001:2013","url":"https://www.iso.org/standard/54534.html"}],"requirement":"recommended","caption":"Compliance Standards: List","type_name":"String"},"status_id":{"type":"integer_t","enum":{"3":{"description":"The compliance check failed for at least one of the evaluated resources.","caption":"Fail"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"The compliance check passed for all the evaluated resources.","caption":"Pass"},"2":{"description":"The compliance check did not yield a result due to missing information.","caption":"Warning"},"99":{"description":"The event status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized status identifier of the compliance check.","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"}},"name":"check","description":"The check object defines a specific, testable compliance verification point that evaluates a target device against a standard, framework, or custom requirement. While checks are typically associated with formal standards (like CIS, NIST, or ISO), they can also represent custom or organizational requirements. When mapped to controls, checks can evaluate specific control_parameters to determine compliance status, but neither the control mapping nor control_parameters are required for a valid check.","extends":"object","profiles":["cloud","data_classification"],"caption":"Check"},"account":{"attributes":{"name":{"type":"string_t","description":"The name of the account (e.g. GCP Project name , Linux Account name or AWS Account name).","requirement":"recommended","caption":"Name","type_name":"String","observable":34},"type":{"type":"string_t","description":"The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Type","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the account (e.g. AWS Account ID , OCID , GCP Project ID , Azure Subscription ID , Google Workspace Customer ID , or M365 Tenant UID).","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":35},"labels":{"type":"string_t","description":"The list of labels associated to the account.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the account.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"AWS IAM User","@deprecated":{"message":"Utilize user.type_id to represent this information.","since":"1.6.0"}},"6":{"description":"Note: The new product name for Azure AD is Microsoft Entra ID.","caption":"Azure AD Account"},"0":{"description":"The account type is unknown.","caption":"Unknown"},"1":{"caption":"LDAP Account"},"2":{"caption":"Windows Account"},"99":{"description":"The account type is not mapped.","caption":"Other"},"4":{"caption":"AWS IAM Role","@deprecated":{"message":"Utilize user.type_id to represent this information.","since":"1.6.0"}},"5":{"caption":"GCP Account"},"7":{"caption":"Mac OS Account"},"8":{"caption":"Apple Account"},"9":{"caption":"Linux Account"},"10":{"caption":"AWS Account"},"11":{"caption":"GCP Project"},"12":{"caption":"OCI Compartment"},"14":{"caption":"Salesforce Account"},"15":{"caption":"Google Workspace"},"16":{"caption":"Servicenow Instance"},"17":{"caption":"M365 Tenant"},"18":{"caption":"Email Account"},"13":{"caption":"Azure Subscription"},"19":{"caption":"ActiveDirectory Account"}},"description":"The normalized account type identifier.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"is_disabled":{"type":"boolean_t","description":"Indicates if the account is disabled.","requirement":"optional","caption":"Disabled","type_name":"Boolean"},"is_locked":{"type":"boolean_t","description":"Indicates if the account is locked. For example, due to the amount of failed logins.","requirement":"optional","caption":"Locked","type_name":"Boolean"},"is_on_premises_sync_enabled":{"type":"boolean_t","description":"Indicates whether synchronization with an on-premises directory service is enabled. For example, Microsoft Entra Connect.","requirement":"optional","caption":"On-Premises Sync Enabled","type_name":"Boolean"}},"name":"account","description":"The Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and otherwise.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"D3FEND™ Ontology d3f:UserAccount.","url":"https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/"},{"description":"D3FEND™ Ontology d3f:CloudUserAccount.","url":"https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/"}],"caption":"Account"},"email_auth":{"attributes":{"spf":{"type":"string_t","description":"The Sender Policy Framework (SPF) status of the email.","requirement":"recommended","caption":"SPF Status","type_name":"String"},"dkim":{"type":"string_t","description":"The DomainKeys Identified Mail (DKIM) status of the email.","requirement":"recommended","caption":"DKIM Status","type_name":"String"},"dkim_domain":{"type":"string_t","description":"The DomainKeys Identified Mail (DKIM) signing domain of the email.","requirement":"recommended","caption":"DKIM Domain","type_name":"String"},"dkim_signature":{"type":"string_t","description":"The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.","requirement":"recommended","caption":"DKIM Signature","type_name":"String"},"dmarc":{"type":"string_t","description":"The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.","requirement":"recommended","caption":"DMARC Status","type_name":"String"},"dmarc_override":{"type":"string_t","description":"The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.","requirement":"recommended","caption":"DMARC Override","type_name":"String"},"dmarc_policy":{"type":"string_t","description":"The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.","requirement":"recommended","caption":"DMARC Policy","type_name":"String"}},"name":"email_auth","description":"The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.","extends":"object","caption":"Email Authentication"},"api":{"attributes":{"version":{"type":"string_t","description":"The version of the API service.","requirement":"optional","caption":"Version","type_name":"String"},"request":{"type":"object_t","description":"Details pertaining to the API request.","requirement":"recommended","object_type":"request","caption":"API Request Details","object_name":"Request Elements"},"service":{"type":"object_t","description":"The information pertaining to the API service.","requirement":"optional","object_type":"service","caption":"Service","object_name":"Service"},"group":{"type":"object_t","description":"The information pertaining to the API group.","requirement":"optional","object_type":"group","caption":"Group","object_name":"Group"},"response":{"type":"object_t","description":"Details pertaining to the API response.","requirement":"recommended","object_type":"response","caption":"API Response Details","object_name":"Response Elements"},"operation":{"type":"string_t","description":"Verb/Operation associated with the request","requirement":"required","caption":"Operation","type_name":"String"},"token":{"type":"object_t","description":"The API or client token used to authenticate or authorize the API request. This attribute contains the base token object that represents: (1) IdP-issued client tokens (type_id: 6) such as Okta API tokens or Microsoft Entra ID Application Registration client secrets, or (2) generic API tokens/keys (type_id: 7) used for SaaS application authentication. Use this attribute when the API request was authenticated using a token that should be tracked as part of the API activity event. Note: Protocol-specific authentication tokens (Kerberos, OIDC, SAML) should be represented using authentication_token in authentication events, not in API activity events.","requirement":"optional","object_type":"token","caption":"Token","object_name":"Token"}},"name":"api","description":"The API, or Application Programming Interface, object represents information pertaining to an API request and response.","extends":"object","caption":"API"},"epss":{"attributes":{"version":{"type":"string_t","description":"The version of the EPSS model used to calculate the score.","requirement":"recommended","caption":"Version","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The timestamp indicating when the EPSS score was calculated.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"percentile":{"type":"float_t","description":"The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.","requirement":"optional","caption":"EPSS Percentile","type_name":"Float"},"score":{"type":"string_t","description":"The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication).","requirement":"required","caption":"EPPS Score","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The timestamp indicating when the EPSS score was calculated.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"}},"name":"epss","description":"The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (EPSS).","extends":"object","profiles":["datetime"],"caption":"EPSS"},"policy":{"attributes":{"data":{"type":"json_t","description":"Additional data about the policy such as the underlying JSON policy itself or other details.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The policy name. For example: AdministratorAccess Policy.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The policy type. For example: Identity Policy, Resource Policy, Service Control Policy, etc..","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The policy version number.","requirement":"recommended","caption":"Version","type_name":"String"},"group":{"type":"object_t","description":"The policy group.","requirement":"optional","object_type":"group","caption":"Group","object_name":"Group"},"desc":{"type":"string_t","description":"The description of the policy.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"A unique identifier of the policy instance.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"is_applied":{"type":"boolean_t","description":"A determination if the content of a policy was applied to a target or request, or not.","requirement":"recommended","caption":"Applied","type_name":"Boolean"}},"name":"policy","description":"The Policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
","extends":"_entity","constraints":{"at_least_one":["name","type","uid"]},"caption":"Policy"},"organization":{"attributes":{"name":{"type":"string_t","description":"The name of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, Widget, Inc. or the AWS Organization name .","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, an AWS Org ID or Oracle Cloud Domain ID .","requirement":"recommended","caption":"Unique ID","type_name":"String"},"ou_name":{"type":"string_t","description":"The name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the GCP Project Name , or Dev_Prod_OU .","requirement":"recommended","caption":"Org Unit Name","type_name":"String"},"ou_uid":{"type":"string_t","description":"The unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an Oracle Cloud Tenancy ID , AWS OU ID , or GCP Folder ID .","requirement":"optional","caption":"Org Unit ID","type_name":"String"}},"name":"organization","description":"The Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Organization"},"application":{"attributes":{"data":{"type":"json_t","description":"Additional data describing the application.","requirement":"optional","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the application.","requirement":"recommended","caption":"Application Name","type_name":"String"},"owner":{"type":"object_t","description":"The identity of the service or user account that owns the application.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"type":{"type":"string_t","description":"The type of application as defined by the event source, e.g., GitHub, Azure Logic App, or Amazon Elastic BeanStalk.","requirement":"optional","caption":"Application Type","type_name":"String"},"version":{"type":"string_t","description":"The semantic version of the application, e.g., 1.7.4.","requirement":"optional","caption":"Application Version","type_name":"String"},"group":{"type":"object_t","description":"The name of the related application or associated resource group.","requirement":"optional","object_type":"group","caption":"Group","object_name":"Group"},"desc":{"type":"string_t","description":"A description or commentary for an application, usually retrieved from an upstream system.","requirement":"optional","caption":"Application Description","type_name":"String"},"hostname":{"type":"hostname_t","description":"The fully qualified name of the application.","requirement":"optional","caption":"Hostname","type_name":"Hostname"},"uid":{"type":"string_t","description":"The unique identifier for the application.","requirement":"recommended","caption":"Application ID","type_name":"String"},"labels":{"type":"string_t","description":"The list of labels associated to the application.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"url":{"type":"object_t","description":"The URL of the application.","requirement":"optional","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the application.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"criticality":{"type":"string_t","description":"The criticality of the application as defined by the event source.","requirement":"optional","caption":"Business Criticality","type_name":"String"},"region":{"type":"string_t","description":"The cloud region of the resource.","requirement":"optional","profiles":["cloud"],"caption":"Region","type_name":"String"},"resource_relationship":{"type":"object_t","description":"A graph representation showing how this application relates to and interacts with other entities in the environment. This can include parent/child relationships, dependencies, or other connections.","requirement":"optional","object_type":"graph","caption":"Application Relationship","object_name":"Graph"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","requirement":"optional","caption":"Risk Level","type_name":"String"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","requirement":"optional","caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","requirement":"optional","caption":"Risk Score","type_name":"Integer"},"sbom":{"type":"object_t","description":"The Software Bill of Materials (SBOM) associated with the application","requirement":"optional","object_type":"sbom","caption":"Related SBOM","object_name":"Software Bill of Materials"},"uid_alt":{"type":"string_t","description":"An alternative or contextual identifier for the application, such as a configuration, organization, or license UID.","requirement":"optional","caption":"Application Alternative ID","type_name":"String"}},"name":"application","description":"An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.","extends":"object","constraints":{"at_least_one":["uid","name"]},"references":[{"description":"D3FEND™ Ontology d3f:Application.","url":"https://d3fend.mitre.org/dao/artifact/d3f:Application/"}],"profiles":["data_classification"],"caption":"Application"},"http_request":{"attributes":{"args":{"type":"string_t","description":"The arguments sent along with the HTTP request.","requirement":"optional","caption":"HTTP Arguments","type_name":"String"},"version":{"type":"string_t","description":"The Hypertext Transfer Protocol (HTTP) version.","requirement":"recommended","caption":"HTTP Version","type_name":"String"},"length":{"type":"integer_t","description":"The length of the entire HTTP request, in number of bytes.","requirement":"optional","caption":"Request Length","type_name":"Integer"},"uid":{"type":"string_t","description":"The unique identifier of the http request.","requirement":"optional","caption":"Unique ID","type_name":"String"},"url":{"type":"object_t","description":"The URL object that pertains to the request.","requirement":"recommended","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"x_forwarded_for":{"type":"ip_t","description":"The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.","is_array":true,"requirement":"optional","caption":"X-Forwarded-For","type_name":"IP Address"},"body_length":{"type":"integer_t","description":"The actual length of the HTTP request body, in number of bytes, independent of a potentially existing Content-Length header.","requirement":"optional","caption":"Request Body Length","type_name":"Integer"},"user_agent":{"type":"string_t","description":"The request header that identifies the operating system and web browser.","requirement":"recommended","caption":"HTTP User-Agent","type_name":"String","observable":16},"http_headers":{"type":"object_t","description":"Additional HTTP headers of an HTTP request or response.","is_array":true,"requirement":"recommended","object_type":"http_header","caption":"HTTP Headers","object_name":"HTTP Header"},"http_method":{"type":"string_t","enum":{"OPTIONS":{"description":"The OPTIONS method describes the communication options for the target resource.","caption":"Options"},"GET":{"description":"The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.","caption":"Get"},"HEAD":{"description":"The HEAD method asks for a response identical to a GET request, but without the response body.","caption":"Head"},"POST":{"description":"The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.","caption":"Post"},"PUT":{"description":"The PUT method replaces all current representations of the target resource with the request payload.","caption":"Put"},"DELETE":{"description":"The DELETE method deletes the specified resource.","caption":"Delete"},"TRACE":{"description":"The TRACE method performs a message loop-back test along the path to the target resource.","caption":"Trace"},"CONNECT":{"description":"The CONNECT method establishes a tunnel to the server identified by the target resource.","caption":"Connect"},"PATCH":{"description":"The PATCH method applies partial modifications to a resource.","caption":"Patch"}},"description":"The HTTP request method indicates the desired action to be performed for a given resource.","requirement":"recommended","caption":"HTTP Method","type_name":"String"},"referrer":{"type":"string_t","description":"The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.","requirement":"optional","caption":"HTTP Referrer","type_name":"String"}},"name":"http_request","description":"The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:OutboundInternetNetworkTraffic.","url":"https://d3fend.mitre.org/dao/artifact/d3f:OutboundInternetNetworkTraffic/"}],"caption":"HTTP Request"},"function_invocation":{"attributes":{"error":{"type":"string_t","description":"The error indication returned from the function. This may differ from the return value (e.g. when errno is used).","requirement":"optional","caption":"Error Code","type_name":"String"},"parameters":{"type":"object_t","description":"The parameters passed into a function invocation.","is_array":true,"requirement":"optional","object_type":"parameter","caption":"Parameters","object_name":"Parameter"},"return_value":{"type":"string_t","description":"The value returned from a function.","requirement":"optional","caption":"Return Value","type_name":"String"}},"name":"function_invocation","description":"The Function Invocation object provides details regarding the invocation of a function.","extends":"object","constraints":{"at_least_one":["parameters","return_value","error"]},"caption":"Function Invocation"},"process":{"attributes":{"name":{"type":"process_name_t","description":"The friendly name of the process, for example: Notepad++.","requirement":"recommended","caption":"Name","type_name":"Process Name"},"pid":{"type":"integer_t","description":"The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.","requirement":"recommended","caption":"Process ID","type_name":"Integer","observable":15},"session":{"type":"object_t","description":"The user session under which this process is running.","requirement":"optional","object_type":"session","caption":"Session","object_name":"Session"},"file":{"type":"object_t","description":"The process file object.","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"user":{"type":"object_t","description":"The user under which this process is running.","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"path":{"type":"string_t","description":"The process file path.","requirement":"optional","caption":"Path","type_name":"String"},"group":{"type":"object_t","description":"The group under which this process is running.","requirement":"recommended","profiles":["linux/linux_users"],"object_type":"group","caption":"Group","object_name":"Group"},"tid":{"type":"integer_t","description":"The identifier of the thread associated with the event, as returned by the operating system.","requirement":"optional","caption":"Thread ID","type_name":"Integer","@deprecated":{"message":"tid is deprecated in favor of ptid. ptid has type long_t which can accommodate the thread identifiers returned by all platforms (e.g. 64-bit on MacOS).","since":"1.6.0"}},"uid":{"type":"string_t","description":"A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":39},"loaded_modules":{"type":"string_t","description":"The list of loaded module names.","is_array":true,"requirement":"optional","caption":"Loaded Modules","type_name":"String"},"ancestry":{"type":"object_t","description":"An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.","is_array":true,"references":[{"description":"Guidance on Representing Process Parentage","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md"}],"requirement":"optional","object_type":"process_entity","caption":"Ancestry","object_name":"Process Entity"},"auid":{"type":"integer_t","description":"The audit user assigned at login by the audit subsystem.","requirement":"optional","profiles":["linux/linux_users"],"caption":"Audit User ID","type_name":"Integer"},"cmd_line":{"type":"string_t","description":"The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.","requirement":"recommended","caption":"Command Line","type_name":"String","observable":13},"container":{"type":"object_t","description":"The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","group":"context","requirement":"recommended","profiles":["container"],"object_type":"container","caption":"Container","object_name":"Container"},"cpid":{"type":"uuid_t","description":"A unique process identifier that can be assigned deterministically by multiple system data producers.","source":"cpid","references":[{"description":"OCSF Common Process Identifier (CPID) Specification","url":"https://github.com/ocsf/common-process-id"}],"requirement":"recommended","caption":"Common Process Identifier","type_name":"UUID"},"created_time":{"type":"timestamp_t","description":"The time when the process was created/started.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"egid":{"type":"integer_t","description":"The effective group under which this process is running.","requirement":"optional","profiles":["linux/linux_users","macos/macos_users"],"caption":"Effective Group ID","type_name":"Integer"},"environment_variables":{"type":"object_t","description":"Environment variables associated with the process.","is_array":true,"requirement":"optional","object_type":"environment_variable","caption":"Environment Variables","object_name":"Environment Variable"},"euid":{"type":"integer_t","description":"The effective user under which this process is running.","requirement":"optional","profiles":["linux/linux_users","macos/macos_users"],"caption":"Effective User ID","type_name":"Integer"},"integrity":{"type":"string_t","description":"The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).","requirement":"optional","caption":"Integrity","type_name":"String"},"integrity_id":{"type":"integer_t","enum":{"3":{"caption":"Medium"},"6":{"caption":"Protected"},"0":{"description":"The integrity level is unknown.","caption":"Unknown"},"1":{"caption":"Untrusted"},"2":{"caption":"Low"},"99":{"description":"The integrity level is not mapped. See the integrity attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"High"},"5":{"caption":"System"}},"description":"The normalized identifier of the process integrity level (Windows only).","requirement":"optional","caption":"Integrity Level","sibling":"integrity","type_name":"Integer"},"lineage":{"type":"file_path_t","description":"The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].","is_array":true,"requirement":"optional","caption":"Lineage","type_name":"File Path","@deprecated":{"message":"Use the ancestry attribute.","since":"1.4.0"}},"namespace_pid":{"type":"integer_t","description":"If running under a process namespace (such as in a container), the process identifier within that process namespace.","group":"context","requirement":"recommended","profiles":["container"],"caption":"Namespace PID","type_name":"Integer"},"parent_process":{"type":"object_t","description":"The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.","references":[{"description":"Guidance on Representing Process Parentage","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md"}],"requirement":"recommended","object_type":"process","caption":"Parent Process","object_name":"Process"},"ptid":{"type":"long_t","description":"The identifier of the process thread associated with the event, as returned by the operating system.","requirement":"optional","caption":"Process Thread ID","type_name":"Long"},"sandbox":{"type":"string_t","description":"The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.","requirement":"optional","caption":"Sandbox","type_name":"String"},"terminated_time":{"type":"timestamp_t","description":"The time when the process was terminated.","requirement":"optional","caption":"Terminated Time","type_name":"Timestamp"},"working_directory":{"type":"string_t","description":"The working directory of a process.","requirement":"optional","caption":"Working Directory","type_name":"String"},"xattributes":{"type":"object_t","description":"An unordered collection of zero or more name/value pairs that represent a process extended attribute.","requirement":"optional","object_type":"object","caption":"Extended Attributes","object_name":"Object"},"created_time_dt":{"type":"datetime_t","description":"The time when the process was created/started.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"terminated_time_dt":{"type":"datetime_t","description":"The time when the process was terminated.","requirement":"optional","profiles":["datetime"],"caption":"Terminated Time","type_name":"Datetime"},"hosted_services":{"type":"object_t","description":"The Windows services that this process is hosting.","extension":"win","is_array":true,"requirement":"optional","extension_id":2,"object_type":"win/win_service","caption":"Hosted Services","object_name":"Windows Service"}},"name":"process","description":"The Process object describes a running instance of a launched program.","extends":"process_entity","constraints":{"at_least_one":["pid","uid","cpid"]},"references":[{"description":"D3FEND™ Ontology d3f:Process","url":"https://d3fend.mitre.org/dao/artifact/d3f:Process/"}],"profiles":["container","data_classification","datetime","linux/linux_users","macos/macos_users"],"caption":"Process","observable":25},"request":{"attributes":{"data":{"type":"json_t","description":"The additional data that is associated with the api request.","requirement":"optional","caption":"Data","type_name":"JSON"},"flags":{"type":"string_t","description":"The communication flags that are associated with the api request.","is_array":true,"requirement":"optional","caption":"Flags","type_name":"String"},"uid":{"type":"string_t","description":"The unique request identifier.","requirement":"required","caption":"Unique ID","type_name":"String"},"containers":{"type":"object_t","description":"When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.","is_array":true,"requirement":"optional","object_type":"container","caption":"Containers","object_name":"Container"}},"name":"request","description":"The Request Elements object describes characteristics of an API request.","extends":"object","caption":"Request Elements"},"rpc_interface":{"attributes":{"version":{"type":"string_t","description":"The version of the DCE/RPC protocol being used in the session.","requirement":"required","caption":"Version","type_name":"String"},"uuid":{"type":"uuid_t","description":"The unique identifier of the particular remote procedure or service.","requirement":"required","caption":"UUID","type_name":"UUID"},"ack_reason":{"type":"integer_t","description":"An integer that provides a reason code or additional information about the acknowledgment result.","requirement":"recommended","caption":"Acknowledgement Reason","type_name":"Integer"},"ack_result":{"type":"integer_t","description":"An integer that denotes the acknowledgment result of the DCE/RPC call.","requirement":"recommended","caption":"Acknowledgement Result","type_name":"Integer"}},"name":"rpc_interface","description":"The RPC Interface represents the remote procedure call interface used in the DCE/RPC session.","extends":"object","caption":"RPC Interface"},"auth_factor":{"attributes":{"device":{"type":"object_t","description":"Device used to complete an authentication request.","group":"primary","requirement":"recommended","object_type":"device","caption":"Device","object_name":"Device"},"email_addr":{"type":"email_t","description":"The email address used in an email-based authentication factor.","group":"context","requirement":"optional","caption":"Email Address","type_name":"Email Address"},"factor_type":{"type":"string_t","description":"The type of authentication factor used in an authentication attempt.","group":"primary","requirement":"recommended","caption":"Factor Type","type_name":"String"},"factor_type_id":{"type":"integer_t","enum":{"3":{"description":"System calls the user's registered phone number and requires the user to answer and provide a response.","caption":"Phone Call"},"6":{"description":"Physical device that generates a code to be used for authentication.","caption":"Hardware Token"},"0":{"caption":"Unknown"},"1":{"description":"User receives and inputs a code sent to their mobile device via SMS text message.","caption":"SMS"},"2":{"description":"The user responds to a security question as part of a question-based authentication factor","caption":"Security Question"},"99":{"caption":"Other"},"4":{"description":"Devices that verify identity-based on user's physical identifiers, such as fingerprint scanners or retina scanners.","caption":"Biometric"},"5":{"description":"Push notification is sent to user's registered device and requires the user to acknowledge.","caption":"Push Notification"},"7":{"description":"Application generates a one-time password (OTP) for use in authentication.","caption":"OTP"},"8":{"description":"A code or link is sent to a user's registered email address.","caption":"Email"},"9":{"description":"Typically involves a hardware token, which the user physically interacts with to authenticate.","caption":"U2F"},"10":{"description":"Web-based API that enables users to register devices as authentication factors.","caption":"WebAuthn"},"11":{"description":"The user enters a password that they have previously established.","caption":"Password"}},"description":"The normalized identifier for the authentication factor.","group":"primary","requirement":"required","caption":"Factor Type ID","sibling":"factor_type","type_name":"Integer"},"is_hotp":{"type":"boolean_t","description":"Whether the authentication factor is an HMAC-based One-time Password (HOTP).","group":"context","requirement":"recommended","caption":"HMAC-based One-time Password (HOTP)","type_name":"Boolean"},"is_totp":{"type":"boolean_t","description":"Whether the authentication factor is a Time-based One-time Password (TOTP).","group":"context","requirement":"recommended","caption":"Time-based One-time Password (TOTP)","type_name":"Boolean"},"phone_number":{"type":"string_t","description":"The phone number used for a telephony-based authentication request.","group":"context","requirement":"optional","caption":"Phone Number","type_name":"String"},"provider":{"type":"string_t","description":"The name of provider for an authentication factor.","group":"context","requirement":"recommended","caption":"Provider","type_name":"String"},"security_questions":{"type":"string_t","description":"The question(s) provided to user for a question-based authentication factor.","group":"context","is_array":true,"requirement":"optional","caption":"Security Questions","type_name":"String"}},"name":"auth_factor","description":"An Authentication Factor object describes a category of methods used for identity verification in an authentication attempt.","extends":"object","profiles":["container"],"caption":"Authentication Factor"},"san":{"attributes":{"name":{"type":"string_t","description":"Name of SAN (e.g. The actual IP Address or domain.)","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"Type descriptor of SAN (e.g. IP Address/domain/etc.)","requirement":"required","caption":"Type","type_name":"String"}},"name":"san","description":"The Subject Alternative name (SAN) object describes a SAN secured by a digital certificate","extends":"object","caption":"Subject Alternative Name"},"unmanned_system_operating_area":{"attributes":{"count":{"type":"integer_t","description":"Indicates the number of UAS in the operating area.","requirement":"recommended","caption":"Count","type_name":"Integer"},"type":{"type":"string_t","description":"The type of operating area. For example, Takeoff Location, Fixed Location, Dynamic Location.","requirement":"optional","caption":"Type","type_name":"String"},"desc":{"type":"string_t","description":"The description of the geographical location.","requirement":"optional","caption":"Description","type_name":"String"},"long":{"type":"float_t","description":"The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083.","requirement":"optional","caption":"Longitude","type_name":"Float"},"start_time":{"type":"timestamp_t","description":"The date and time at which a group or an Intent-Based Network Participant operation starts. (This field is only applicable to Network Remote ID.)","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"city":{"type":"string_t","description":"The name of the city.","requirement":"recommended","caption":"City","type_name":"String"},"country":{"type":"string_t","description":"The ISO 3166-1 Alpha-2 country code.Note: The two letter country code should be capitalized. For example: US or CA.
[-73.983, 40.719].","is_array":true,"requirement":"optional","caption":"Coordinates","type_name":"Float","@deprecated":{"message":"Use specific lat, long attributes instead.","since":"1.2.0"}},"continent":{"type":"string_t","description":"The name of the continent.","requirement":"recommended","caption":"Continent","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Dynamic Location"},"0":{"description":"The UA type is empty or not declared.","caption":"Unknown/Undeclared"},"1":{"caption":"Takeoff Location"},"2":{"caption":"Fixed Location"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The operating area type identifier.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"end_time":{"type":"timestamp_t","description":"The date and time at which a group or an Intent-Based Network Participant operation ends. (This field is only applicable to Network Remote ID.)","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"start_time_dt":{"type":"datetime_t","description":"The date and time at which a group or an Intent-Based Network Participant operation starts. (This field is only applicable to Network Remote ID.)","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"end_time_dt":{"type":"datetime_t","description":"The date and time at which a group or an Intent-Based Network Participant operation ends. (This field is only applicable to Network Remote ID.)","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"aerial_height":{"type":"string_t","description":"Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Aerial Height","type_name":"String"},"altitude_ceiling":{"type":"string_t","description":"Maximum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Altitude Ceiling","type_name":"String"},"altitude_floor":{"type":"string_t","description":"Minimum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Altitude Floor","type_name":"String"},"geodetic_altitude":{"type":"string_t","description":"The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Geodetic Altitude","type_name":"String"},"geodetic_vertical_accuracy":{"type":"string_t","description":"Provides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.","requirement":"optional","caption":"Geodetic Vertical Accuracy","type_name":"String"},"geohash":{"type":"string_t","description":"Geohash of the geo-coordinates (latitude and longitude).
Geohashing is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.","requirement":"optional","caption":"Geohash","type_name":"String"},"horizontal_accuracy":{"type":"string_t","description":"Provides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.","requirement":"optional","caption":"Horizontal Accuracy","type_name":"String"},"is_on_premises":{"type":"boolean_t","description":"Indicates whether the location is on-premises.","requirement":"optional","caption":"On-Premises","type_name":"Boolean"},"isp":{"type":"string_t","description":"The name of the Internet Service Provider (ISP).","requirement":"optional","caption":"ISP Name","type_name":"String","@deprecated":{"message":"Utilizeisp attribute available in network_endpoint, whois objects according to your use-case.","since":"1.5.0"}},"lat":{"type":"float_t","description":"The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: 42.361145.","requirement":"optional","caption":"Latitude","type_name":"Float"},"locations":{"type":"object_t","description":"A list of Position Location Information (PLI) (latitude/longitude pairs) defining the area where a group or Intent-Based Network Participant operation is taking place. (This field is only applicable to Network Remote ID.)","is_array":true,"requirement":"recommended","object_type":"location","caption":"Operating Polygon","object_name":"Geo Location"},"postal_code":{"type":"string_t","description":"The postal code of the location.","requirement":"optional","caption":"Postal Code","type_name":"String"},"pressure_altitude":{"type":"string_t","description":"The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m.. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Pressure Altitude","type_name":"String"},"provider":{"type":"string_t","description":"The provider of the geographical location data.","requirement":"optional","caption":"Provider","type_name":"String"},"radius":{"type":"string_t","description":"Farthest horizontal distance from the reported location at which any UA in a group may be located (meters). Also allows defining the area where an Intent-Based Network Participant operation is taking place. Default: 0 m.","requirement":"optional","caption":"Operating Area Radius","type_name":"String"},"region":{"type":"string_t","description":"The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland","references":[{"description":"ISO Region Codes","url":"https://www.iso.org/iso-3166-country-codes.html"},{"description":"U.S. Region Codes","url":"https://www.iso.org/obp/ui/#iso:code:3166:US"}],"requirement":"optional","caption":"Region","type_name":"String"}},"name":"unmanned_system_operating_area","description":"The Unmanned System Operating Area object describes details about a precise area of operations for a UAS flight or mission.","extends":"location","constraints":{"at_least_one":["city","country","postal_code","region"]},"profiles":["datetime"],"caption":"Unmanned System Operating Area","observable":26},"hassh":{"attributes":{"algorithm":{"type":"string_t","description":"The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation.","requirement":"recommended","caption":"Algorithm","type_name":"String"},"fingerprint":{"type":"object_t","description":"The hash of the key exchange, encryption, authentication and compression algorithms.","requirement":"required","object_type":"fingerprint","caption":"Fingerprint","object_name":"Fingerprint"}},"name":"hassh","description":"The HASSH object contains SSH network fingerprinting values for specific client/server implementations. It provides a standardized way of identifying and categorizing SSH connections based on their unique characteristics and behavior.","extends":"object","caption":"HASSH"},"analytic":{"attributes":{"name":{"type":"string_t","description":"The name of the analytic that generated the finding.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The analytic type.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The analytic version. For example: 1.1.","requirement":"optional","caption":"Version","type_name":"String"},"state":{"type":"string_t","description":"The Analytic state.","requirement":"optional","caption":"State","type_name":"String"},"desc":{"type":"string_t","description":"The description of the analytic that generated the finding.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the analytic that generated the finding.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The analytic category.","requirement":"optional","caption":"Category","type_name":"String"},"algorithm":{"type":"string_t","description":"The algorithm used by the underlying analytic to generate the finding.","requirement":"optional","caption":"Algorithm","type_name":"String"},"type_id":{"type":"integer_t","enum":{"3":{"description":"Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making.","caption":"Statistical"},"6":{"description":"Tagging refers to the practice of assigning labels or identifiers to data, users, assets, or activities to monitor, control access, and facilitate incident response across various security domains such as DLP and EDR.","caption":"Tagging"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A Rule in security analytics refers to predefined criteria or conditions set to monitor, alert, or enforce policies, playing a crucial role in access control, threat detection, and regulatory compliance across security systems.","caption":"Rule"},"2":{"description":"Behavioral analytics focus on monitoring and analyzing user or system actions to identify deviations from established patterns, aiding in the detection of insider threats, fraud, and advanced persistent threats (APTs).","caption":"Behavioral"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Learning (ML/DL) encompasses techniques that can \"learn\" from known data to create analytics that generalize to new data. There may be a statistical component to these techniques, but it is not a requirement.","caption":"Learning (ML/DL)"},"5":{"description":"Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities.","caption":"Fingerprinting"},"7":{"description":"Keyword Match involves scanning content for specific terms to identify sensitive information, potential threats, or policy violations, aiding in DLP and compliance monitoring.","caption":"Keyword Match"},"8":{"description":"Regular Expressions are used to define complex search patterns for identifying, validating, and extracting specific data sets or threats within digital content, enhancing DLP, EDR, and threat detection mechanisms.","caption":"Regular Expressions"},"9":{"description":"Exact Data Match is a precise comparison technique used to detect the unauthorized use or exposure of specific, sensitive information, crucial for enforcing DLP policies and protecting against data breaches.","caption":"Exact Data Match"},"10":{"description":"Partial Data Match involves identifying instances where segments of sensitive information or patterns match, facilitating nuanced DLP and threat detection without requiring complete data conformity.","caption":"Partial Data Match"},"11":{"description":"Indexed Data Match refers to comparing content against a pre-compiled index of sensitive information to efficiently detect and prevent unauthorized access or breaches, streamlining DLP and compliance efforts.","caption":"Indexed Data Match"}},"description":"The analytic type ID.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"related_analytics":{"type":"object_t","description":"Other analytics related to this analytic.","is_array":true,"requirement":"optional","object_type":"analytic","caption":"Related Analytics","@deprecated":{"message":"Related Analytics has been decoupled from this object, instead use finding_info.related_analytics.","since":"1.0.0"},"object_name":"Analytic"},"state_id":{"type":"integer_t","enum":{"3":{"description":"The Analytic is still under development and considered experimental.","caption":"Experimental"},"0":{"description":"The state is unknown.","caption":"Unknown"},"1":{"description":"The Analytic is active.","caption":"Active"},"2":{"description":"The Analytic is suppressed. For example, a user/customer has suppressed a particular detection signature in a security product.","caption":"Suppressed"},"99":{"description":"The state is not mapped. See the state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The Analytic state identifier.","requirement":"optional","caption":"State ID","sibling":"state","type_name":"Integer"}},"name":"analytic","description":"The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Analytic"},"package":{"attributes":{"name":{"type":"string_t","description":"The software package name.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The type of software package, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The software package version.","requirement":"required","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"A unique identifier for the package or library reported by the source tool. E.g., the libId within the sbom field of an OX Security Issue or the SPDX components.*.bom-ref.","requirement":"optional","caption":"Package UID","type_name":"String"},"hash":{"type":"object_t","description":"Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.","requirement":"optional","object_type":"fingerprint","caption":"Hash","object_name":"Fingerprint"},"release":{"type":"string_t","description":"Release is the number of times a version of the software has been packaged.","requirement":"optional","caption":"Software Release Details","type_name":"String"},"epoch":{"type":"integer_t","description":"The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.","requirement":"optional","caption":"Epoch","type_name":"Integer"},"type_id":{"type":"integer_t","enum":{"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"An application software package.","caption":"Application"},"2":{"description":"An operating system software package.","caption":"Operating System"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The type of software package.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"license":{"type":"string_t","description":"The software license applied to this package.","requirement":"optional","caption":"Software License","type_name":"String"},"architecture":{"type":"string_t","description":"Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.","requirement":"recommended","caption":"Architecture","type_name":"String"},"cpe_name":{"type":"string_t","description":"The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.","requirement":"optional","caption":"The product CPE identifier","type_name":"String"},"license_url":{"type":"url_t","description":"The URL pointing to the license applied on package or software. This is typically a LICENSE.md file within a repository.","requirement":"optional","caption":"Software License URL","type_name":"URL String"},"package_manager":{"type":"string_t","description":"The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.","requirement":"optional","caption":"Package Manager","type_name":"String"},"package_manager_url":{"type":"url_t","description":"The URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as AWS CodeArtifact or Artifactory.","requirement":"optional","caption":"Package Manager URL","type_name":"URL String"},"purl":{"type":"string_t","description":"A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.","requirement":"optional","caption":"Package URL","type_name":"String"},"src_url":{"type":"url_t","description":"The link to the specific library or package such as within GitHub, this is different from the link to the package manager where the library or package is hosted.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"vendor_name":{"type":"string_t","description":"The name of the vendor who published the software package.","requirement":"optional","caption":"Vendor Name","type_name":"String"}},"name":"package","description":"The Software Package object describes details about a software package.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:SoftwarePackage.","url":"https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/"}],"caption":"Software Package"},"remediation":{"attributes":{"desc":{"type":"string_t","description":"The description of the remediation strategy.","requirement":"required","caption":"Description","type_name":"String"},"references":{"type":"string_t","description":"A list of supporting URL/s, references that help describe the remediation strategy.","is_array":true,"requirement":"optional","caption":"References","type_name":"String"},"cis_controls":{"type":"object_t","description":"An array of Center for Internet Security (CIS) Controls that can be optionally mapped to provide additional remediation details.","is_array":true,"references":[{"description":"Center For Internet Security Controls","url":"https://www.cisecurity.org/controls/"}],"requirement":"optional","object_type":"cis_control","caption":"CIS Controls","object_name":"CIS Control"},"kb_article_list":{"type":"object_t","description":"A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.","is_array":true,"requirement":"optional","object_type":"kb_article","caption":"Knowledgebase Articles","object_name":"KB Article"},"kb_articles":{"type":"string_t","description":"The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.","is_array":true,"requirement":"optional","caption":"Knowledgebase Articles","type_name":"String","@deprecated":{"message":"Use the kb_article_list attribute instead.","since":"1.1.0"}}},"name":"remediation","description":"The Remediation object describes the recommended remediation steps to address identified issue(s).","extends":"object","profiles":["data_classification"],"caption":"Remediation"},"kb_article":{"attributes":{"size":{"type":"long_t","description":"The size in bytes for the kb article.","requirement":"optional","caption":"Size","type_name":"Long"},"os":{"type":"object_t","description":"The operating system the kb article applies.","requirement":"recommended","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"title":{"type":"string_t","description":"The title of the kb article.","requirement":"recommended","caption":"Title","type_name":"String"},"product":{"type":"object_t","description":"The product details the kb article applies.","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"uid":{"type":"string_t","description":"The unique identifier for the kb article.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"severity":{"type":"string_t","description":"The severity of the kb article.","requirement":"recommended","caption":"Severity","type_name":"String"},"avg_timespan":{"type":"object_t","description":"The average time to patch.","requirement":"optional","object_type":"timespan","caption":"Average Timespan","object_name":"Time Span"},"bulletin":{"type":"string_t","description":"The kb article bulletin identifier.","requirement":"optional","caption":"Patch Bulletin","type_name":"String"},"classification":{"type":"string_t","description":"The vendors classification of the kb article.","requirement":"optional","caption":"Classification","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The date the kb article was released by the vendor.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"install_state":{"type":"string_t","description":"The install state of the kb article.","requirement":"recommended","caption":"Install State","type_name":"String"},"install_state_id":{"type":"integer_t","enum":{"3":{"description":"The item is installed pending reboot operation.","caption":"Installed Pending Reboot"},"0":{"description":"The normalized install state is unknown.","caption":"Unknown"},"1":{"description":"The item is installed.","caption":"Installed"},"2":{"description":"The item is not installed.","caption":"Not Installed"},"99":{"description":"The install state is not mapped. See the install_state attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized install state ID of the kb article.","requirement":"recommended","caption":"Install State ID","sibling":"install_state","type_name":"Integer"},"is_superseded":{"type":"boolean_t","description":"The kb article has been replaced by another.","requirement":"optional","caption":"The patch is superseded.","type_name":"Boolean"},"src_url":{"type":"url_t","description":"The kb article link from the source vendor.","requirement":"optional","caption":"Source URL","type_name":"URL String"},"created_time_dt":{"type":"datetime_t","description":"The date the kb article was released by the vendor.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"}},"name":"kb_article","description":"The KB Article object contains metadata that describes the patch or update.","extends":"object","constraints":{"at_least_one":["uid","src_url"]},"profiles":["data_classification","datetime"],"caption":"KB Article"},"encryption_details":{"attributes":{"type":{"type":"string_t","description":"The type of the encryption used.","requirement":"recommended","caption":"Encryption Type","type_name":"String"},"key_length":{"type":"integer_t","description":"The length of the encryption key used.","requirement":"optional","caption":"Encryption Key Length","type_name":"Integer"},"algorithm":{"type":"string_t","description":"The encryption algorithm used, normalized to the caption of 'algorithm_id","requirement":"optional","caption":"Encryption Algorithm","type_name":"String"},"algorithm_id":{"type":"integer_t","enum":{"3":{"description":"Advanced Encryption Standard Algorithm.","caption":"AES"},"6":{"description":"ShangMi Cryptographic Algorithm","caption":"SM2"},"0":{"description":"The algorithm is unknown.","caption":"Unknown"},"1":{"description":"Data Encryption Standard Algorithm","caption":"DES"},"2":{"description":"Triple Data Encryption Standard Algorithm","caption":"TripleDES"},"99":{"description":"The algorithm is not mapped. See the algorithm attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Rivest-Shamir-Adleman Algorithm","caption":"RSA"},"5":{"description":"Elliptic Curve Cryptography Algorithm","caption":"ECC"}},"description":"The encryption algorithm used.","requirement":"recommended","caption":"Encryption Algorithm ID","sibling":"algorithm","type_name":"Integer"},"key_uid":{"type":"string_t","description":"The unique identifier of the key used for encryption. For example, AWS KMS Key ARN.","requirement":"optional","caption":"Key UID","type_name":"String"}},"name":"encryption_details","description":"Details about the encryption methodology utilized.","extends":"object","caption":"Encryption Details"},"ldap_person":{"attributes":{"location":{"type":"object_t","description":"The geographical location associated with a user. This is typically the user's usual work location.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"labels":{"type":"string_t","description":"The labels associated with the user. For example in AD this could be the userType, employeeType. For example: Member, Employee.","is_array":true,"requirement":"optional","caption":"Labels","type_name":"String"},"manager":{"type":"object_t","description":"The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.","requirement":"optional","object_type":"user","caption":"Manager","object_name":"User"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the user.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"cost_center":{"type":"string_t","description":"The cost center associated with the user.","requirement":"optional","caption":"Cost Center","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The timestamp when the user was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"deleted_time":{"type":"timestamp_t","description":"The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.","requirement":"optional","caption":"Deleted Time","type_name":"Timestamp"},"department":{"type":"string_t","description":"The name of the department in which the user works.","requirement":"optional","caption":"Department","type_name":"String"},"display_name":{"type":"string_t","description":"The display name of the LDAP person. According to RFC 2798, this is the preferred name of a person to be used when displaying entries.","references":[{"description":"RFC 2798","url":"https://www.rfc-editor.org/rfc/rfc2798.html#section-2.3"},{"description":"Microsoft AD Schema","url":"https://learn.microsoft.com/en-us/windows/win32/adschema/a-displayname"}],"requirement":"optional","caption":"Display Name","type_name":"String"},"email_addrs":{"type":"email_t","description":"A list of additional email addresses for the user.","is_array":true,"requirement":"optional","caption":"Email Addresses","type_name":"Email Address"},"employee_uid":{"type":"string_t","description":"The employee identifier assigned to the user by the organization.","requirement":"optional","caption":"Employee ID","type_name":"String"},"given_name":{"type":"string_t","description":"The given or first name of the user.","requirement":"optional","caption":"Given Name","type_name":"String"},"hire_time":{"type":"timestamp_t","description":"The timestamp when the user was or will be hired by the organization.","requirement":"optional","caption":"Hire Time","type_name":"Timestamp"},"job_title":{"type":"string_t","description":"The user's job title.","requirement":"optional","caption":"Job Title","type_name":"String"},"last_login_time":{"type":"timestamp_t","description":"The last time when the user logged in.","requirement":"optional","caption":"Last Login","type_name":"Timestamp"},"ldap_cn":{"type":"string_t","description":"The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.","requirement":"optional","caption":"LDAP Common Name","type_name":"String"},"ldap_dn":{"type":"string_t","description":"The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.","requirement":"optional","caption":"LDAP Distinguished Name","type_name":"String"},"leave_time":{"type":"timestamp_t","description":"The timestamp when the user left or will be leaving the organization.","requirement":"optional","caption":"Leave Time","type_name":"Timestamp"},"modified_time":{"type":"timestamp_t","description":"The timestamp when the user entry was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"office_location":{"type":"string_t","description":"The primary office location associated with the user. This could be any string and isn't a specific address. For example, South East Virtual.","requirement":"optional","caption":"Office Location","type_name":"String"},"phone_number":{"type":"string_t","description":"The telephone number of the user. Corresponds to the LDAP Telephone-Number CN.","requirement":"optional","caption":"Telephone Number","type_name":"String"},"surname":{"type":"string_t","description":"The last or family name for the user.","requirement":"optional","caption":"Surname","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The timestamp when the user was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"deleted_time_dt":{"type":"datetime_t","description":"The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.","requirement":"optional","profiles":["datetime"],"caption":"Deleted Time","type_name":"Datetime"},"hire_time_dt":{"type":"datetime_t","description":"The timestamp when the user was or will be hired by the organization.","requirement":"optional","profiles":["datetime"],"caption":"Hire Time","type_name":"Datetime"},"last_login_time_dt":{"type":"datetime_t","description":"The last time when the user logged in.","requirement":"optional","profiles":["datetime"],"caption":"Last Login","type_name":"Datetime"},"leave_time_dt":{"type":"datetime_t","description":"The timestamp when the user left or will be leaving the organization.","requirement":"optional","profiles":["datetime"],"caption":"Leave Time","type_name":"Datetime"},"modified_time_dt":{"type":"datetime_t","description":"The timestamp when the user entry was last modified.","requirement":"optional","profiles":["datetime"],"caption":"Modified Time","type_name":"Datetime"}},"name":"ldap_person","description":"The additional LDAP attributes that describe a person.","extends":"object","profiles":["datetime"],"caption":"LDAP Person"},"extension":{"attributes":{"name":{"type":"string_t","description":"The schema extension name. For example: dev.","requirement":"recommended","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The schema extension version. For example: 1.0.0-alpha.2.","requirement":"required","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"The schema extension unique identifier. For example: 999.","requirement":"recommended","caption":"Unique ID","type_name":"String"}},"name":"extension","description":"The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Schema Extension"},"dns_query":{"attributes":{"type":{"type":"string_t","description":"The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.","requirement":"recommended","caption":"Resource Record Type","type_name":"String"},"hostname":{"type":"hostname_t","description":"The hostname or domain being queried. For example: www.example.com","requirement":"required","caption":"Hostname","type_name":"Hostname"},"class":{"type":"string_t","description":"The class of resource records being queried. See RFC1035. For example: IN.","requirement":"recommended","caption":"Resource Record Class","type_name":"String"},"opcode":{"type":"string_t","description":"The DNS opcode specifies the type of the query message.","requirement":"optional","caption":"DNS Opcode","type_name":"String"},"opcode_id":{"type":"integer_t","enum":{"3":{"description":"Reserved, not used","caption":"Reserved"},"6":{"description":"DNS Stateful Operations (DSO)","caption":"DSO Message"},"0":{"description":"Standard query","caption":"Query"},"1":{"description":"Inverse query, obsolete","caption":"Inverse Query"},"2":{"description":"Server status request","caption":"Status"},"99":{"description":"The DNS Opcode is not defined by the RFC. See the opcode attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Zone change notification","caption":"Notify"},"5":{"description":"Dynamic DNS update","caption":"Update"}},"description":"The DNS opcode ID specifies the normalized query message type as defined in RFC-5395.","requirement":"recommended","caption":"DNS Opcode ID","type_name":"Integer","suppress_checks":["enum_convention"]},"packet_uid":{"type":"integer_t","description":"The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.","requirement":"recommended","caption":"Packet UID","type_name":"Integer"}},"name":"dns_query","description":"The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX).","extends":"_dns","references":[{"description":"D3FEND™ Ontology d3f:DNSLookup.","url":"https://d3fend.mitre.org/dao/artifact/d3f:DNSLookup/"}],"caption":"DNS Query"},"attack":{"attributes":{"version":{"type":"string_t","description":"The ATT&CK® or ATLAS™ Matrix version.","requirement":"recommended","caption":"Version","type_name":"String"},"tactics":{"type":"object_t","description":"The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK® Matrix.","is_array":true,"requirement":"optional","object_type":"tactic","caption":"Tactics","@deprecated":{"message":"Use the tactic attribute instead.","since":"1.1.0"},"object_name":"MITRE Tactic"},"technique":{"type":"object_t","description":"The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"recommended","object_type":"technique","caption":"MITRE Technique","object_name":"MITRE Technique"},"mitigation":{"type":"object_t","description":"The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","object_type":"mitigation","caption":"MITRE Mitigation","object_name":"MITRE Mitigation"},"sub_technique":{"type":"object_t","description":"The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"recommended","object_type":"sub_technique","caption":"MITRE Sub-technique","object_name":"MITRE Sub-technique"},"tactic":{"type":"object_t","description":"The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.","references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"recommended","object_type":"tactic","caption":"MITRE Tactic","object_name":"MITRE Tactic"}},"name":"attack","description":"The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique, sub-technique & mitigation associated to an attack.","extends":"object","constraints":{"at_least_one":["tactic","technique","sub_technique"]},"references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"caption":"MITRE ATT&CK® & ATLAS™"},"rule":{"attributes":{"name":{"type":"string_t","description":"The name of the rule that generated the event.","requirement":"recommended","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The rule type.","requirement":"optional","caption":"Type","type_name":"String"},"version":{"type":"string_t","description":"The rule version. For example: 1.1.","requirement":"optional","caption":"Version","type_name":"String"},"desc":{"type":"string_t","description":"The description of the rule that generated the event.","requirement":"optional","caption":"Description","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the rule that generated the event.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"category":{"type":"string_t","description":"The rule category.","requirement":"optional","caption":"Category","type_name":"String"}},"name":"rule","description":"The Rule object describes characteristics of a rule associated with a policy or an event.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"caption":"Rule"},"session":{"attributes":{"count":{"type":"integer_t","description":"The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.","requirement":"optional","caption":"Count","type_name":"Integer"},"terminal":{"type":"string_t","description":"The Pseudo Terminal associated with the session. Ex: the tty or pts value.","requirement":"optional","caption":"Terminal","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the session.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"uuid":{"type":"uuid_t","description":"The universally unique identifier of the session.","requirement":"optional","caption":"UUID","type_name":"UUID"},"issuer":{"type":"string_t","description":"The identifier of the session issuer.","requirement":"recommended","caption":"Issuer Details","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the session was created.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"credential_uid":{"type":"string_t","description":"The unique identifier of the user's credential. For example, AWS Access Key ID.","requirement":"optional","caption":"User Credential ID","type_name":"String","observable":19},"expiration_reason":{"type":"string_t","description":"The reason which triggered the session expiration.","requirement":"optional","caption":"Expiration Reason","type_name":"String"},"expiration_time":{"type":"timestamp_t","description":"The session expiration time.","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"is_mfa":{"type":"boolean_t","description":"Indicates whether Multi Factor Authentication was used during authentication.","requirement":"optional","caption":"Multi Factor Authentication","type_name":"Boolean"},"is_remote":{"type":"boolean_t","description":"The indication of whether the session is remote.","requirement":"recommended","caption":"Remote","type_name":"Boolean"},"is_vpn":{"type":"boolean_t","description":"The indication of whether the session is a VPN session.","requirement":"optional","caption":"VPN Session","type_name":"Boolean"},"uid_alt":{"type":"string_t","description":"The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.","requirement":"optional","caption":"Alternate ID","type_name":"String"},"created_time_dt":{"type":"datetime_t","description":"The time when the session was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"expiration_time_dt":{"type":"datetime_t","description":"The session expiration time.","requirement":"optional","profiles":["datetime"],"caption":"Expiration Time","type_name":"Datetime"}},"name":"session","description":"The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:Session","url":"https://d3fend.mitre.org/dao/artifact/d3f:Session/"}],"profiles":["datetime"],"caption":"Session"},"privilege_attack_info":{"attributes":{"attack":{"type":"object_t","description":"The MITRE ATT&CK technique that these privileges could enable.","requirement":"required","object_type":"attack","caption":"MITRE ATT&CK® Details","object_name":"MITRE ATT&CK® & ATLAS™"},"privilege_info_list":{"type":"object_t","description":"The list of privilege information objects, where each element describes a specific privilege that could enable the associated attack technique.","is_array":true,"requirement":"required","object_type":"privilege_info","caption":"Privilege Info List","object_name":"Privilege Info"}},"name":"privilege_attack_info","description":"The Privilege Attack Info object groups privileges by the potential attack they could enable. It maps specific privileges to MITRE ATT&CK techniques, helping identify security risks associated with granted permissions.","extends":"object","caption":"Privilege Attack Info"},"sub_technique":{"attributes":{"name":{"type":"string_t","description":"The name of the attack sub-technique. For example: Scanning IP Blocks or User Execution: Unsafe ML Artifacts.","requirement":"recommended","caption":"Name","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the attack sub-technique. For example: T1595.001 or AML.T0011.000.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"src_url":{"type":"url_t","description":"The versioned permalink of the attack sub-technique. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/.","requirement":"optional","caption":"Source URL","type_name":"URL String"}},"name":"sub_technique","description":"The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"references":[{"description":"ATT&CK® Matrix","url":"https://attack.mitre.org"},{"description":"ATLAS™ Matrix","url":"https://atlas.mitre.org/matrices/ATLAS"}],"caption":"MITRE Sub-technique"},"long_string":{"attributes":{"value":{"type":"string_t","description":"The string value, truncated if is_truncated is true.","requirement":"required","caption":"Value","type_name":"String"},"is_truncated":{"type":"boolean_t","description":"Indicates that value has been truncated. May be omitted if truncation has not occurred.","requirement":"optional","caption":"Is Truncated","type_name":"Boolean"},"untruncated_size":{"type":"integer_t","description":"The size in bytes of the string represented by value before truncation. Should be omitted if truncation has not occurred.","requirement":"optional","caption":"Untruncated Size","type_name":"Integer"}},"name":"long_string","description":"This object is a used to capture strings which may be truncated by a security product due to their length.","extends":"object","caption":"Long String"},"aircraft":{"attributes":{"name":{"type":"string_t","description":"The name of the aircraft, such as the such as the flight name or callsign.","requirement":"recommended","caption":"Name","type_name":"String"},"speed":{"type":"string_t","description":"Ground speed of flight. This value is provided in meters per second with a minimum resolution of 0.25 m/s. Special Values: Invalid, No Value, or Unknown: 255 m/s.","requirement":"optional","caption":"Speed","type_name":"String"},"location":{"type":"object_t","description":"The detailed geographical location usually associated with an IP address.","requirement":"recommended","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"uid":{"type":"string_t","description":"The primary identification identifier for an aircraft, such as the 24-bit International Civil Aviation Organization (ICAO) identifier of the aircraft, as 6 hex digits.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"model":{"type":"string_t","description":"The model name of the aircraft or unmanned system.","requirement":"optional","caption":"Model","type_name":"String"},"serial_number":{"type":"string_t","description":"The serial number of the aircraft.","requirement":"optional","caption":"Serial Number","type_name":"String","observable":37},"speed_accuracy":{"type":"string_t","description":"Provides quality/containment on horizontal ground speed. Measured in meters/second.","requirement":"optional","caption":"Speed Accuracy","type_name":"String"},"track_direction":{"type":"string_t","description":"Direction of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value","requirement":"optional","caption":"Track Direction","type_name":"String"},"uid_alt":{"type":"string_t","description":"A secondary identification identifier for an aircraft, such as the 4-digit squawk (octal representation).","requirement":"optional","caption":"Alternate ID","type_name":"String"},"vertical_speed":{"type":"string_t","description":"Vertical speed upward relative to the WGS-84 datum, measured in meters per second. Special Values: Invalid, No Value, or Unknown: 63 m/s.","requirement":"optional","caption":"Vertical Speed","type_name":"String"}},"name":"aircraft","description":"The Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise. The Aircraft object is intended to normalized data captured or otherwise logged from active radar, passive radar, multi-spectral systems, or the Automatic Dependant Broadcast - Surveillance (ADS-B), and/or Mode S systems.","extends":"_entity","constraints":{"at_least_one":["name","serial_number","uid","uid_alt"]},"caption":"Aircraft"},"anomaly_analysis":{"attributes":{"analysis_targets":{"type":"object_t","description":"The analysis targets define the scope of monitored activities, specifying what entities, systems or processes are analyzed for activity patterns.","is_array":true,"requirement":"required","object_type":"analysis_target","caption":"Analysis Targets","object_name":"Analysis Target"},"anomalies":{"type":"object_t","description":"List of detected activities that significantly deviate from the established baselines. This can include unusual access patterns, unexpected user-agents, abnormal API usage, suspicious traffic spikes, unauthorized access attempts, and other activities that may indicate potential security threats or system issues.","is_array":true,"requirement":"required","object_type":"anomaly","caption":"Anomalies","object_name":"Anomaly"},"baselines":{"type":"object_t","description":"List of established patterns representing normal activity that serve as reference points for anomaly detection. This includes typical user interaction patterns like common user-agents, expected API access frequencies and patterns, standard resource utilization levels, and regular traffic flows. These baselines help establish what constitutes 'normal' activity in the system.","is_array":true,"requirement":"recommended","object_type":"baseline","caption":"Baselines","object_name":"Baseline"}},"name":"anomaly_analysis","description":"Describes the analysis of activity patterns and anomalies of target entities to identify potential security threats, performance issues, or other deviations from established baselines. This includes monitoring and analyzing user interactions, API usage, resource utilization, access patterns and other measured indicators.","caption":"Anomaly Analysis"},"identity_activity_metrics":{"attributes":{"first_seen_time":{"type":"timestamp_t","description":"The timestamp when this identity was first observed or created in the system. This helps establish the identity's age and lifecycle stage for risk assessment.","requirement":"optional","caption":"First Seen","type_name":"Timestamp"},"last_authentication_time":{"type":"timestamp_t","description":"The timestamp when this identity last successfully authenticated to any system or service. This differs from last_seen_time as it specifically tracks authentication events rather than all activities.","requirement":"optional","caption":"Last Authentication Time","type_name":"Timestamp"},"last_seen_time":{"type":"timestamp_t","description":"The timestamp of the most recent activity performed by this identity, including authentication, resource access, or API calls. This is the most comprehensive indicator of identity usage recency.","requirement":"recommended","caption":"Last Seen","type_name":"Timestamp"},"password_last_used_time":{"type":"timestamp_t","description":"The timestamp when password-based authentication was last used by this identity. This helps distinguish between password and other authentication methods (MFA, SSO, certificates) and identify password-specific usage patterns.","requirement":"optional","caption":"Password Last Used Time","type_name":"Timestamp"},"programmatic_credentials":{"type":"object_t","description":"Details about the programmatic credentials associated with this identity, such as API keys, service account keys, access tokens, and client certificates used for automated access.","is_array":true,"requirement":"optional","object_type":"programmatic_credential","caption":"Programmatic Credentials","object_name":"Programmatic Credential"},"first_seen_time_dt":{"type":"datetime_t","description":"The timestamp when this identity was first observed or created in the system. This helps establish the identity's age and lifecycle stage for risk assessment.","requirement":"optional","profiles":["datetime"],"caption":"First Seen","type_name":"Datetime"},"last_authentication_time_dt":{"type":"datetime_t","description":"The timestamp when this identity last successfully authenticated to any system or service. This differs from last_seen_time as it specifically tracks authentication events rather than all activities.","requirement":"optional","profiles":["datetime"],"caption":"Last Authentication Time","type_name":"Datetime"},"last_seen_time_dt":{"type":"datetime_t","description":"The timestamp of the most recent activity performed by this identity, including authentication, resource access, or API calls. This is the most comprehensive indicator of identity usage recency.","requirement":"optional","profiles":["datetime"],"caption":"Last Seen","type_name":"Datetime"},"password_last_used_time_dt":{"type":"datetime_t","description":"The timestamp when password-based authentication was last used by this identity. This helps distinguish between password and other authentication methods (MFA, SSO, certificates) and identify password-specific usage patterns.","requirement":"optional","profiles":["datetime"],"caption":"Password Last Used Time","type_name":"Datetime"}},"name":"identity_activity_metrics","description":"The Identity Activity Metrics object captures usage patterns, authentication activity, credential usage and other metrics for identities across cloud and on-premises environments. Example identities include AWS IAM Users, Roles, Azure AD Principals, GCP Service Accounts, on-premises Active Directory accounts.","extends":"object","profiles":["datetime"],"caption":"Identity Activity Metrics"},"security_state":{"attributes":{"state":{"type":"string_t","description":"The security state, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Security State","type_name":"String"},"state_id":{"type":"integer_t","enum":{"3":{"description":"Isolated from the network.","caption":"In network quarantine"},"6":{"description":"The security solution does not have a valid license.","caption":"Protection not licensed"},"0":{"description":"The security state is unknown.","caption":"Unknown"},"1":{"description":"The content is missing or outdated.","caption":"Missing or outdated content"},"2":{"description":"Not in compliance with the expected security policy.","caption":"Policy mismatch"},"99":{"description":"The security state is not mapped. See the state attribute, which contains data source specific values.","caption":"Other"},"4":{"description":"Not protected by a security solution.","caption":"Protection off"},"5":{"description":"The security solution is not functioning properly.","caption":"Protection malfunction"},"7":{"description":"A detected threat has not been remediated.","caption":"Unremediated threat"},"8":{"description":"Reputation of the entity is suspicious.","caption":"Suspicious reputation"},"9":{"description":"A reboot is required for one or more pending actions.","caption":"Reboot pending"},"10":{"description":"The content is locked to a specific version.","caption":"Content is locked"},"11":{"description":"The entity is not installed.","caption":"Not installed"},"12":{"description":"The system partition is writeable.","caption":"Writable system partition"},"14":{"description":"The device has failed the boot verification process.","caption":"Failed boot verify"},"15":{"description":"The execution environment has been modified.","caption":"Modified execution environment"},"16":{"description":"The SELinux security feature has been disabled.","caption":"SELinux disabled"},"17":{"description":"An elevated privilege shell has been detected.","caption":"Elevated privilege shell"},"18":{"description":"The file system has been altered on an iOS device.","caption":"iOS file system altered"},"20":{"description":"Mobile OTA (Over The Air) updates have been disabled.","caption":"OTA updates disabled"},"21":{"description":"The device has been modified to allow root access.","caption":"Rooted"},"22":{"description":"The Android partition has been modified.","caption":"Android partition modified"},"23":{"description":"The entity is not compliant with the associated security policy.","caption":"Compliance failure"},"13":{"description":"The device has failed the SafetyNet check.","caption":"SafetyNet failure"},"19":{"description":"Remote access is enabled.","caption":"Open remote access"}},"description":"The security state of the managed entity.","requirement":"recommended","caption":"Security State ID","sibling":"state","type_name":"Integer"}},"name":"security_state","description":"The Security State object describes the security related state of a managed entity.","extends":"object","caption":"Security State"},"display":{"attributes":{"scale_factor":{"type":"integer_t","description":"The numeric scale factor of display.","requirement":"optional","caption":"Scale Factor","type_name":"Integer"},"color_depth":{"type":"integer_t","description":"The numeric color depth.","requirement":"optional","caption":"Color Depth","type_name":"Integer"},"physical_height":{"type":"integer_t","description":"The numeric physical height of display.","requirement":"optional","caption":"Physical Height","type_name":"Integer"},"physical_orientation":{"type":"integer_t","description":"The numeric physical orientation of display.","requirement":"optional","caption":"Physical Orientation","type_name":"Integer"},"physical_width":{"type":"integer_t","description":"The numeric physical width of display.","requirement":"optional","caption":"Physical Width","type_name":"Integer"}},"name":"display","description":"The Display object contains information about the physical or virtual display connected to a computer system.","extends":"object","caption":"Display"},"permission_analysis_result":{"attributes":{"analyzed_privileges_count":{"type":"integer_t","description":"The total count of privileges that were analyzed across all services.","requirement":"optional","caption":"Analyzed Privileges Count","type_name":"Integer"},"condition_keys":{"type":"object_t","description":"The condition keys and their values that were evaluated during policy analysis, including contextual constraints that affect permission grants. These conditions define when and how permissions are applied. Examples: aws:SourceIp:1.2.3.4, aws:RequestedRegion:us-east-1.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Condition Keys","object_name":"Key:Value object"},"granted_privileges":{"type":"string_t","description":"The specific privileges, actions, or permissions that are explicitly granted by the analyzed policy. Examples: AWS actions like s3:GetObject, ec2:RunInstances, iam:CreateUser; Azure actions like Microsoft.Storage/storageAccounts/read; or GCP permissions like storage.objects.get.","is_array":true,"requirement":"optional","caption":"Granted Privileges","type_name":"String"},"policy":{"type":"object_t","description":"Detailed information about the policy document that was analyzed, including policy metadata, version, type (identity-based, resource-based, etc.), and structural details. This provides context for understanding the scope and nature of the permission analysis.","requirement":"recommended","object_type":"policy","caption":"Policy","object_name":"Policy"},"service_privilege_analysis_list":{"type":"object_t","description":"The list of privilege analysis results grouped by cloud service or namespace.","is_array":true,"requirement":"optional","object_type":"service_privilege_analysis","caption":"Service Privilege Analysis List","object_name":"Service Privilege Analysis"},"total_potential_attacks_count":{"type":"integer_t","description":"The total count of privilege-to-attack technique mappings identified across all analyzed privileges.","requirement":"optional","caption":"Total Potential Attacks Count","type_name":"Integer"},"unused_privileges_count":{"type":"integer_t","description":"The total count of privileges or actions defined in the policy that have not been utilized within the analysis timeframe. This metric helps identify over-privileged access and opportunities for privilege reduction to follow the principle of least privilege. High counts may indicate policy bloat or excessive permissions.","requirement":"optional","caption":"Unused Privileges Count","type_name":"Integer"},"unused_services_count":{"type":"integer_t","description":"The total count of cloud services or resource types referenced in the policy that have not been accessed or utilized within the analysis timeframe. This helps identify unused service permissions that could be removed to reduce attack surface. Examples: AWS services like S3, SQS, IAM, Lambda; Azure services like Storage, Compute, KeyVault; or GCP services like Cloud Storage, Compute Engine, BigQuery.","requirement":"optional","caption":"Unused Services Count","type_name":"Integer"}},"name":"permission_analysis_result","description":"The Permission Analysis object describes analysis results of permissions, policies directly associated with an identity (user, role, or service account). This evaluates what permissions an identity has been granted through attached policies, which privileges are actively used versus unused, and identifies potential over-privileged access. Use this for identity-centric security assessments such as privilege audits, dormant permission discovery, and least-privilege compliance analysis.","extends":"object","caption":"Permission Analysis Result"},"endpoint_connection":{"attributes":{"code":{"type":"integer_t","description":"A numerical response status code providing details about the connection.","requirement":"recommended","caption":"Response Code","type_name":"Integer"},"network_endpoint":{"type":"object_t","description":"Provides characteristics of the network endpoint.","requirement":"recommended","object_type":"network_endpoint","caption":"Network Endpoint","object_name":"Network Endpoint"}},"name":"endpoint_connection","description":"The Endpoint Connection object contains information detailing a connection attempt to an endpoint.","extends":"object","constraints":{"at_least_one":["network_endpoint","code"]},"profiles":["container"],"caption":"Endpoint Connection"},"enrichment":{"attributes":{"data":{"type":"json_t","description":"The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.","requirement":"required","caption":"Data","type_name":"JSON"},"name":{"type":"string_t","description":"The name of the attribute to which the enriched data pertains.","requirement":"required","caption":"Name","type_name":"String"},"type":{"type":"string_t","description":"The enrichment type. For example: location.","requirement":"recommended","caption":"Type","type_name":"String"},"value":{"type":"string_t","description":"The value of the attribute to which the enriched data pertains.","requirement":"required","caption":"Value","type_name":"String"},"desc":{"type":"string_t","description":"A long description of the enrichment data.","requirement":"optional","caption":"Description","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the enrichment data was generated.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"provider":{"type":"string_t","description":"The enrichment data provider name.","requirement":"recommended","caption":"Provider","type_name":"String"},"reputation":{"type":"object_t","description":"The reputation of the enrichment data.","requirement":"optional","object_type":"reputation","caption":"Reputation Scores","object_name":"Reputation"},"short_desc":{"type":"string_t","description":"A short description of the enrichment data.","requirement":"recommended","caption":"Short Description","type_name":"String"},"src_url":{"type":"url_t","description":"The URL of the source of the enrichment data.","requirement":"recommended","caption":"Source URL","type_name":"URL String"},"created_time_dt":{"type":"datetime_t","description":"The time when the enrichment data was generated.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"}},"name":"enrichment","description":"The Enrichment object provides inline enrichment data for specific attributes of interest within an event. It serves as a mechanism to enhance or supplement the information associated with the event by adding additional relevant details or context.","extends":"object","profiles":["datetime"],"caption":"Enrichment"},"span":{"attributes":{"message":{"type":"string_t","description":"The message in a span (often referred to as a span event) serves as a way to record significant moments or occurrences during the span's lifecycle. This content typically manifests as log entries, annotations, or semi-structured events as a string, providing additional granularity and context about what happens at specific points during the execution of an operation.","requirement":"optional","caption":"Message","type_name":"String"},"service":{"type":"object_t","description":"Identifies the service or component that generates the span, helping trace its path through the distributed system.","requirement":"optional","object_type":"service","caption":"Service","object_name":"Service"},"uid":{"type":"string_t","description":"The unique identifier for the span, used in distributed systems and microservices architectures to track and correlate requests across different components of an application. It enables tracing the flow of a request through various services.","requirement":"required","caption":"Unique ID","type_name":"String"},"operation":{"type":"string_t","description":"Describes an action performed in a span, such as API requests, database queries, or computations.","requirement":"optional","caption":"Operation","type_name":"String"},"start_time":{"type":"timestamp_t","description":"The start timestamp of the span, essential for identifying latency and performance bottlenecks. This timestamp is normalized across the observability system, ensuring consistency even when events occur across distributed services with potentially unsynchronized clocks. By using normalized time, observability tools can provide accurate, uniform measurements of operation performance and latency, regardless of where or when the events actually occur.","requirement":"required","caption":"Start Time","type_name":"Timestamp"},"duration":{"type":"long_t","description":"The total time, in milliseconds, that the span represents, calculated as the difference between start_time and end_time. It reflects the operation's performance and latency, independent of event timestamps, and accounts for normalized times used by observability tools to ensure consistency across distributed systems.","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"end_time":{"type":"timestamp_t","description":"The end timestamp of the span, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the observability system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.","requirement":"required","caption":"End Time","type_name":"Timestamp"},"start_time_dt":{"type":"datetime_t","description":"The start timestamp of the span, essential for identifying latency and performance bottlenecks. This timestamp is normalized across the observability system, ensuring consistency even when events occur across distributed services with potentially unsynchronized clocks. By using normalized time, observability tools can provide accurate, uniform measurements of operation performance and latency, regardless of where or when the events actually occur.","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"end_time_dt":{"type":"datetime_t","description":"The end timestamp of the span, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the observability system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"parent_uid":{"type":"string_t","description":"The ID of the parent span for this span object, establishing its relationship in the trace hierarchy.","requirement":"optional","caption":"Parent Unique ID","type_name":"String"},"status_code":{"type":"string_t","description":"Indicates the outcome of the operation in the span, such as success, failure, or error. Issues in a span typically refer to problems such as failed operations, timeouts, service unavailability, or errors in processing that can negatively impact the performance or reliability of the system. Tracking the `status_code` helps pinpoint these issues, enabling quicker identification and resolution of system inefficiencies or faults.","requirement":"optional","caption":"Status Code","type_name":"String"}},"name":"span","description":"Represents a single unit of work or operation within a distributed trace. A span typically tracks the execution of a request across a service, capturing important details such as the operation, timestamps, and status. Spans help break down the overall trace into smaller, manageable parts, enabling detailed analysis of the performance and behavior of specific operations within the system. They are crucial for understanding latency, dependencies, and bottlenecks in complex distributed systems.","extends":"object","profiles":["datetime"],"caption":"Span"},"certificate":{"attributes":{"version":{"type":"string_t","description":"The certificate version.","requirement":"recommended","caption":"Version","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the certificate.","requirement":"optional","caption":"Unique ID","type_name":"String"},"issuer":{"type":"string_t","description":"The certificate issuer distinguished name.","requirement":"required","caption":"Issuer Distinguished Name","type_name":"String"},"is_self_signed":{"type":"boolean_t","description":"Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).","requirement":"recommended","caption":"Certificate Self-Signed","type_name":"Boolean"},"subject":{"type":"string_t","description":"The certificate subject distinguished name.","requirement":"recommended","caption":"Subject Distinguished Name","type_name":"String"},"fingerprints":{"type":"object_t","description":"The fingerprint list of the certificate.","is_array":true,"requirement":"recommended","object_type":"fingerprint","caption":"Fingerprints","object_name":"Fingerprint"},"created_time":{"type":"timestamp_t","description":"The time when the certificate was created.","requirement":"recommended","caption":"Created Time","type_name":"Timestamp"},"expiration_time":{"type":"timestamp_t","description":"The expiration time of the certificate.","requirement":"recommended","caption":"Expiration Time","type_name":"Timestamp"},"sans":{"type":"object_t","description":"The list of subject alternative names that are secured by a specific certificate.","is_array":true,"requirement":"optional","object_type":"san","caption":"Subject Alternative Names","object_name":"Subject Alternative Name"},"serial_number":{"type":"string_t","description":"The serial number of the certificate used to create the digital signature.","requirement":"required","caption":"Certificate Serial Number","type_name":"String","observable":37},"created_time_dt":{"type":"datetime_t","description":"The time when the certificate was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"expiration_time_dt":{"type":"datetime_t","description":"The expiration time of the certificate.","requirement":"optional","profiles":["datetime"],"caption":"Expiration Time","type_name":"Datetime"}},"name":"certificate","description":"The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity.","extends":"object","references":[{"description":"D3FEND™ Ontology d3f:Certificate.","url":"https://d3fend.mitre.org/dao/artifact/d3f:Certificate/"}],"profiles":["datetime"],"caption":"Digital Certificate"},"key_value_object":{"attributes":{"name":{"type":"string_t","description":"The name of the key.","requirement":"required","caption":"Name","type_name":"String"},"value":{"type":"string_t","description":"The value associated to the key.","requirement":"recommended","caption":"Value","type_name":"String"},"values":{"type":"string_t","description":"Optional, the values associated to the key. You can populate this attribute, when you have multiple values for the same key.","is_array":true,"requirement":"recommended","caption":"Values","type_name":"String"}},"name":"key_value_object","description":"A generic object allowing to define a {key:value} pair.","extends":"object","constraints":{"at_least_one":["value","values"]},"caption":"Key:Value object"},"location":{"attributes":{"desc":{"type":"string_t","description":"The description of the geographical location.","requirement":"optional","caption":"Description","type_name":"String"},"long":{"type":"float_t","description":"The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083.","requirement":"optional","caption":"Longitude","type_name":"Float"},"city":{"type":"string_t","description":"The name of the city.","requirement":"recommended","caption":"City","type_name":"String"},"country":{"type":"string_t","description":"The ISO 3166-1 Alpha-2 country code.Note: The two letter country code should be capitalized. For example: US or CA.
[-73.983, 40.719].","is_array":true,"requirement":"optional","caption":"Coordinates","type_name":"Float","@deprecated":{"message":"Use specific lat, long attributes instead.","since":"1.2.0"}},"continent":{"type":"string_t","description":"The name of the continent.","requirement":"recommended","caption":"Continent","type_name":"String"},"aerial_height":{"type":"string_t","description":"Expressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Aerial Height","type_name":"String"},"geodetic_altitude":{"type":"string_t","description":"The aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Geodetic Altitude","type_name":"String"},"geodetic_vertical_accuracy":{"type":"string_t","description":"Provides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.","requirement":"optional","caption":"Geodetic Vertical Accuracy","type_name":"String"},"geohash":{"type":"string_t","description":"Geohash of the geo-coordinates (latitude and longitude).
Geohashing is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.","requirement":"optional","caption":"Geohash","type_name":"String"},"horizontal_accuracy":{"type":"string_t","description":"Provides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.","requirement":"optional","caption":"Horizontal Accuracy","type_name":"String"},"is_on_premises":{"type":"boolean_t","description":"Indicates whether the location is on-premises.","requirement":"optional","caption":"On-Premises","type_name":"Boolean"},"isp":{"type":"string_t","description":"The name of the Internet Service Provider (ISP).","requirement":"optional","caption":"ISP Name","type_name":"String","@deprecated":{"message":"Utilizeisp attribute available in network_endpoint, whois objects according to your use-case.","since":"1.5.0"}},"lat":{"type":"float_t","description":"The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: 42.361145.","requirement":"optional","caption":"Latitude","type_name":"Float"},"postal_code":{"type":"string_t","description":"The postal code of the location.","requirement":"optional","caption":"Postal Code","type_name":"String"},"pressure_altitude":{"type":"string_t","description":"The uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m.. Special Values: Invalid, No Value, or Unknown: -1000 m.","requirement":"optional","caption":"Pressure Altitude","type_name":"String"},"provider":{"type":"string_t","description":"The provider of the geographical location data.","requirement":"optional","caption":"Provider","type_name":"String"},"region":{"type":"string_t","description":"The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland","references":[{"description":"ISO Region Codes","url":"https://www.iso.org/iso-3166-country-codes.html"},{"description":"U.S. Region Codes","url":"https://www.iso.org/obp/ui/#iso:code:3166:US"}],"requirement":"optional","caption":"Region","type_name":"String"}},"name":"location","description":"The Geo Location object describes a geographical location, usually associated with an IP address.","extends":"object","constraints":{"at_least_one":["city","country","postal_code","region"]},"caption":"Geo Location","observable":26},"query_evidence":{"attributes":{"module":{"type":"object_t","description":"The module that pertains to the event when query_type_id indicates a Module query.","group":"primary","requirement":"recommended","object_type":"module","caption":"Module","object_name":"Module"},"process":{"type":"object_t","description":"The process that pertains to the event when query_type_id indicates a Process query.","group":"primary","requirement":"recommended","object_type":"process","caption":"Process","object_name":"Process"},"session":{"type":"object_t","description":"The authenticated user or service session when query_type_id indicates a Session query.","group":"primary","requirement":"recommended","object_type":"session","caption":"Session","object_name":"Session"},"file":{"type":"object_t","description":"The file that is the target of the query when query_type_id indicates a File query.","group":"primary","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"state":{"type":"string_t","description":"The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","caption":"Network Connection State","type_name":"String"},"user":{"type":"object_t","description":"The user that pertains to the event when query_type_id indicates a User query.","group":"primary","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"kernel":{"type":"object_t","description":"The kernel object that pertains to the event when query_type_id indicates a Kernel query.","group":"primary","requirement":"recommended","object_type":"kernel","caption":"Kernel","object_name":"Kernel Resource"},"service":{"type":"object_t","description":"The service that pertains to the event when query_type_id indicates a Service query.","group":"primary","requirement":"recommended","object_type":"service","caption":"Service","object_name":"Service"},"group":{"type":"object_t","description":"The administrative group that is the target of the query when query_type_id indicates an Admin Group query.","group":"primary","requirement":"recommended","object_type":"group","caption":"Group","object_name":"Group"},"users":{"type":"object_t","description":"The users that belong to the administrative group when query_type_id indicates a Users query.","group":"context","is_array":true,"requirement":"optional","object_type":"user","caption":"Users","object_name":"User"},"connection_info":{"type":"object_t","description":"The network connection information related to a Network Connection query type.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"folder":{"type":"object_t","description":"The folder that is the target of the query when query_type_id indicates a Folder query.","group":"primary","requirement":"recommended","object_type":"file","caption":"Folder","object_name":"File"},"job":{"type":"object_t","description":"The job object that pertains to the event when query_type_id indicates a Job query.","group":"primary","requirement":"recommended","object_type":"job","caption":"Job","object_name":"Job"},"network_interfaces":{"type":"object_t","description":"The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query.","group":"primary","is_array":true,"requirement":"recommended","object_type":"network_interface","caption":"Network Interfaces","object_name":"Network Interface"},"peripheral_device":{"type":"object_t","description":"The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query.","group":"primary","requirement":"recommended","object_type":"peripheral_device","caption":"Peripheral Device","object_name":"Peripheral Device"},"query_type":{"type":"string_t","description":"The normalized caption of query_type_id or the source-specific query type.","group":"classification","requirement":"optional","caption":"Query Type","type_name":"String"},"query_type_id":{"type":"integer_t","enum":{"3":{"description":"A query about folder attributes, metadata, content, or structure.","caption":"Folder"},"6":{"description":"A query about loaded modules, their base addresses, load types, or function entry points.","caption":"Module"},"0":{"description":"The query type was unknown or not specified.","caption":"Unknown"},"1":{"description":"A query about kernel resources including system calls, shared mutex, or other kernel components.","caption":"Kernel"},"2":{"description":"A query about file attributes, metadata, content, hash values, or properties.","caption":"File"},"99":{"description":"The query type was not mapped to a standard category. See the query_type attribute for source-specific value.","caption":"Other"},"4":{"description":"A query about group membership, privileges, domain, or group properties.","caption":"Admin Group"},"5":{"description":"A query about scheduled jobs, their command lines, run states, or execution times.","caption":"Job"},"7":{"description":"A query about active network connections, boundaries, protocols, or TCP states.","caption":"Network Connection"},"8":{"description":"A query about physical or virtual network interfaces, their IP/MAC addresses, or types.","caption":"Network Interfaces"},"9":{"description":"A query about attached peripheral devices, their classes, models, or vendor information.","caption":"Peripheral Device"},"10":{"description":"A query about running processes, command lines, ancestry, loaded modules, or execution context.","caption":"Process"},"11":{"description":"A query about system services, their names, versions, labels, or properties.","caption":"Service"},"12":{"description":"A query about authenticated user or service sessions, their creation times, or issuer details.","caption":"Session"},"14":{"description":"A query about multiple users belonging to an administrative group.","caption":"Users"},"15":{"description":"A query about startup configuration items, their run modes, start types, or current states.","caption":"Startup Item"},"16":{"description":"A Windows-specific query about registry keys, their paths, security descriptors, or modification times.","caption":"Registry Key"},"17":{"description":"A Windows-specific query about registry values, their data types, content, or names.","caption":"Registry Value"},"18":{"description":"A Windows-specific query about prefetch files, their run counts, last execution times, or existence.","caption":"Prefetch"},"13":{"description":"A query about user accounts, their properties, credentials, or domain information.","caption":"User"}},"description":"The normalized type of system query performed against a device or system component.","group":"classification","requirement":"required","caption":"Query Type ID","sibling":"query_type","type_name":"Integer"},"startup_item":{"type":"object_t","description":"The startup item object that pertains to the event when query_type_id indicates a Startup Item query.","group":"primary","requirement":"recommended","object_type":"startup_item","caption":"Startup Item","object_name":"Startup Item"},"tcp_state_id":{"type":"integer_t","enum":{"3":{"description":"The socket has passively received a connection request from a remote peer.","caption":"SYN-RECEIVED"},"6":{"description":"The socket connection has been closed by the local application, the remote peer has closed its half of the connection, and the system is waiting to be sure that the remote peer received the last acknowledgement.","caption":"TIME-WAIT"},"0":{"description":"The socket state is unknown.","caption":"Unknown"},"1":{"description":"The socket has an established connection between a local application and a remote peer.","caption":"ESTABLISHED"},"2":{"description":"The socket is actively trying to establish a connection to a remote peer.","caption":"SYN-SENT"},"4":{"description":"The socket connection has been closed by the local application, the remote peer has not yet acknowledged the close, and the system is waiting for it to close its half of the connection.","caption":"FIN-WAIT-1"},"5":{"description":"The socket connection has been closed by the local application, the remote peer has acknowledged the close, and the system is waiting for it to close its half of the connection.","caption":"FIN-WAIT-2"},"7":{"description":"The socket is not in use.","caption":"CLOSED"},"8":{"description":"The socket connection has been closed by the remote peer, and the system is waiting for the local application to close its half of the connection.","caption":"CLOSE-WAIT"},"9":{"description":"The socket connection has been closed by the remote peer, the local application has closed its half of the connection, and the system is waiting for the remote peer to acknowledge the close.","caption":"LAST-ACK"},"10":{"description":"The socket is listening for incoming connections.","caption":"LISTEN"},"11":{"description":"The socket connection has been closed by the local application and the remote peer simultaneously, and the remote peer has not yet acknowledged the close attempt of the local application.","caption":"CLOSING"}},"description":"The state of the TCP socket for the network connection.","group":"context","references":[{"description":"RFC 9293","url":"https://datatracker.ietf.org/doc/html/rfc9293"}],"requirement":"optional","caption":"TCP State ID","type_name":"Integer"},"reg_key":{"type":"object_t","description":"The registry key object describes a Windows registry key.","group":"primary","extension":"win","requirement":"recommended","extension_id":2,"object_type":"win/reg_key","caption":"Registry Key","object_name":"Registry Key"},"reg_value":{"type":"object_t","description":"The registry key object describes a Windows registry value.","group":"primary","extension":"win","requirement":"recommended","extension_id":2,"object_type":"win/reg_value","caption":"Registry Value","object_name":"Registry Value"}},"name":"query_evidence","description":"The specific resulting evidence information that was queried or discovered. When mapping raw telemetry data users should select the appropriate child object that best matches the evidence type as defined by query_type_id.","constraints":{"just_one":["connection_info","file","folder","group","job","kernel","module","network_interfaces","peripheral_device","process","reg_key","reg_value","service","session","startup_item","user"]},"profiles":["container","data_classification","linux/linux_users","macos/macos_users"],"caption":"Query Evidence"},"discovery_details":{"attributes":{"count":{"type":"integer_t","description":"The number of discovered entities of the specified type.","requirement":"recommended","caption":"Count","type_name":"Integer"},"type":{"type":"string_t","description":"The specific type of information that was discovered. e.g. name, phone_number, etc.","requirement":"recommended","caption":"Type","type_name":"String"},"value":{"type":"string_t","description":"Optionally, the specific value of discovered information.","requirement":"optional","caption":"Value","type_name":"String"},"occurrence_details":{"type":"object_t","description":"Details about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populated.","requirement":"optional","object_type":"occurrence_details","caption":"Occurrence Details","@deprecated":{"message":"Use occurrences instead.","since":"1.4.0"},"object_name":"Occurrence Details"},"occurrences":{"type":"object_t","description":"Details about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populated.","is_array":true,"requirement":"optional","object_type":"occurrence_details","caption":"Occurrences","object_name":"Occurrence Details"}},"name":"discovery_details","description":"The Discovery Details object describes results of a discovery task/job.","extends":"object","caption":"Discovery Details"},"file":{"attributes":{"modified_time":{"type":"timestamp_t","description":"The time when the file was last modified.","requirement":"optional","caption":"Modified Time","type_name":"Timestamp"},"ext":{"type":"string_t","description":"The extension of the file, excluding the leading dot. For example: exe from svchost.exe, or gz from export.tar.gz.","requirement":"recommended","caption":"File Extension","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the file as defined by the storage system, such the file system file ID.","requirement":"optional","caption":"Unique ID","type_name":"String"},"parent_folder":{"type":"string_t","description":"The parent folder in which the file resides. For example: c:\\windows\\system32","requirement":"optional","caption":"Parent Folder","type_name":"String"},"is_public":{"type":"boolean_t","description":"Indicates if the file is publicly accessible. For example in an object's public access in AWS S3","requirement":"optional","profiles":["cloud"],"caption":"Public","type_name":"Boolean"},"is_deleted":{"type":"boolean_t","description":"Indicates if the file was deleted from the filesystem.","requirement":"optional","caption":"Deleted","type_name":"Boolean"},"mime_type":{"type":"string_t","description":"The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.","requirement":"optional","caption":"MIME type","type_name":"String"},"owner":{"type":"object_t","description":"The user that owns the file/object.","requirement":"optional","object_type":"user","caption":"Owner","object_name":"User"},"is_system":{"type":"boolean_t","description":"The indication of whether the object is part of the operating system.","requirement":"optional","caption":"System","type_name":"Boolean"},"type":{"type":"string_t","description":"The file type.","requirement":"optional","caption":"Type","type_name":"String"},"signature":{"type":"object_t","description":"The digital signature of the file.","requirement":"optional","object_type":"digital_signature","caption":"Digital Signature","@deprecated":{"message":"Use the signatures attribute.","since":"1.8.0"},"object_name":"Digital Signature"},"attributes":{"type":"integer_t","description":"The bitmask value that represents the file attributes.","requirement":"optional","caption":"Attributes","type_name":"Integer"},"uri":{"type":"url_t","description":"The file URI, such as those reporting by static analysis tools. E.g., file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js","references":[{"description":"RFC 3986","url":"https://datatracker.ietf.org/doc/html/rfc3986"}],"requirement":"optional","caption":"File URI","type_name":"URL String"},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Character Device"},"6":{"caption":"Named Pipe"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"caption":"Regular File"},"2":{"caption":"Folder"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Block Device"},"5":{"caption":"Local Socket"},"7":{"caption":"Symbolic Link"},"8":{"caption":"Executable File"}},"description":"The file type ID. Note the distinction between a Regular File and an Executable File. If the distinction is not known, or not indicated by the log, use Regular File. In this case, it should not be assumed that a Regular File is not executable.","requirement":"required","caption":"Type ID","sibling":"type","type_name":"Integer"},"xattributes":{"type":"object_t","description":"An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: Digital Signature objects.","is_array":true,"requirement":"optional","object_type":"digital_signature","caption":"Digital Signatures","object_name":"Digital Signature"},"is_encrypted":{"type":"boolean_t","description":"Indicates if the file is encrypted.","requirement":"optional","caption":"Encrypted","type_name":"Boolean"},"internal_name":{"type":"string_t","description":"The name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a VERSIONINFO resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.","requirement":"optional","caption":"Internal Name","type_name":"String"},"name":{"type":"file_name_t","description":"The name of the file. For example: svchost.exe","requirement":"required","caption":"Name","type_name":"File Name"},"url":{"type":"object_t","description":"The URL of the file, when applicable.","requirement":"optional","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"accessed_time":{"type":"timestamp_t","description":"The time when the file was last accessed.","requirement":"optional","caption":"Accessed Time","type_name":"Timestamp"},"desc":{"type":"string_t","description":"The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.","requirement":"optional","caption":"Description","type_name":"String"},"created_time":{"type":"timestamp_t","description":"The time when the file was created.","requirement":"optional","caption":"Created Time","type_name":"Timestamp"},"confidentiality_id":{"type":"integer_t","enum":{"3":{"caption":"Secret"},"6":{"caption":"Restricted"},"0":{"description":"The confidentiality is unknown.","caption":"Unknown"},"1":{"caption":"Not Confidential"},"2":{"caption":"Confidential"},"99":{"description":"The confidentiality is not mapped. See the confidentiality attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Top Secret"},"5":{"caption":"Private"}},"description":"The normalized identifier of the file content confidentiality indicator.","requirement":"optional","caption":"Confidentiality ID","sibling":"confidentiality","type_name":"Integer"},"data_classification":{"type":"object_t","description":"The Data Classification object includes information about data classification levels and data category types.","group":"context","requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","@deprecated":{"message":"Use the attribute data_classifications instead","since":"1.4.0"},"object_name":"Data Classification"},"created_time_dt":{"type":"datetime_t","description":"The time when the file was created.","requirement":"optional","profiles":["datetime"],"caption":"Created Time","type_name":"Datetime"},"data_classifications":{"type":"object_t","description":"A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.","group":"context","is_array":true,"requirement":"recommended","profiles":["data_classification"],"object_type":"data_classification","caption":"Data Classification","object_name":"Data Classification"},"version":{"type":"string_t","description":"The file version. For example: 8.0.7601.17514.","requirement":"optional","caption":"Version","type_name":"String"},"tags":{"type":"object_t","description":"The list of tags; {key:value} pairs associated to the file.","is_array":true,"requirement":"optional","object_type":"key_value_object","caption":"Tags","object_name":"Key:Value object"},"accessed_time_dt":{"type":"datetime_t","description":"The time when the file was last accessed.","requirement":"optional","profiles":["datetime"],"caption":"Accessed Time","type_name":"Datetime"},"security_descriptor":{"type":"string_t","description":"The object security descriptor.","requirement":"optional","caption":"Security Descriptor","type_name":"String"},"accessor":{"type":"object_t","description":"The name of the user who last accessed the object.","requirement":"optional","object_type":"user","caption":"Accessor","object_name":"User"},"volume":{"type":"string_t","description":"The volume on the storage device where the file is located.","requirement":"optional","caption":"Volume","type_name":"String"},"path":{"type":"file_path_t","description":"The full path to the file. For example: c:\\windows\\system32\\svchost.exe.","requirement":"recommended","caption":"Path","type_name":"File Path"},"creator":{"type":"object_t","description":"The user that created the file.","requirement":"optional","object_type":"user","caption":"Creator","object_name":"User"},"modifier":{"type":"object_t","description":"The user that last modified the file.","requirement":"optional","object_type":"user","caption":"Modifier","object_name":"User"},"drive_type_id":{"type":"integer_t","enum":{"3":{"description":"The drive is a remote (network) drive.","caption":"Remote"},"0":{"description":"The drive type is unknown.","caption":"Unknown"},"1":{"description":"The drive has removable media; for example, a floppy drive, thumb drive, or flash card reader.","caption":"Removable"},"2":{"description":"The drive has fixed media; for example, a hard disk drive or flash drive.","caption":"Fixed"},"99":{"description":"The drive type is not mapped. See the drive_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The drive is a CD-ROM drive.","caption":"CD-ROM"},"5":{"description":"The drive is a RAM disk.","caption":"RAM Disk"}},"description":"Identifies the type of a disk drive, i.e. fixed, removable, etc.","requirement":"optional","caption":"Drive Type ID","sibling":"drive_type","type_name":"Integer"},"is_readonly":{"type":"boolean_t","description":"Indicates that the file cannot be modified.","requirement":"optional","caption":"Read-Only","type_name":"Boolean"},"size":{"type":"long_t","description":"The size of data, in bytes.","requirement":"optional","caption":"Size","type_name":"Long"},"storage_class":{"type":"string_t","description":"The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER.","requirement":"optional","profiles":["cloud"],"caption":"Storage Class","type_name":"String"},"hashes":{"type":"object_t","description":"An array of hash attributes.","is_array":true,"requirement":"recommended","object_type":"fingerprint","caption":"Hashes","object_name":"Fingerprint"},"confidentiality":{"type":"string_t","description":"The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.","requirement":"optional","caption":"Confidentiality","type_name":"String"},"encryption_details":{"type":"object_t","description":"The encryption details of the file. Should be populated if the file is encrypted.","requirement":"optional","object_type":"encryption_details","caption":"Encryption Details","object_name":"Encryption Details"},"drive_type":{"type":"string_t","description":"The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source.","requirement":"optional","caption":"Drive Type","type_name":"String"},"company_name":{"type":"string_t","description":"The name of the company that published the file. For example: Microsoft Corporation.","requirement":"optional","caption":"Company Name","type_name":"String"}},"name":"file","description":"The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.","extends":"_entity","constraints":{},"references":[{"description":"D3FEND™ Ontology d3f:File","url":"https://next.d3fend.mitre.org/dao/artifact/d3f:File/"}],"profiles":["data_classification","datetime"],"caption":"File","observable":24},"logger":{"attributes":{"name":{"type":"string_t","description":"The name of the logging product instance.","requirement":"recommended","caption":"Name","type_name":"String"},"version":{"type":"string_t","description":"The version of the logging provider.","requirement":"optional","caption":"Version","type_name":"String"},"device":{"type":"object_t","description":"The device where the events are logged.","requirement":"recommended","object_type":"device","caption":"Device","object_name":"Device"},"product":{"type":"object_t","description":"The product logging the event. This may be the event source product, a management server product, a scanning product, a SIEM, etc.","requirement":"recommended","object_type":"product","caption":"Product","object_name":"Product"},"uid":{"type":"string_t","description":"The unique identifier of the logging product instance.","requirement":"recommended","caption":"Unique ID","type_name":"String"},"log_level":{"type":"string_t","description":"The level at which an event was logged. This can be log provider specific. For example the audit level.","requirement":"optional","caption":"Log Level","type_name":"String"},"event_uid":{"type":"string_t","description":"The unique identifier of the event assigned by the logger.","requirement":"optional","caption":"Event UID","type_name":"String"},"is_truncated":{"type":"boolean_t","description":"Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.","requirement":"optional","caption":"Is Truncated","type_name":"Boolean"},"log_format":{"type":"string_t","description":"The format of data in the log. For example JSON, syslog or CSV.","requirement":"optional","caption":"Log Format","type_name":"String"},"log_name":{"type":"string_t","description":"The log name for the logging provider log, or the file name of the system log. This may be an intermediate store-and-forward log or a vendor destination log. For example /archive/server1/var/log/messages.0 or /var/log/.","requirement":"recommended","caption":"Log Name","type_name":"String"},"log_provider":{"type":"string_t","description":"The logging provider or logging service that logged the event. This may be an intermediate application store-and-forward log or a vendor destination log.","requirement":"recommended","caption":"Log Provider","type_name":"String"},"log_version":{"type":"string_t","description":"The event log schema version of the original event. For example the syslog version or the Cisco Log Schema version","requirement":"optional","caption":"Log Version","type_name":"String"},"logged_time":{"type":"timestamp_t","description":"The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.","requirement":"recommended","caption":"Logged Time","type_name":"Timestamp"},"transmit_time":{"type":"timestamp_t","description":"The time when the event was transmitted from the logging device to it's next destination.","requirement":"recommended","caption":"Transmission Time","type_name":"Timestamp"},"untruncated_size":{"type":"integer_t","description":"The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated whenis_truncated is true to indicate the full size of the original event.","requirement":"optional","caption":"Untruncated Size","type_name":"Integer"},"logged_time_dt":{"type":"datetime_t","description":"The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.","requirement":"optional","profiles":["datetime"],"caption":"Logged Time","type_name":"Datetime"},"transmit_time_dt":{"type":"datetime_t","description":"The time when the event was transmitted from the logging device to it's next destination.","requirement":"optional","profiles":["datetime"],"caption":"Transmission Time","type_name":"Datetime"}},"name":"logger","description":"The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.","extends":"_entity","constraints":{"at_least_one":["name","uid"]},"profiles":["container","data_classification","datetime"],"caption":"Logger"},"network_endpoint":{"attributes":{"proxy_endpoint":{"type":"object_t","description":"The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).","requirement":"optional","object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"zone":{"type":"string_t","description":"The network zone or LAN segment.","requirement":"optional","caption":"Network Zone","type_name":"String"},"uid":{"type":"string_t","description":"The unique identifier of the endpoint.","requirement":"recommended","caption":"Unique ID","type_name":"String","observable":48},"os":{"type":"object_t","description":"The endpoint operating system.","requirement":"optional","object_type":"os","caption":"OS","object_name":"Operating System (OS)"},"vpc_uid":{"type":"string_t","description":"The unique identifier of the Virtual Private Cloud (VPC).","requirement":"optional","caption":"VPC UID","type_name":"String"},"port":{"type":"port_t","description":"The port used for communication within the network connection.","requirement":"recommended","caption":"Port","type_name":"Port"},"network_scope_id":{"type":"integer_t","enum":{"0":{"description":"Unknown whether this endpoint resides within the customer’s network.","caption":"Unknown"},"1":{"description":"The endpoint resides inside the customer’s network.","caption":"Internal"},"2":{"description":"The endpoint is on the Internet or otherwise external to the customer’s network.","caption":"External"},"99":{"description":"The network scope is not mapped. See thenetwork_scope attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the endpoint’s network scope. The normalized network scope identifier indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined.","requirement":"optional","caption":"Network Scope ID","sibling":"network_scope","type_name":"Integer"},"fingerprints":{"type":"object_t","description":"Fingerprints that identify the specific application implementation on this endpoint, such as Cisco NPF or HASSH.","is_array":true,"requirement":"optional","object_type":"fingerprint","caption":"Fingerprints","object_name":"Fingerprint"},"owner":{"type":"object_t","description":"The identity of the service or user account that owns the endpoint or was last logged into it.","requirement":"recommended","object_type":"user","caption":"Owner","object_name":"User"},"type":{"type":"string_t","description":"The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.","requirement":"optional","caption":"Type","type_name":"String"},"network_scope":{"type":"string_t","description":"Indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the network_scope_id.","requirement":"optional","caption":"Network Scope","type_name":"String"},"container":{"type":"object_t","description":"The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.","group":"context","requirement":"recommended","profiles":["container"],"object_type":"container","caption":"Container","object_name":"Container"},"type_id":{"type":"integer_t","enum":{"3":{"description":"A laptop computer.","caption":"Laptop"},"6":{"description":"A virtual machine.","caption":"Virtual"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"A server.","caption":"Server"},"2":{"description":"A desktop computer.","caption":"Desktop"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A tablet computer.","caption":"Tablet"},"5":{"description":"A mobile phone.","caption":"Mobile"},"7":{"description":"An IOT (Internet of Things) device.","caption":"IOT"},"8":{"description":"A web browser.","caption":"Browser"},"9":{"description":"A networking firewall.","caption":"Firewall"},"10":{"description":"A networking switch.","caption":"Switch"},"11":{"description":"A networking hub.","caption":"Hub"},"12":{"description":"A networking router.","caption":"Router"},"14":{"description":"An intrusion prevention system.","caption":"IPS"},"15":{"description":"A Load Balancer device.","caption":"Load Balancer"},"13":{"description":"An intrusion detection system.","caption":"IDS"}},"description":"The network endpoint type ID.","requirement":"recommended","caption":"Type ID","sibling":"type","type_name":"Integer"},"domain":{"type":"string_t","description":"The name of the domain that the endpoint belongs to or that corresponds to the endpoint.","requirement":"optional","caption":"Domain","type_name":"String"},"pool":{"type":"object_t","description":"The pool of desktops or virtual machines to which the endpoint belongs.","requirement":"optional","object_type":"group","caption":"Pool","object_name":"Group"},"interface_name":{"type":"string_t","description":"The name of the network interface (e.g. eth2).","requirement":"recommended","caption":"Network Interface Name","type_name":"String"},"isp":{"type":"string_t","description":"The name of the Internet Service Provider (ISP).","requirement":"optional","caption":"ISP Name","type_name":"String"},"namespace_pid":{"type":"integer_t","description":"If running under a process namespace (such as in a container), the process identifier within that process namespace.","group":"context","requirement":"recommended","profiles":["container"],"caption":"Namespace PID","type_name":"Integer"},"mac_vendor":{"type":"string_t","description":"The vendor or manufacturer of the endpoint's network interface controller (NIC), as identified from the MAC address.","references":[{"description":"IEEE Registration Authority","url":"https://standards.ieee.org/products-programs/regauth/"}],"requirement":"optional","caption":"MAC Vendor","type_name":"String"},"name":{"type":"string_t","description":"The short name of the endpoint.","requirement":"recommended","caption":"Name","type_name":"String"},"mac":{"type":"mac_t","description":"The Media Access Control (MAC) address of the endpoint.","requirement":"optional","caption":"MAC Address","type_name":"MAC Address"},"instance_uid":{"type":"string_t","description":"The unique identifier of a VM instance.","requirement":"recommended","caption":"Instance ID","type_name":"String"},"subnet_uid":{"type":"string_t","description":"The unique identifier of a virtual subnet.","requirement":"optional","caption":"Subnet UID","type_name":"String"},"vlan_uid":{"type":"string_t","description":"The Virtual LAN identifier.","requirement":"optional","caption":"VLAN","type_name":"String"},"svc_name":{"type":"string_t","description":"The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.","requirement":"recommended","caption":"Service Name","type_name":"String"},"hostname":{"type":"hostname_t","description":"The fully qualified name of the endpoint.","requirement":"recommended","caption":"Hostname","type_name":"Hostname"},"autonomous_system":{"type":"object_t","description":"The Autonomous System details associated with an IP address.","requirement":"optional","object_type":"autonomous_system","caption":"Autonomous System","object_name":"Autonomous System"},"agent_list":{"type":"object_t","description":"A list of agent objects associated with a device, endpoint, or resource.","is_array":true,"requirement":"optional","object_type":"agent","caption":"Agent List","object_name":"Agent"},"interface_uid":{"type":"string_t","description":"The unique identifier of the network interface.","requirement":"recommended","caption":"Network Interface ID","type_name":"String"},"hw_info":{"type":"object_t","description":"The endpoint hardware information.","requirement":"optional","object_type":"device_hw_info","caption":"Hardware Info","object_name":"Device Hardware Info"},"ip":{"type":"ip_t","description":"The IP address of the endpoint, in either IPv4 or IPv6 format.","requirement":"recommended","caption":"IP Address","type_name":"IP Address"},"isp_org":{"type":"string_t","description":"The organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.","requirement":"optional","caption":"ISP Org","type_name":"String"},"location":{"type":"object_t","description":"The geographical location of the endpoint.","requirement":"optional","object_type":"location","caption":"Geo Location","object_name":"Geo Location"},"intermediate_ips":{"type":"ip_t","description":"The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.","is_array":true,"requirement":"optional","caption":"Intermediate IP Addresses","type_name":"IP Address"}},"name":"network_endpoint","description":"The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.","extends":"endpoint","constraints":{"at_least_one":["ip","uid","name","hostname","svc_name","instance_uid","interface_uid","interface_name","domain"]},"references":[{"description":"D3FEND™ Ontology d3f:ComputerNetworkNode.","url":"https://d3fend.mitre.org/dao/artifact/d3f:ComputerNetworkNode/"}],"profiles":["container"],"caption":"Network Endpoint","observable":20}},"categories":{"attributes":{"system":{"description":"System Activity events.","uid":1,"caption":"System Activity"},"application":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"},"discovery":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"},"findings":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"},"iam":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"},"network":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"},"remediation":{"description":"Remediation events report the results of remediation commands targeting files, processes, and other objects.","uid":7,"caption":"Remediation"},"unmanned_systems":{"description":"Unmanned Systems events report the activity, existence, and/or state of unmanned systems for tracking, mission planning, and other related activities.","uid":8,"caption":"Unmanned Systems"}},"name":"category","description":"The OCSF categories organize event classes, each aligned with a specific domain or area of focus.","caption":"Categories"},"classes":{"application_lifecycle":{"attributes":{"app":{"type":"object_t","description":"The application that was affected by the lifecycle event. This also applies to self-updating application systems.","group":"primary","requirement":"required","object_type":"product","caption":"Application","object_name":"Product"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"6002":{"description":"Application Lifecycle events report installation, removal, start, stop of an application or service.","caption":"Application Lifecycle"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Start the application.","caption":"Start"},"6":{"description":"Enable the application.","caption":"Enable"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Install the application.","caption":"Install"},"2":{"description":"Remove the application.","caption":"Remove"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Stop the application.","caption":"Stop"},"5":{"description":"Restart the application.","caption":"Restart"},"7":{"description":"Disable the application.","caption":"Disable"},"8":{"description":"Update the application.","caption":"Update"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600200":{"caption":"Application Lifecycle: Unknown"},"600299":{"caption":"Application Lifecycle: Other"},"600201":{"description":"Install the application.","caption":"Application Lifecycle: Install"},"600202":{"description":"Remove the application.","caption":"Application Lifecycle: Remove"},"600203":{"description":"Start the application.","caption":"Application Lifecycle: Start"},"600204":{"description":"Stop the application.","caption":"Application Lifecycle: Stop"},"600205":{"description":"Restart the application.","caption":"Application Lifecycle: Restart"},"600206":{"description":"Enable the application.","caption":"Application Lifecycle: Enable"},"600207":{"description":"Disable the application.","caption":"Application Lifecycle: Disable"},"600208":{"description":"Update the application.","caption":"Application Lifecycle: Update"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Application Lifecycle.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"application_lifecycle","description":"Application Lifecycle events report installation, removal, start, stop of an application or service.","uid":6002,"extends":"application","category":"application","references":[{"description":"D3FEND™ Ontology d3f:ApplicationEvent","url":"https://d3fend.mitre.org/event/d3f:ApplicationEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Application Activity","caption":"Application Lifecycle","category_uid":6},"patch_state":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5004":{"description":"Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.","caption":"Operating System Patch State"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500400":{"caption":"Operating System Patch State: Unknown"},"500499":{"caption":"Operating System Patch State: Other"},"500401":{"description":"The discovered information is via a log.","caption":"Operating System Patch State: Log"},"500402":{"description":"The discovered information is via a collection process.","caption":"Operating System Patch State: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"kb_article_list":{"type":"object_t","description":"A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.","group":"primary","is_array":true,"requirement":"recommended","object_type":"kb_article","caption":"Knowledgebase Articles","object_name":"KB Article"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Operating System Patch State.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"patch_state","description":"Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.","uid":5004,"extends":"discovery","category":"discovery","constraints":{"at_least_one":["device.os.sp_name","device.os.sp_ver","device.os.version"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Operating System Patch State","category_uid":5},"dhcp_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g.,https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"transaction_uid":{"type":"string_t","description":"The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair.","group":"primary","requirement":"recommended","caption":"Transaction UID","type_name":"String"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"is_renewal":{"type":"boolean_t","description":"Indicates whether this is a lease/session renewal event.","group":"primary","requirement":"recommended","caption":"Renewal","type_name":"Boolean"},"class_uid":{"type":"integer_t","enum":{"4004":{"description":"DHCP Activity events report MAC to IP assignment via DHCP from a client or server.","caption":"DHCP Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"DHCPREQUEST","caption":"Request"},"6":{"description":"DHCPNAK","caption":"Nak"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"DHCPDISCOVER","caption":"Discover"},"2":{"description":"DHCPOFFER","caption":"Offer"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"DHCPDECLINE","caption":"Decline"},"5":{"description":"DHCPACK: The server accepts the request by sending the client a DHCP Acknowledgment message.","caption":"Ack"},"7":{"description":"DHCPRELEASE: A DHCP client sends a DHCPRELEASE packet to the server to release the IP address and cancel any remaining lease.","caption":"Release"},"8":{"description":"DHCPINFORM","caption":"Inform"},"9":{"description":"DHCPEXPIRE: A DHCP lease expired.","caption":"Expire"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400400":{"caption":"DHCP Activity: Unknown"},"400499":{"caption":"DHCP Activity: Other"},"400401":{"description":"DHCPDISCOVER","caption":"DHCP Activity: Discover"},"400402":{"description":"DHCPOFFER","caption":"DHCP Activity: Offer"},"400403":{"description":"DHCPREQUEST","caption":"DHCP Activity: Request"},"400404":{"description":"DHCPDECLINE","caption":"DHCP Activity: Decline"},"400405":{"description":"DHCPACK: The server accepts the request by sending the client a DHCP Acknowledgment message.","caption":"DHCP Activity: Ack"},"400406":{"description":"DHCPNAK","caption":"DHCP Activity: Nak"},"400407":{"description":"DHCPRELEASE: A DHCP client sends a DHCPRELEASE packet to the server to release the IP address and cancel any remaining lease.","caption":"DHCP Activity: Release"},"400408":{"description":"DHCPINFORM","caption":"DHCP Activity: Inform"},"400409":{"description":"DHCPEXPIRE: A DHCP lease expired.","caption":"DHCP Activity: Expire"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"relay":{"type":"object_t","description":"The network relay that is associated with the event.","group":"primary","requirement":"recommended","object_type":"network_interface","caption":"Relay","object_name":"Network Interface"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the DHCP connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"lease_dur":{"type":"integer_t","description":"This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.","group":"primary","requirement":"recommended","caption":"Lease Duration","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: DHCP Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) of the DHCP connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"dhcp_activity","description":"DHCP Activity events report MAC to IP assignment via DHCP from a client or server.","uid":4004,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:DHCPEvent","url":"https://d3fend.mitre.org/event/d3f:DHCPEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"DHCP Activity","category_uid":4},"evidence_info":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5040":{"description":"Data collected directly from devices that represents forensic information pulled, queried, or discovered from devices that may indicate malicious activity. It contains a number of child objects, each representing a distinct evidence domain (network connections, file artifacts, registry entries, etc.). When mapping raw telemetry data users should select Query Evidence and then the appropriate child object that best matches the evidence type.","caption":"Live Evidence Info"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host from which evidence was collected.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"504000":{"caption":"Live Evidence Info: Unknown"},"504099":{"caption":"Live Evidence Info: Other"},"504001":{"description":"The discovered results are via a query request.","caption":"Live Evidence Info: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Live Evidence Info.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"query_evidence":{"type":"object_t","description":"The specific resulting evidence information that was queried or discovered based on the query type. Contains various child objects corresponding to the query_type_id values.","group":"primary","requirement":"required","object_type":"query_evidence","caption":"Query Evidence","object_name":"Query Evidence"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"evidence_info","description":"Data collected directly from devices that represents forensic information pulled, queried, or discovered from devices that may indicate malicious activity. It contains a number of child objects, each representing a distinct evidence domain (network connections, file artifacts, registry entries, etc.). When mapping raw telemetry data users should select Query Evidence and then the appropriate child object that best matches the evidence type.","uid":5040,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Live Evidence Info","category_uid":5},"admin_group_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5009":{"description":"Admin Group Query events report information about administrative groups.","caption":"Admin Group Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"group":{"type":"object_t","description":"The administrative group.","group":"primary","requirement":"required","object_type":"group","caption":"Group","object_name":"Group"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500900":{"caption":"Admin Group Query: Unknown"},"500999":{"caption":"Admin Group Query: Other"},"500901":{"description":"The discovered results are via a query request.","caption":"Admin Group Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"users":{"type":"object_t","description":"The users that belong to the administrative group.","group":"primary","is_array":true,"requirement":"recommended","object_type":"user","caption":"Users","object_name":"User"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Admin Group Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"admin_group_query","description":"Admin Group Query events report information about administrative groups.","uid":5009,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Admin Group Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"group_management":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying HTTP response.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"3006":{"description":"Group Management events report management updates to a group, including updates to membership and permissions.","caption":"Group Management"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"A user that was added to or removed from the group.","group":"primary","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"subgroup":{"type":"object_t","description":"A subgroup that was added to or removed from the group.","group":"primary","requirement":"recommended","object_type":"group","caption":"Subgroup","object_name":"Group"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Add user to a group.","caption":"Add User"},"6":{"description":"A group was created.","caption":"Create"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Assign privileges to a group.","caption":"Assign Privileges"},"2":{"description":"Revoke privileges from a group.","caption":"Revoke Privileges"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Remove user from a group.","caption":"Remove User"},"5":{"description":"A group was deleted.","caption":"Delete"},"7":{"description":"Add subgroup to a group.","caption":"Add Subgroup"},"8":{"description":"Remove subgroup from a group.","caption":"Remove Subgroup"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"group":{"type":"object_t","description":"Group that was the target of the event.","group":"primary","requirement":"required","object_type":"group","caption":"Group","object_name":"Group"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"3":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"resource":{"type":"object_t","description":"Resource that the privileges give access to.","group":"primary","requirement":"recommended","object_type":"resource_details","caption":"Resource","object_name":"Resource Details"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"privileges":{"type":"string_t","description":"A list of privileges assigned to the group.","group":"primary","is_array":true,"requirement":"recommended","caption":"Privileges","type_name":"String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"300600":{"caption":"Group Management: Unknown"},"300699":{"caption":"Group Management: Other"},"300601":{"description":"Assign privileges to a group.","caption":"Group Management: Assign Privileges"},"300602":{"description":"Revoke privileges from a group.","caption":"Group Management: Revoke Privileges"},"300603":{"description":"Add user to a group.","caption":"Group Management: Add User"},"300604":{"description":"Remove user from a group.","caption":"Group Management: Remove User"},"300605":{"description":"A group was deleted.","caption":"Group Management: Delete"},"300606":{"description":"A group was created.","caption":"Group Management: Create"},"300607":{"description":"Add subgroup to a group.","caption":"Group Management: Add Subgroup"},"300608":{"description":"Remove subgroup from a group.","caption":"Group Management: Remove Subgroup"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the IAM activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Identity & Access Management.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"optional","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Group Management.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"group_management","description":"Group Management events report management updates to a group, including updates to membership and permissions.","uid":3006,"extends":"iam","category":"iam","references":[{"description":"D3FEND™ Ontology d3f:GroupManagementEvent","url":"https://d3fend.mitre.org/event/d3f:GroupManagementEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Identity & Access Management","caption":"Group Management","category_uid":3},"datastore_activity":{"attributes":{"query_info":{"type":"object_t","description":"The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"ai_model":{"type":"object_t","description":"The AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.","group":"context","requirement":"recommended","profiles":["ai_operation"],"object_type":"ai_model","caption":"AI Model","object_name":"AI Model"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying http response.","group":"primary","requirement":"recommended","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"6005":{"description":"Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).","caption":"Datastore Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"type":{"type":"string_t","description":"The datastore resource type (e.g. database, datastore, or table).","requirement":"optional","caption":"Datastore Type","type_name":"String"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"message_context":{"type":"object_t","description":"Communication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.","group":"context","requirement":"optional","profiles":["ai_operation"],"object_type":"message_context","caption":"Message Context","object_name":"Message Context"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The 'Connect' activity involves establishing a connection to the datastore.","caption":"Connect"},"6":{"description":"The 'Create' activity involves generating new data record details.","caption":"Create"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The 'Read' activity involves accessing specific data record details.","caption":"Read"},"2":{"description":"The 'Update' activity pertains to modifying specific data record details.","caption":"Update"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The 'Query' activity involves retrieving a filtered subset of data based on specific criteria.","caption":"Query"},"5":{"description":"The 'Write' activity involves writing specific data record details.","caption":"Write"},"7":{"description":"The 'Delete' activity involves removing specific data record details.","caption":"Delete"},"8":{"description":"The 'List' activity provides an overview of existing data records.","caption":"List"},"9":{"description":"The 'Encrypt' activity involves securing data by encrypting a specific data record.","caption":"Encrypt"},"10":{"description":"The 'Decrypt' activity involves converting encrypted data back to its original format.","caption":"Decrypt"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"type_id":{"type":"integer_t","enum":{"3":{"caption":"Table"},"0":{"description":"The datastore resource type is unknown.","caption":"Unknown"},"1":{"caption":"Database"},"2":{"caption":"Databucket"},"99":{"description":"The datastore resource type is not mapped.","caption":"Other"}},"description":"The normalized datastore resource type identifier.","requirement":"recommended","caption":"Datastore Type ID","sibling":"type","type_name":"Integer"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"databucket":{"type":"object_t","description":"The data bucket object is a basic container that holds data, typically organized through the use of data partitions.","group":"primary","requirement":"recommended","object_type":"databucket","caption":"Databucket","object_name":"Databucket"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"database":{"type":"object_t","description":"The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.","group":"primary","requirement":"recommended","object_type":"database","caption":"Database","object_name":"Database"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600500":{"caption":"Datastore Activity: Unknown"},"600599":{"caption":"Datastore Activity: Other"},"600501":{"description":"The 'Read' activity involves accessing specific data record details.","caption":"Datastore Activity: Read"},"600502":{"description":"The 'Update' activity pertains to modifying specific data record details.","caption":"Datastore Activity: Update"},"600503":{"description":"The 'Connect' activity involves establishing a connection to the datastore.","caption":"Datastore Activity: Connect"},"600504":{"description":"The 'Query' activity involves retrieving a filtered subset of data based on specific criteria.","caption":"Datastore Activity: Query"},"600505":{"description":"The 'Write' activity involves writing specific data record details.","caption":"Datastore Activity: Write"},"600506":{"description":"The 'Create' activity involves generating new data record details.","caption":"Datastore Activity: Create"},"600507":{"description":"The 'Delete' activity involves removing specific data record details.","caption":"Datastore Activity: Delete"},"600508":{"description":"The 'List' activity provides an overview of existing data records.","caption":"Datastore Activity: List"},"600509":{"description":"The 'Encrypt' activity involves securing data by encrypting a specific data record.","caption":"Datastore Activity: Encrypt"},"600510":{"description":"The 'Decrypt' activity involves converting encrypted data back to its original format.","caption":"Datastore Activity: Decrypt"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"table":{"type":"object_t","description":"The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.","group":"primary","requirement":"recommended","object_type":"table","caption":"Table","object_name":"Table"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the activity.","group":"primary","requirement":"required","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying http request.","group":"primary","requirement":"recommended","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Datastore Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"Details about the endpoint hosting the datastore application or service.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"datastore_activity","description":"Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).","uid":6005,"extends":"application","category":"application","constraints":{"at_least_one":["database","databucket","table"]},"profiles":["ai_operation","cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Application Activity","caption":"Datastore Activity","category_uid":6},"user_inventory":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5003":{"description":"User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.","caption":"User Inventory Info"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The user that is being discovered by an inventory process.","group":"primary","requirement":"required","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500300":{"caption":"User Inventory Info: Unknown"},"500399":{"caption":"User Inventory Info: Other"},"500301":{"description":"The discovered information is via a log.","caption":"User Inventory Info: Log"},"500302":{"description":"The discovered information is via a collection process.","caption":"User Inventory Info: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: User Inventory Info.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"user_inventory","description":"User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.","uid":5003,"extends":"discovery","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"User Inventory Info","category_uid":5},"api_activity":{"attributes":{"ai_model":{"type":"object_t","description":"The AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.","group":"context","requirement":"recommended","profiles":["ai_operation"],"object_type":"ai_model","caption":"AI Model","object_name":"AI Model"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"resources":{"type":"object_t","description":"Details about resources that were affected by the activity/event.","group":"primary","is_array":true,"requirement":"recommended","object_type":"resource_details","caption":"Resources Array","object_name":"Resource Details"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying http response.","group":"primary","requirement":"recommended","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"6003":{"description":"API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)","caption":"API Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"message_context":{"type":"object_t","description":"Communication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.","group":"context","requirement":"optional","profiles":["ai_operation"],"object_type":"message_context","caption":"Message Context","object_name":"Message Context"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The API call in the event pertains to a 'update' activity.","caption":"Update"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The API call in the event pertains to a 'create' activity.","caption":"Create"},"2":{"description":"The API call in the event pertains to a 'read' activity.","caption":"Read"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The API call in the event pertains to a 'delete' activity.","caption":"Delete"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600300":{"caption":"API Activity: Unknown"},"600399":{"caption":"API Activity: Other"},"600301":{"description":"The API call in the event pertains to a 'create' activity.","caption":"API Activity: Create"},"600302":{"description":"The API call in the event pertains to a 'read' activity.","caption":"API Activity: Read"},"600303":{"description":"The API call in the event pertains to a 'update' activity.","caption":"API Activity: Update"},"600304":{"description":"The API call in the event pertains to a 'delete' activity.","caption":"API Activity: Delete"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"trace":{"type":"object_t","description":"The trace object contains information about distributed traces which are critical to observability and describe how requests move through a system, capturing each step's timing and status.","group":"primary","requirement":"recommended","profiles":["trace"],"object_type":"trace","caption":"Trace","object_name":"Trace"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the activity.","group":"primary","requirement":"required","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"primary","requirement":"required","profiles":null,"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying http request.","group":"primary","requirement":"recommended","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: API Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The network destination endpoint.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"api_activity","description":"API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)","uid":6003,"extends":"application","category":"application","profiles":["ai_operation","cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control","trace"],"category_name":"Application Activity","caption":"API Activity","category_uid":6},"authorize_session":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying HTTP response.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"3003":{"description":"Authorize Session events report privileges or groups assigned to a new user session, usually at login time.","caption":"Authorize Session"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The user to which new privileges were assigned.","group":"primary","requirement":"required","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Assign special privileges to a new logon.","caption":"Assign Privileges"},"2":{"description":"Assign special groups to a new logon.","caption":"Assign Groups"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"group":{"type":"object_t","description":"Group that was assigned to the new user session.","group":"primary","requirement":"recommended","object_type":"group","caption":"Group","object_name":"Group"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"3":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"privileges":{"type":"string_t","description":"The list of sensitive privileges, assigned to the new user session.","group":"primary","is_array":true,"requirement":"recommended","caption":"Privileges","type_name":"String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"300300":{"caption":"Authorize Session: Unknown"},"300399":{"caption":"Authorize Session: Other"},"300301":{"description":"Assign special privileges to a new logon.","caption":"Authorize Session: Assign Privileges"},"300302":{"description":"Assign special groups to a new logon.","caption":"Authorize Session: Assign Groups"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the IAM activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Identity & Access Management.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"optional","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Authorize Session.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The Endpoint for which the user session was targeted.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"authorize_session","description":"Authorize Session events report privileges or groups assigned to a new user session, usually at login time.","uid":3003,"extends":"iam","category":"iam","constraints":{"just_one":["privileges","group"]},"references":[{"description":"D3FEND™ Ontology d3f:AuthorizationEvent","url":"https://d3fend.mitre.org/event/d3f:AuthorizationEvent/"}],"associations":{"session":["user"],"user":["session"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Identity & Access Management","caption":"Authorize Session","category_uid":3},"application_security_posture_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes likeseverity_id.type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2007":{"description":"The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","caption":"Application Security Posture Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A finding was closed.","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A finding was created.","caption":"Create"},"2":{"description":"A finding was updated.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the finding activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"Describes the affected device/host. If applicable, it can be used in conjunction with Resource(s). e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.
","group":"context","requirement":"optional","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200700":{"caption":"Application Security Posture Finding: Unknown"},"200799":{"caption":"Application Security Posture Finding: Other"},"200701":{"description":"A finding was created.","caption":"Application Security Posture Finding: Create"},"200702":{"description":"A finding was updated.","caption":"Application Security Posture Finding: Update"},"200703":{"description":"A finding was closed.","caption":"Application Security Posture Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as:class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"group","caption":"Assignee Group","object_name":"Group"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The finding activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","group":"primary","requirement":"required","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"primary","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"recommended","profiles":["incident"],"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"application":{"type":"object_t","description":"An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.","group":"primary","requirement":"recommended","object_type":"application","caption":"Related Application","object_name":"Application"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"A user provided comment about the finding.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified vulnerabilities or weaknesses.","group":"context","requirement":"recommended","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Application Security Posture Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Finding was reviewed, remediated and is now considered resolved.","caption":"Resolved"},"5":{"description":"The Finding was archived.","caption":"Archived"}},"description":"The normalized status identifier of the Finding, set by the consumer.","group":"context","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"user","caption":"Assignee","object_name":"User"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"application_security_posture_finding","description":"The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, thesecurity_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","uid":2007,"extends":"finding","category":"findings","constraints":{"at_least_one":["application","compliance","remediation","vulnerabilities"]},"profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Application Security Posture Finding","category_uid":2},"peripheral_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1010":{"description":"Peripheral Activity events log a system's interactions with external, connectable, and detachable hardware. These events provide visibility into the external devices connected to and used by a system.","caption":"Peripheral Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A peripheral device was enabled on the system.","caption":"Enable"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A peripheral device was connected to the system.","caption":"Connect"},"2":{"description":"A peripheral device was disconnected from the system.","caption":"Disconnect"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A peripheral device was disabled on the system.","caption":"Disable"},"5":{"description":"A peripheral device was ejected from the system. This is typically used for removable media devices. Note: For Mount and Unmount events, see the File System Activity event class.","caption":"Eject"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"peripheral_device":{"type":"object_t","description":"The peripheral device that is the subject of the activity.","group":"primary","requirement":"required","object_type":"peripheral_device","caption":"Peripheral Device","object_name":"Peripheral Device"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"101000":{"caption":"Peripheral Activity: Unknown"},"101099":{"caption":"Peripheral Activity: Other"},"101001":{"description":"A peripheral device was connected to the system.","caption":"Peripheral Activity: Connect"},"101002":{"description":"A peripheral device was disconnected from the system.","caption":"Peripheral Activity: Disconnect"},"101003":{"description":"A peripheral device was enabled on the system.","caption":"Peripheral Activity: Enable"},"101004":{"description":"A peripheral device was disabled on the system.","caption":"Peripheral Activity: Disable"},"101005":{"description":"A peripheral device was ejected from the system. This is typically used for removable media devices. Note: For Mount and Unmount events, see the File System Activity event class.","caption":"Peripheral Activity: Eject"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Peripheral Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"peripheral_activity","description":"Peripheral Activity events log a system's interactions with external, connectable, and detachable hardware. These events provide visibility into the external devices connected to and used by a system.","uid":1010,"extends":"system","category":"system","associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Peripheral Activity","category_uid":1},"networks_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5013":{"description":"Networks Query events report information about network adapters.","caption":"Networks Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501300":{"caption":"Networks Query: Unknown"},"501399":{"caption":"Networks Query: Other"},"501301":{"description":"The discovered results are via a query request.","caption":"Networks Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Networks Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"network_interfaces":{"type":"object_t","description":"The physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.
","group":"primary","is_array":true,"requirement":"required","object_type":"network_interface","caption":"Network Interfaces","object_name":"Network Interface"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers fromstart_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"networks_query","description":"Networks Query events report information about network adapters.","uid":5013,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Networks Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"file_activity":{"attributes":{"file_diff":{"type":"string_t","description":"File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.","group":"primary","requirement":"recommended","caption":"File Diff","type_name":"String"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1001":{"description":"File System Activity events report when a process performs an action on a file or folder.","caption":"File System Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A request to write data to a file on a file system.","caption":"Update"},"6":{"description":"A request to set attributes for a file on a file system.","caption":"Set Attributes"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A request to create a new file on a file system.","caption":"Create"},"2":{"description":"A request to read data from a file on a file system.","caption":"Read"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A request to delete a file on a file system.","caption":"Delete"},"5":{"description":"A request to rename a file on a file system.","caption":"Rename"},"7":{"description":"A request to set security for a file on a file system.","caption":"Set Security"},"8":{"description":"A request to get attributes for a file on a file system.","caption":"Get Attributes"},"9":{"description":"A request to get security for a file on a file system.","caption":"Get Security"},"10":{"description":"A request to encrypt a file on a file system.","caption":"Encrypt"},"11":{"description":"A request to decrypt a file on a file system.","caption":"Decrypt"},"12":{"description":"A request to mount a file on a file system.","caption":"Mount"},"14":{"description":"A request to create a file handle.","caption":"Open"},"13":{"description":"A request to unmount a file from a file system.","caption":"Unmount"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"connection_uid":{"type":"string_t","description":"The network connection identifier.","group":"context","requirement":"optional","caption":"Connection Identifier","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"create_mask":{"type":"string_t","description":"The original Windows mask that is required to create the object.","group":"primary","requirement":"recommended","caption":"Create Mask","type_name":"String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the file object","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100100":{"caption":"File System Activity: Unknown"},"100199":{"caption":"File System Activity: Other"},"100101":{"description":"A request to create a new file on a file system.","caption":"File System Activity: Create"},"100102":{"description":"A request to read data from a file on a file system.","caption":"File System Activity: Read"},"100103":{"description":"A request to write data to a file on a file system.","caption":"File System Activity: Update"},"100104":{"description":"A request to delete a file on a file system.","caption":"File System Activity: Delete"},"100105":{"description":"A request to rename a file on a file system.","caption":"File System Activity: Rename"},"100106":{"description":"A request to set attributes for a file on a file system.","caption":"File System Activity: Set Attributes"},"100107":{"description":"A request to set security for a file on a file system.","caption":"File System Activity: Set Security"},"100108":{"description":"A request to get attributes for a file on a file system.","caption":"File System Activity: Get Attributes"},"100109":{"description":"A request to get security for a file on a file system.","caption":"File System Activity: Get Security"},"100110":{"description":"A request to encrypt a file on a file system.","caption":"File System Activity: Encrypt"},"100111":{"description":"A request to decrypt a file on a file system.","caption":"File System Activity: Decrypt"},"100112":{"description":"A request to mount a file on a file system.","caption":"File System Activity: Mount"},"100113":{"description":"A request to unmount a file from a file system.","caption":"File System Activity: Unmount"},"100114":{"description":"A request to create a file handle.","caption":"File System Activity: Open"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"access_mask":{"type":"integer_t","description":"The access mask in a platform-native format.","group":"context","requirement":"optional","caption":"Access Mask","type_name":"Integer"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: File System Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"component":{"type":"string_t","description":"The name or relative pathname of a sub-component of the data object, if applicable.
For example:attachment.doc, attachment.zip/bad.doc, or part.mime/part.cab/part.uue/part.doc.","group":"primary","requirement":"recommended","caption":"Component","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file_result":{"type":"object_t","description":"The resulting file object when the activity was allowed and successful.","group":"primary","requirement":"recommended","object_type":"file","caption":"File Result","object_name":"File"},"file":{"type":"object_t","description":"The file that is the target of the activity.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"file_activity","description":"File System Activity events report when a process performs an action on a file or folder.","uid":1001,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:FileEvent","url":"https://d3fend.mitre.org/event/d3f:FileEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"File System Activity","category_uid":1},"email_file_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4011":{"description":"Email File Activity events report files within emails.","caption":"Email File Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Email file being scanned (example: security scanning).","caption":"Scan"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Send"},"2":{"caption":"Receive"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"email_uid":{"type":"string_t","description":"The unique identifier of the email, used to correlate related email alert and activity events.","group":"primary","requirement":"required","caption":"Email UID","type_name":"String","@deprecated":{"message":"Use the email.uid attribute instead.","since":"1.4.0"}},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"401100":{"caption":"Email File Activity: Unknown"},"401199":{"caption":"Email File Activity: Other"},"401101":{"caption":"Email File Activity: Send"},"401102":{"caption":"Email File Activity: Receive"},"401103":{"description":"Email file being scanned (example: security scanning).","caption":"Email File Activity: Scan"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Email File Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The email file attachment.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"email_file_activity","description":"Email File Activity events report files within emails.","uid":4011,"extends":"base_event","category":"network","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Network Activity","caption":"Email File Activity","@deprecated":{"message":"Use theEmail Activity class with the email.files[] array instead.","since":"1.3.0"},"category_uid":4},"tunnel_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4014":{"description":"Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.","caption":"Tunnel Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The user associated with the tunnel activity.","group":"primary","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"tunnel_interface":{"type":"object_t","description":"The information about the virtual tunnel interface, e.g. utun0. This is usually associated with the private (rfc-1918) ip of the tunnel.","group":"primary","requirement":"recommended","object_type":"network_interface","caption":"Tunnel Interface","object_name":"Network Interface"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Renew a tunnel.","caption":"Renew"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Open a tunnel.","caption":"Open"},"2":{"description":"Close a tunnel.","caption":"Close"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"The device that reported the event.","group":"primary","requirement":"recommended","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"401400":{"caption":"Tunnel Activity: Unknown"},"401499":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Tunnel Activity: Other"},"401401":{"description":"Open a tunnel.","caption":"Tunnel Activity: Open"},"401402":{"description":"Close a tunnel.","caption":"Tunnel Activity: Close"},"401403":{"description":"Renew a tunnel.","caption":"Tunnel Activity: Renew"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the tunnel connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"tunnel_type_id":{"type":"integer_t","enum":{"0":{"caption":"Unknown"},"1":{"caption":"Split Tunnel"},"2":{"caption":"Full Tunnel"},"99":{"caption":"Other"}},"description":"The normalized tunnel type ID.","group":"primary","requirement":"recommended","caption":"Type","sibling":"tunnel_type","type_name":"Integer"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"tunnel_type":{"type":"string_t","description":"The tunnel type. Example: Split or Full.","group":"primary","requirement":"recommended","caption":"Type","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"Traffic refers to the amount of data moving across the tunnel at a given point of time. Ex: bytes_in and bytes_out.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"protocol_name":{"type":"string_t","description":"The networking protocol associated with the tunnel. E.g. IPSec, SSL, GRE.","group":"context","requirement":"optional","caption":"Tunnel Protocol","type_name":"String"},"connection_info":{"type":"object_t","description":"The tunnel connection information.","group":"context","requirement":"optional","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Tunnel Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The server responding to the tunnel connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"tunnel_activity","description":"Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.","uid":4014,"extends":"network","category":"network","constraints":{"at_least_one":["connection_info","session","src_endpoint","traffic","tunnel_interface","tunnel_type_id"]},"references":[{"description":"D3FEND™ Ontology d3f:TunnelEvent","url":"https://d3fend.mitre.org/event/d3f:TunnelEvent/"}],"associations":{"user":["src_endpoint"],"src_endpoint":["user"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"Tunnel Activity","category_uid":4},"win/registry_key_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"205004":{"description":"Registry Key Query events report information about discovered Windows registry keys.","caption":"Registry Key Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20500400":{"caption":"Registry Key Query: Unknown"},"20500499":{"caption":"Registry Key Query: Other"},"20500401":{"description":"The discovered results are via a query request.","caption":"Registry Key Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Registry Key Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"registry_key_query","description":"Registry Key Query events report information about discovered Windows registry keys.","extension":"win","uid":205004,"extends":"discovery_result","category":"discovery","extension_id":2,"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Registry Key Query","@deprecated":{"message":"Use theEvidence Info class with the Query Evidence object populated with Registry Key instead.","since":"1.5.0"},"category_uid":5},"win/registry_value_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"205005":{"description":"Registry Value Query events report information about discovered Windows registry values.","caption":"Registry Value Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"reg_value":{"type":"object_t","description":"The registry value that pertains to the event.","group":"primary","extension":"win","requirement":"required","extension_id":2,"object_type":"win/reg_value","caption":"Registry Value","object_name":"Registry Value"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20500500":{"caption":"Registry Value Query: Unknown"},"20500599":{"caption":"Registry Value Query: Other"},"20500501":{"description":"The discovered results are via a query request.","caption":"Registry Value Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Registry Value Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"registry_value_query","description":"Registry Value Query events report information about discovered Windows registry values.","extension":"win","uid":205005,"extends":"discovery_result","category":"discovery","extension_id":2,"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Registry Value Query","@deprecated":{"message":"Use theEvidence Info class with the Query Evidence object populated with Registry Value instead.","since":"1.5.0"},"category_uid":5},"job_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5010":{"description":"Job Query events report information about scheduled jobs.","caption":"Job Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501000":{"caption":"Job Query: Unknown"},"501099":{"caption":"Job Query: Other"},"501001":{"description":"The discovered results are via a query request.","caption":"Job Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"job":{"type":"object_t","description":"The job object that pertains to the event.","group":"primary","requirement":"required","object_type":"job","caption":"Job","object_name":"Job"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Job Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"job_query","description":"Job Query events report information about scheduled jobs.","uid":5010,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Job Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"scheduled_job_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1006":{"description":"Scheduled Job Activity events report activities related to scheduled jobs or tasks.","caption":"Scheduled Job Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"caption":"Delete"},"6":{"caption":"Start"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Create"},"2":{"caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Enable"},"5":{"caption":"Disable"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the job object.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100600":{"caption":"Scheduled Job Activity: Unknown"},"100699":{"caption":"Scheduled Job Activity: Other"},"100601":{"caption":"Scheduled Job Activity: Create"},"100602":{"caption":"Scheduled Job Activity: Update"},"100603":{"caption":"Scheduled Job Activity: Delete"},"100604":{"caption":"Scheduled Job Activity: Enable"},"100605":{"caption":"Scheduled Job Activity: Disable"},"100606":{"caption":"Scheduled Job Activity: Start"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"job":{"type":"object_t","description":"The job object that pertains to the event.","group":"primary","requirement":"required","object_type":"job","caption":"Job","object_name":"Job"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Scheduled Job Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"scheduled_job_activity","description":"Scheduled Job Activity events report activities related to scheduled jobs or tasks.","uid":1006,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:ScheduledJobEvent","url":"https://d3fend.mitre.org/event/d3f:ScheduledJobEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Scheduled Job Activity","category_uid":1},"process_activity":{"attributes":{"ai_model":{"type":"object_t","description":"The AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.","group":"context","requirement":"recommended","profiles":["ai_operation"],"object_type":"ai_model","caption":"AI Model","object_name":"AI Model"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"launch_type_id":{"type":"integer_t","enum":{"3":{"description":"Denotes that theLaunch event represents the \"exec\" step of Unix process creation, where a process replaces its executable image, command line, and environment. WSL1 pico processes on Windows also use the 2-step Unix model.","caption":"Exec"},"0":{"description":"The launch type is unknown or not specified.","caption":"Unknown"},"1":{"description":"Denotes that the Launch event represents atomic creation of a new process on Windows. This launch type ID may also be used to represent both steps of Unix process creation in a single Launch event.","caption":"Spawn"},"2":{"description":"Denotes that the Launch event represents the \"fork\" step of Unix process creation, where a process creates a clone of itself in a parent-child relationship. WSL1 pico processes on Windows also use the 2-step Unix model.","caption":"Fork"},"99":{"description":"The launch type is not mapped. See the launch_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier for the specific type of Launch activity.","group":"primary","references":[{"description":"fork() man page","url":"https://www.man7.org/linux/man-pages/man2/fork.2.html"},{"description":"execve() man page","url":"https://www.man7.org/linux/man-pages/man2/execve.2.html"}],"requirement":"recommended","caption":"Launch Type ID","sibling":"launch_type","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"1007":{"description":"Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.","caption":"Process Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"message_context":{"type":"object_t","description":"Communication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.","group":"context","requirement":"optional","profiles":["ai_operation"],"object_type":"message_context","caption":"Message Context","object_name":"Message Context"},"injection_type_id":{"type":"integer_t","enum":{"3":{"caption":"Queue APC"},"0":{"description":"The injection type is unknown.","caption":"Unknown"},"1":{"caption":"Remote Thread"},"2":{"caption":"Load Library"},"99":{"description":"The injection type is not mapped. See the injection_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the process injection method.","group":"primary","requirement":"recommended","caption":"Injection Type ID","sibling":"injection_type","type_name":"Integer"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A request by the actor to obtain a handle or descriptor to a process with the aim of performing further actions upon that process. The target is usually a different process but this activity can also be reflexive.","caption":"Open"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A request by the actor to launch another process. Refer to the launch_type_id attribute for details of the specific launch type.","caption":"Launch"},"2":{"description":"A request by the actor to terminate a process. This activity is most commonly reflexive, this being the case when a process exits at its own initiation. Note too that Windows security products cannot always identify the actor in the case of inter-process termination. In this case, actor.process and process refer to the exiting process, i.e. indistinguishable from the reflexive case.","caption":"Terminate"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A request by the actor to execute code within the context of a process. The target is usually a different process but this activity can also be reflexive. Refer to the injection_type_id attribute for details of the specific injection type.","references":[{"description":"Guidance on the use of \"Module Activity: Load\" and \"Process Activity: Inject\".","url":"https://github.com/ocsf/ocsf-docs/blob/main/faqs/schema-faq.md#when-should-i-use-a-module-activity-load-event-and-when-should-i-use-a-process-activity-inject-event"}],"caption":"Inject"},"5":{"description":"A request by the actor to change its user identity by invoking the setuid() system call. Common programs like su and sudo use this mechanism. Note that the impersonation mechanism on Windows is not directly equivalent because it acts at the thread level.","caption":"Set User ID"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","references":[{"description":"setuid() man page","url":"https://www.man7.org/linux/man-pages/man2/setuid.2.html"}],"requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"module":{"type":"object_t","description":"The module that was injected by the actor process.","group":"primary","requirement":"recommended","object_type":"module","caption":"Module","object_name":"Module"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"launch_type":{"type":"string_t","description":"The specific type of Launch activity, normalized to the caption of the launch_type_id value. In the case of Other it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Launch Type","type_name":"String"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the target process. For example, the process that started a new process or injected code into another process.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100700":{"caption":"Process Activity: Unknown"},"100799":{"caption":"Process Activity: Other"},"100701":{"description":"A request by the actor to launch another process. Refer to the launch_type_id attribute for details of the specific launch type.","caption":"Process Activity: Launch"},"100702":{"description":"A request by the actor to terminate a process. This activity is most commonly reflexive, this being the case when a process exits at its own initiation. Note too that Windows security products cannot always identify the actor in the case of inter-process termination. In this case, actor.process and process refer to the exiting process, i.e. indistinguishable from the reflexive case.","caption":"Process Activity: Terminate"},"100703":{"description":"A request by the actor to obtain a handle or descriptor to a process with the aim of performing further actions upon that process. The target is usually a different process but this activity can also be reflexive.","caption":"Process Activity: Open"},"100704":{"description":"A request by the actor to execute code within the context of a process. The target is usually a different process but this activity can also be reflexive. Refer to the injection_type_id attribute for details of the specific injection type.","references":[{"description":"Guidance on the use of \"Module Activity: Load\" and \"Process Activity: Inject\".","url":"https://github.com/ocsf/ocsf-docs/blob/main/faqs/schema-faq.md#when-should-i-use-a-module-activity-load-event-and-when-should-i-use-a-process-activity-inject-event"}],"caption":"Process Activity: Inject"},"100705":{"description":"A request by the actor to change its user identity by invoking the setuid() system call. Common programs like su and sudo use this mechanism. Note that the impersonation mechanism on Windows is not directly equivalent because it acts at the thread level.","caption":"Process Activity: Set User ID"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"injection_type":{"type":"string_t","description":"The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Injection Type","type_name":"String"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"actual_permissions":{"type":"integer_t","description":"The permissions that were granted to the process in a platform-native format.","group":"primary","requirement":"recommended","caption":"Actual Permissions","type_name":"Integer"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"process":{"type":"object_t","description":"The process that was launched, injected into, opened, or terminated.","group":"primary","requirement":"required","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"requested_permissions":{"type":"integer_t","description":"The permissions mask that was requested by the process.","group":"primary","requirement":"recommended","caption":"Requested Permissions","type_name":"Integer"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Process Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"process_activity","description":"Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.","uid":1007,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:ProcessEvent","url":"https://d3fend.mitre.org/event/d3f:ProcessEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["ai_operation","cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Process Activity","category_uid":1},"kernel_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1003":{"description":"Kernel Activity events report when an process creates, reads, or deletes a kernel resource.","caption":"Kernel Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"caption":"Delete"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Create"},"2":{"caption":"Read"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Invoke"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"kernel":{"type":"object_t","description":"The target kernel resource.","group":"primary","requirement":"required","object_type":"kernel","caption":"Kernel","object_name":"Kernel Resource"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100300":{"caption":"Kernel Activity: Unknown"},"100399":{"caption":"Kernel Activity: Other"},"100301":{"caption":"Kernel Activity: Create"},"100302":{"caption":"Kernel Activity: Read"},"100303":{"caption":"Kernel Activity: Delete"},"100304":{"caption":"Kernel Activity: Invoke"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Kernel Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"kernel_activity","description":"Kernel Activity events report when an process creates, reads, or deletes a kernel resource.","uid":1003,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:KernelEvent","url":"https://d3fend.mitre.org/event/d3f:KernelEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Kernel Activity","category_uid":1},"security_finding":{"attributes":{"state_id":{"type":"integer_t","enum":{"3":{"description":"The finding was reviewed, considered as a false positive and is now suppressed.","caption":"Suppressed"},"0":{"description":"The state is unknown.","caption":"Unknown"},"1":{"description":"The finding is new and yet to be reviewed.","caption":"New"},"2":{"description":"The finding is under review.","caption":"In Progress"},"99":{"description":"The state is not mapped. See thestate attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The finding was reviewed and remediated and is now considered resolved.","caption":"Resolved"}},"description":"The normalized state identifier of a security finding.","group":"context","requirement":"required","caption":"State ID","sibling":"state","type_name":"Integer"},"vulnerabilities":{"type":"object_t","description":"This object describes vulnerabilities reported in a security finding.","group":"context","is_array":true,"requirement":"optional","object_type":"vulnerability","caption":"Vulnerabilities","object_name":"Vulnerability Details"},"compliance":{"type":"object_t","description":"The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.","group":"context","requirement":"optional","object_type":"compliance","caption":"Compliance","object_name":"Compliance"},"state":{"type":"string_t","description":"The normalized state of a security finding.","group":"context","requirement":"optional","caption":"State","type_name":"String"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"kill_chain":{"type":"object_t","description":"The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.","group":"context","is_array":true,"requirement":"optional","object_type":"kill_chain_phase","caption":"Kill Chain","object_name":"Kill Chain Phase"},"resources":{"type":"object_t","description":"Describes details about resources that were affected by the activity/event.","group":"primary","is_array":true,"requirement":"recommended","object_type":"resource_details","caption":"Resources Array","object_name":"Resource Details"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"context","is_array":true,"requirement":"optional","profiles":null,"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"2001":{"description":"Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products","caption":"Security Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A security finding was closed.","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A security finding was created.","caption":"Create"},"2":{"description":"A security finding was updated.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"nist":{"type":"string_t","description":"The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.","group":"context","is_array":true,"requirement":"optional","caption":"NIST List","type_name":"String"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"primary","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques associated to the Finding.","group":"context","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":null,"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"cis_csc":{"type":"object_t","description":"The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.","group":"context","is_array":true,"requirement":"optional","object_type":"cis_csc","caption":"CIS CSC","@deprecated":{"message":"Use CIS Controls for standard benchmark controls.","since":"1.5.0"},"object_name":"CIS CSC"},"evidence":{"type":"json_t","description":"The data the finding exposes to the analyst.","group":"context","requirement":"optional","caption":"Evidence","type_name":"JSON","@deprecated":{"message":"Use the evidences attribute instead.","since":"1.1.0"}},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"primary","requirement":"recommended","profiles":null,"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200100":{"caption":"Security Finding: Unknown"},"200199":{"caption":"Security Finding: Other"},"200101":{"description":"A security finding was created.","caption":"Security Finding: Create"},"200102":{"description":"A security finding was updated.","caption":"Security Finding: Update"},"200103":{"description":"A security finding was closed.","caption":"Security Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"data_sources":{"type":"string_t","description":"A list of data sources utilized in generation of the finding.","group":"context","is_array":true,"requirement":"optional","caption":"Data Sources","type_name":"String"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"primary","requirement":"recommended","profiles":null,"caption":"Risk Score","type_name":"Integer"},"finding":{"type":"object_t","description":"The Finding object provides details about a finding/detection generated by a security tool.","group":"primary","requirement":"required","object_type":"finding","caption":"Finding","object_name":"Finding"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"primary","requirement":"recommended","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"primary","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"recommended","caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","profiles":null,"caption":"Confidence","type_name":"String"},"process":{"type":"object_t","description":"The process object.","group":"context","requirement":"optional","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"analytic":{"type":"object_t","description":"The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.","group":"primary","requirement":"recommended","object_type":"analytic","caption":"Analytic","object_name":"Analytic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"primary","requirement":"recommended","profiles":null,"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Security Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"primary","requirement":"recommended","caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"security_finding","description":"Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products","uid":2001,"extends":"base_event","category":"findings","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Security Finding","@deprecated":{"message":"Use the new specific classes according to the use-case:Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding, Data Security Finding.","since":"1.1.0"},"category_uid":2},"email_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"email":{"type":"object_t","description":"The email object.","group":"primary","requirement":"required","object_type":"email","caption":"Email","object_name":"Email"},"banner":{"type":"string_t","description":"The initial connection response that a messaging server receives after it connects to an email server.","group":"context","requirement":"optional","caption":"Protocol Banner","type_name":"String"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4009":{"description":"Email Activity events report SMTP protocol and email activities including those with embedded URLs and files. See the Email object for details.","caption":"Email Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Email being scanned (example: security scanning)","caption":"Scan"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Send"},"2":{"caption":"Receive"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Follow an email message as it travels through an organization. The message_trace_uid should be populated when selected.","references":[{"description":"For example Office 365 Email Message Trace","url":"href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac"}],"caption":"Trace"},"5":{"description":"Email processed by an MTA, typically combining send, receive, and scan operations into a single activity.","caption":"MTA Relay"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"message_trace_uid":{"type":"string_t","description":"The identifier that tracks a message that travels through multiple points of a messaging service.","group":"primary","references":[{"description":"For example Office 365 Message Trace Report.","url":"https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)"}],"requirement":"recommended","caption":"Message Trace UID","type_name":"String"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"direction":{"type":"string_t","description":"The direction of the email, as defined by the direction_id value.","group":"context","requirement":"optional","caption":"Direction","type_name":"String"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"attempt":{"type":"integer_t","description":"The attempt number for attempting to deliver the email.","group":"context","requirement":"optional","caption":"Attempt","type_name":"Integer"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400900":{"caption":"Email Activity: Unknown"},"400999":{"caption":"Email Activity: Other"},"400901":{"caption":"Email Activity: Send"},"400902":{"caption":"Email Activity: Receive"},"400903":{"description":"Email being scanned (example: security scanning)","caption":"Email Activity: Scan"},"400904":{"description":"Follow an email message as it travels through an organization. The message_trace_uid should be populated when selected.","references":[{"description":"For example Office 365 Email Message Trace","url":"href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac"}],"caption":"Email Activity: Trace"},"400905":{"description":"Email processed by an MTA, typically combining send, receive, and scan operations into a single activity.","caption":"Email Activity: MTA Relay"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) sending the email.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"command":{"type":"string_t","description":"The command issued by the initiator (client), such as SMTP HELO or EHLO.","group":"primary","requirement":"recommended","caption":"Command","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"smtp_hello":{"type":"string_t","description":"The value of the SMTP HELO or EHLO command sent by the initiator (client).","group":"primary","requirement":"recommended","caption":"SMTP Hello","type_name":"String","@deprecated":{"message":"Use the command attribute instead.","since":"1.4.0"}},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"email_auth":{"type":"object_t","description":"The SPF, DKIM and DMARC attributes of an email.","group":"primary","requirement":"recommended","object_type":"email_auth","caption":"Email Authentication","object_name":"Email Authentication"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"from":{"type":"email_t","description":"The sender address from the transmission envelope. This reflects the actual sending party and may differ from the 'From' header in the message.","group":"primary","references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"From","type_name":"Email Address"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"protocol_name":{"type":"string_t","description":"The Protocol Name specifies the email communication protocol, such as SMTP, IMAP, or POP3.","group":"primary","requirement":"recommended","caption":"Protocol Name","type_name":"String"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Email Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) receiving the email.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.direction attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Local network connection (localhost). The connection is intra-device, originating from and destined for services running on the same device.","caption":"Local"}},"description":"The direction of the email relative to the scanning host or organization.
Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from the workstation.","group":"context","requirement":"required","caption":"Direction ID","sibling":"direction","type_name":"Integer"},"to":{"type":"email_t","description":"The recipient address from the transmission envelope. This may differ from the 'To' header and represents where the message was actually delivered.","group":"primary","is_array":true,"references":[{"description":"RFC 5322","url":"https://www.rfc-editor.org/rfc/rfc5322"}],"requirement":"recommended","caption":"To","type_name":"Email Address"},"raw_data_size":{"type":"long_t","description":"The size of the raw data which was transformed into an OCSF event, in bytes.","group":"context","requirement":"optional","caption":"Raw Data Size","type_name":"Long"},"status":{"type":"string_t","description":"The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Status","type_name":"String"},"raw_data":{"type":"string_t","description":"The raw event/finding data as received from the source.","group":"context","requirement":"optional","caption":"Raw Data","type_name":"String"},"status_id":{"type":"integer_t","enum":{"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"caption":"Success"},"2":{"caption":"Failure"},"99":{"description":"The status is not mapped. See thestatus attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"email_activity","description":"Email Activity events report SMTP protocol and email activities including those with embedded URLs and files. See theEmail object for details.","uid":4009,"extends":"base_event","category":"network","references":[{"description":"D3FEND™ Ontology d3f:EmailEvent","url":"https://d3fend.mitre.org/event/d3f:EmailEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Network Activity","caption":"Email Activity","category_uid":4},"data_security_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like severity_id. You can populate this object, if the specific resource type objects available in the class (database, databucket, table, file) aren't sufficient; OR
You can also choose to duplicate uid, name of the specific resources objects, for a consistent access to resource uids across all findings.","group":"primary","is_array":true,"requirement":"recommended","object_type":"resource_details","caption":"Additional Resources","object_name":"Resource Details"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"priority":{"type":"string_t","description":"The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Priority","type_name":"String"},"verdict_id":{"type":"integer_t","enum":{"3":{"description":"The incident can be disregarded as it is unimportant, an error or accident.","caption":"Disregard"},"6":{"description":"The incident is a test.","caption":"Test"},"0":{"description":"The type is unknown.","caption":"Unknown"},"1":{"description":"The incident is a false positive.","caption":"False Positive"},"2":{"description":"The incident is a true positive.","caption":"True Positive"},"99":{"description":"The type is not mapped. See the type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2006":{"description":"A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.","caption":"Data Security Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"data_security":{"type":"object_t","description":"The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).","group":"context","requirement":"recommended","object_type":"data_security","caption":"Data Security","object_name":"Data Security"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.).","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A new Data Security finding is created.","caption":"Create"},"2":{"description":"An existing Data Security finding is updated with more information.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative.","caption":"Suppressed","@deprecated":{"message":"Use status_id attribute instead.","since":"1.4.0"}}},"description":"The normalized identifier of the Data Security Finding activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict","type_name":"String"},"databucket":{"type":"object_t","description":"Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.","group":"primary","requirement":"recommended","object_type":"databucket","caption":"Databucket","object_name":"Databucket"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"database":{"type":"object_t","description":"Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.","group":"primary","requirement":"recommended","object_type":"database","caption":"Database","object_name":"Database"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"Describes the device where classified or sensitive data is stored in, or was accessed from.","group":"context","requirement":"recommended","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"Describes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200600":{"caption":"Data Security Finding: Unknown"},"200699":{"caption":"Data Security Finding: Other"},"200601":{"description":"A new Data Security finding is created.","caption":"Data Security Finding: Create"},"200602":{"description":"An existing Data Security finding is updated with more information.","caption":"Data Security Finding: Update"},"200603":{"description":"An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.).","caption":"Data Security Finding: Close"},"200604":{"description":"An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative.","caption":"Data Security Finding: Suppressed","@deprecated":{"message":"Use status_id attribute instead.","since":"1.4.0"}}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"table":{"type":"object_t","description":"Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.","group":"primary","requirement":"recommended","object_type":"table","caption":"Table","object_name":"Table"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"group","caption":"Assignee Group","object_name":"Group"},"src_endpoint":{"type":"object_t","description":"Details about the source endpoint where classified or sensitive data was accessed from.","group":"context","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The Data Security finding activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","group":"primary","requirement":"required","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"context","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"optional","profiles":null,"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. For example, an activity_id of 'Create' could constitute an alertable signal and the value would be true, while 'Close' likely would not and either omit the attribute or set its value to false. Note that other events with the security_control profile may also be deemed alertable signals and may also carry is_alert = true attributes.","group":"primary","requirement":"recommended","profiles":null,"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"A user provided comment about the finding.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Data Security Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"Describes the endpoint where classified or sensitive data is stored in, or was accessed from.","group":"context","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Finding was reviewed, remediated and is now considered resolved.","caption":"Resolved"},"5":{"description":"The Finding was archived.","caption":"Archived"}},"description":"The normalized status identifier of the Finding, set by the consumer.","group":"context","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"user","caption":"Assignee","object_name":"User"},"file":{"type":"object_t","description":"Describes a file that contains classified or sensitive data.","group":"primary","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"context","requirement":"optional","profiles":null,"caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"data_security_finding","description":"A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, thesecurity_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","uid":2006,"extends":"finding","category":"findings","profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Data Security Finding","category_uid":2},"win/registry_key_activity":{"attributes":{"prev_reg_key":{"type":"object_t","description":"The registry key before the mutation","group":"primary","extension":"win","requirement":"recommended","extension_id":2,"object_type":"win/reg_key","caption":"Previous Registry Key","object_name":"Registry Key"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"201001":{"description":"Registry Key Activity events report when a process performs an action on a Windows registry key.","caption":"Registry Key Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"caption":"Modify"},"6":{"caption":"Set Security"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Create"},"2":{"caption":"Read"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Delete"},"5":{"caption":"Rename"},"7":{"caption":"Restore"},"8":{"caption":"Import"},"9":{"caption":"Export"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"create_mask":{"type":"string_t","description":"The original Windows mask that is required to create the object.","group":"primary","requirement":"recommended","caption":"Create Mask","type_name":"String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the reg_key object.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"open_mask":{"type":"integer_t","description":"The Windows options needed to open a registry key.","group":"primary","requirement":"recommended","caption":"Open Mask","type_name":"Integer"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20100100":{"caption":"Registry Key Activity: Unknown"},"20100199":{"caption":"Registry Key Activity: Other"},"20100101":{"caption":"Registry Key Activity: Create"},"20100102":{"caption":"Registry Key Activity: Read"},"20100103":{"caption":"Registry Key Activity: Modify"},"20100104":{"caption":"Registry Key Activity: Delete"},"20100105":{"caption":"Registry Key Activity: Rename"},"20100106":{"caption":"Registry Key Activity: Set Security"},"20100107":{"caption":"Registry Key Activity: Restore"},"20100108":{"caption":"Registry Key Activity: Import"},"20100109":{"caption":"Registry Key Activity: Export"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"access_mask":{"type":"integer_t","description":"The access mask in a platform-native format.","group":"primary","requirement":"recommended","caption":"Access Mask","type_name":"Integer"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Registry Key Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"registry_key_activity","description":"Registry Key Activity events report when a process performs an action on a Windows registry key.","extension":"win","uid":201001,"extends":"system","category":"system","extension_id":2,"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Registry Key Activity","category_uid":1},"base_event":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"0":{"description":"The base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.","caption":"Base Event"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"0":{"caption":"Uncategorized"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"0":{"caption":"Base Event: Unknown"},"99":{"caption":"Base Event: Other"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Base Event.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"base_event","description":"The base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.","uid":0,"category":"other","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"caption":"Base Event","category_uid":0},"ftp_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g.,https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"port":{"type":"port_t","description":"The dynamic port established for impending data transfers.","group":"primary","requirement":"recommended","caption":"Port","type_name":"Port"},"class_uid":{"type":"integer_t","enum":{"4008":{"description":"File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.","caption":"FTP Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"type":{"type":"string_t","description":"The type of FTP network connection (e.g. active, passive).","group":"primary","requirement":"recommended","caption":"Type","type_name":"String"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Poll directory for specific file(s) or folder(s) at the FTP or SFTP site location.","caption":"Poll"},"6":{"description":"List files in a specified directory.","caption":"List"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"File upload to the FTP or SFTP site.","caption":"Put"},"2":{"description":"File download from the FTP or SFTP site.","caption":"Get"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Delete file(s) from the FTP or SFTP site.","caption":"Delete"},"5":{"description":"Rename the file(s) in the FTP or SFTP site.","caption":"Rename"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"name":{"type":"string_t","description":"The name of the data affiliated with the command.","group":"primary","requirement":"recommended","caption":"Name","type_name":"String"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"command_responses":{"type":"string_t","description":"The list of responses to the FTP command.","group":"primary","is_array":true,"requirement":"recommended","caption":"Command Responses","type_name":"String"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400800":{"caption":"FTP Activity: Unknown"},"400899":{"caption":"FTP Activity: Other"},"400801":{"description":"File upload to the FTP or SFTP site.","caption":"FTP Activity: Put"},"400802":{"description":"File download from the FTP or SFTP site.","caption":"FTP Activity: Get"},"400803":{"description":"Poll directory for specific file(s) or folder(s) at the FTP or SFTP site location.","caption":"FTP Activity: Poll"},"400804":{"description":"Delete file(s) from the FTP or SFTP site.","caption":"FTP Activity: Delete"},"400805":{"description":"Rename the file(s) in the FTP or SFTP site.","caption":"FTP Activity: Rename"},"400806":{"description":"List files in a specified directory.","caption":"FTP Activity: List"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"codes":{"type":"integer_t","description":"The list of return codes to the FTP command.","group":"primary","is_array":true,"requirement":"recommended","caption":"Response Codes","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"command":{"type":"string_t","description":"The FTP command.","group":"primary","requirement":"recommended","caption":"Command","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: FTP Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the FTP activity.","group":"context","requirement":"optional","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"ftp_activity","description":"File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.","uid":4008,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:FTPEvent","url":"https://d3fend.mitre.org/event/d3f:FTPEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"FTP Activity","category_uid":4},"win/windows_resource_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"201003":{"description":"Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.","caption":"Windows Resource Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Access"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"win_resource":{"type":"object_t","description":"The Windows resource object that was accessed, such as a mutant or timer.","group":"primary","extension":"win","requirement":"required","extension_id":2,"object_type":"win/win_resource","caption":"Windows Resource","object_name":"Windows Resource"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20100300":{"caption":"Windows Resource Activity: Unknown"},"20100399":{"caption":"Windows Resource Activity: Other"},"20100301":{"caption":"Windows Resource Activity: Access"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Windows Resource Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"windows_resource_activity","description":"Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.","extension":"win","uid":201003,"extends":"system","category":"system","extension_id":2,"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Windows Resource Activity","category_uid":1},"authentication":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying HTTP response.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"3002":{"description":"Authentication events report authentication session activities, including user attempts to log on or log off, regardless of success, as well as other key stages within the authentication process. These events are typically generated by authentication services, such as Kerberos, OIDC, or SAML, and may include information about the user, the authentication method used, and the status of the authentication attempt.","caption":"Authentication"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The subject (user/role or account) to authenticate.","group":"primary","requirement":"required","object_type":"user","caption":"User","object_name":"User"},"account_switch_type":{"type":"string_t","description":"The account switch method, normalized to the caption of the account_switch_type_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Account Switch Type","type_name":"String"},"logon_type_id":{"type":"integer_t","enum":{"3":{"description":"A user or device logged onto this device from the network.","caption":"Network"},"0":{"description":"The logon type is unknown.","caption":"Unknown"},"1":{"description":"Used only by the System account, for example at system startup.","caption":"System"},"2":{"description":"A local logon to device console.","caption":"Interactive"},"99":{"description":"The logon type is not mapped. See thelogon_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A batch server logon, where processes may be executing on behalf of a user without their direct intervention.","caption":"Batch"},"5":{"description":"A logon by a service or daemon that was started by the OS.","caption":"OS Service"},"7":{"description":"A user unlocked the device.","caption":"Unlock"},"8":{"description":"A user logged on to this device from the network. The user's password in the authentication package was not hashed.","caption":"Network Cleartext"},"9":{"description":"A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.","caption":"New Credentials"},"10":{"description":"A remote logon using Terminal Services or remote desktop application.","caption":"Remote Interactive"},"11":{"description":"A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials.","caption":"Cached Interactive"},"12":{"description":"Same as Remote Interactive. This is used for internal auditing.","caption":"Cached Remote Interactive"},"13":{"description":"Workstation logon.","caption":"Cached Unlock"}},"description":"The normalized logon type identifier.","group":"primary","requirement":"recommended","caption":"Logon Type ID","sibling":"logon_type","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A Kerberos authentication ticket (TGT) was requested.","caption":"Authentication Ticket"},"6":{"description":"A preauthentication stage was engaged.","caption":"Preauth"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A new logon session was requested.","caption":"Logon"},"2":{"description":"A logon session was terminated and no longer exists.","caption":"Logoff"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A Kerberos service ticket was requested.","caption":"Service Ticket Request"},"5":{"description":"A Kerberos service ticket was renewed.","caption":"Service Ticket Renew"},"7":{"description":"A utility or service switched the user account. See the account_switch_type_id attribute for more details.","caption":"Account Switch"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"auth_factors":{"type":"object_t","description":"Describes a category of methods used for identity verification in an authentication attempt.","group":"context","is_array":true,"requirement":"optional","object_type":"auth_factor","caption":"Authentication Factors","object_name":"Authentication Factor"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"auth_protocol":{"type":"string_t","description":"The authentication protocol as defined by the caption of auth_protocol_id. In the case of Other, it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Auth Protocol","type_name":"String"},"is_remote":{"type":"boolean_t","description":"The attempted authentication is over a remote connection.","group":"primary","requirement":"recommended","caption":"Remote","type_name":"Boolean"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"3":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"authentication_token":{"type":"object_t","description":"The authentication token, ticket, or assertion, e.g. Kerberos, OIDC, SAML.","group":"context","references":[{"description":"RFC 4120: The Kerberos Network Authentication Service (V5)","url":"https://www.rfc-editor.org/rfc/rfc4120"},{"description":"OpenID Connect Core 1.0","url":"https://openid.net/specs/openid-connect-core-1_0.html"},{"description":"The OASIS Security Assertion Markup Language (SAML) V2.0","url":"https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf"}],"requirement":"optional","object_type":"authentication_token","caption":"Authentication Token","object_name":"Authentication Token"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"is_new_logon":{"type":"boolean_t","description":"Indicates logon is from a device not seen before or a first time account logon.","group":"context","requirement":"optional","caption":"New Logon","type_name":"Boolean"},"auth_protocol_id":{"type":"integer_t","enum":{"3":{"caption":"Digest"},"6":{"caption":"OAUTH 2.0"},"0":{"description":"The authentication protocol is unknown.","caption":"Unknown"},"1":{"caption":"NTLM"},"2":{"caption":"Kerberos"},"99":{"description":"The authentication protocol is not mapped. See the auth_protocol attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"OpenID"},"5":{"caption":"SAML"},"7":{"caption":"PAP"},"8":{"caption":"CHAP"},"9":{"caption":"EAP"},"10":{"caption":"RADIUS"},"11":{"caption":"Basic Authentication"},"12":{"caption":"LDAP"}},"description":"The normalized identifier of the authentication protocol used to create the user session.","group":"primary","requirement":"recommended","caption":"Auth Protocol ID","sibling":"auth_protocol","type_name":"Integer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"service":{"type":"object_t","description":"The service or gateway to which the user or process is being authenticated","group":"primary","requirement":"recommended","object_type":"service","caption":"Service","object_name":"Service"},"is_mfa":{"type":"boolean_t","description":"Indicates whether Multi Factor Authentication was used during authentication.","group":"primary","requirement":"recommended","caption":"Multi Factor Authentication","type_name":"Boolean"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"account_switch_type_id":{"type":"integer_t","enum":{"0":{"description":"The account switch type is unknown.","caption":"Unknown"},"1":{"description":"A utility like sudo, su, or equivalent was used to perform actions in the context of another user.","references":[{"description":"sudo documentation","url":"https://www.sudo.ws/"},{"description":"su Linux manual page","url":"https://man7.org/linux/man-pages/man1/su.1.html"},{"description":"su macOS manual page","url":"https://www.unix.com/man_page/osx/1/su/"}],"caption":"Substitute User"},"2":{"description":"An API like ImpersonateLoggedOnUser() or equivalent was used to perform actions in the context of another user.","references":[{"description":"Microsoft ImpersonateLoggedOnUser() documentation","url":"https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser"}],"caption":"Impersonate"},"99":{"description":"The account switch type is not mapped. See the account_switch_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the account switch method.","group":"primary","requirement":"recommended","caption":"Account Switch Type ID","sibling":"account_switch_type","type_name":"Integer"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"logon_process":{"type":"object_t","description":"The trusted process that validated the authentication credentials.","group":"context","requirement":"optional","object_type":"process","caption":"Logon Process","object_name":"Process"},"is_cleartext":{"type":"boolean_t","description":"Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.
","group":"context","requirement":"optional","caption":"Cleartext Credentials","type_name":"Boolean"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"300200":{"caption":"Authentication: Unknown"},"300299":{"caption":"Authentication: Other"},"300201":{"description":"A new logon session was requested.","caption":"Authentication: Logon"},"300202":{"description":"A logon session was terminated and no longer exists.","caption":"Authentication: Logoff"},"300203":{"description":"A Kerberos authentication ticket (TGT) was requested.","caption":"Authentication: Authentication Ticket"},"300204":{"description":"A Kerberos service ticket was requested.","caption":"Authentication: Service Ticket Request"},"300205":{"description":"A Kerberos service ticket was renewed.","caption":"Authentication: Service Ticket Renew"},"300206":{"description":"A preauthentication stage was engaged.","caption":"Authentication: Preauth"},"300207":{"description":"A utility or service switched the user account. See theaccount_switch_type_id attribute for more details.","caption":"Authentication: Account Switch"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the IAM activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Identity & Access Management.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"optional","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"logon_type":{"type":"string_t","description":"The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Logon Type","type_name":"String"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Authentication.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The endpoint to which the authentication was targeted.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The details about the authentication request. For example, possible details for Windows logon or logoff events are:start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"authentication","description":"Authentication events report authentication session activities, including user attempts to log on or log off, regardless of success, as well as other key stages within the authentication process. These events are typically generated by authentication services, such as Kerberos, OIDC, or SAML, and may include information about the user, the authentication method used, and the status of the authentication attempt.","uid":3002,"extends":"iam","category":"iam","constraints":{"at_least_one":["service","dst_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:AuthenticationEvent","url":"https://d3fend.mitre.org/event/d3f:AuthenticationEvent"}],"associations":{"user":["dst_endpoint"],"dst_endpoint":["user"],"src_endpoint":["actor.user"],"actor.user":["src_endpoint"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Identity & Access Management","caption":"Authentication","category_uid":3},"module_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1005":{"description":"Module Activity events report when an endpoint process acts on amodule.","caption":"Module Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A function exported from the target module was invoked.","caption":"Invoke"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The target module was loaded.","references":[{"description":"Guidance on the use of \"Module Activity: Load\" and \"Process Activity: Inject\".","url":"https://github.com/ocsf/ocsf-docs/blob/main/faqs/schema-faq.md#when-should-i-use-a-module-activity-load-event-and-when-should-i-use-a-process-activity-inject-event"}],"caption":"Load"},"2":{"description":"The target module was unloaded.","caption":"Unload"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"module":{"type":"object_t","description":"The module that was loaded, unloaded, or invoked.","group":"primary","requirement":"required","object_type":"module","caption":"Module","object_name":"Module"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the target module. For example, the process that loaded a module into memory.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100500":{"caption":"Module Activity: Unknown"},"100599":{"caption":"Module Activity: Other"},"100501":{"description":"The target module was loaded.","references":[{"description":"Guidance on the use of \"Module Activity: Load\" and \"Process Activity: Inject\".","url":"https://github.com/ocsf/ocsf-docs/blob/main/faqs/schema-faq.md#when-should-i-use-a-module-activity-load-event-and-when-should-i-use-a-process-activity-inject-event"}],"caption":"Module Activity: Load"},"100502":{"description":"The target module was unloaded.","caption":"Module Activity: Unload"},"100503":{"description":"A function exported from the target module was invoked.","caption":"Module Activity: Invoke"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Module Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"module_activity","description":"Module Activity events report when an endpoint process acts on amodule.","uid":1005,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:LoadLibraryEvent","url":"https://d3fend.mitre.org/event/d3f:LoadLibraryEvent/"},{"description":"D3FEND™ Ontology d3f:UnloadLibraryEvent","url":"https://d3fend.mitre.org/event/d3f:UnloadLibraryEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Module Activity","category_uid":1},"airborne_broadcast_activity":{"attributes":{"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"recommended","object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"8002":{"description":"Airborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers. Based on the ADS-B standards described in Code of Federal Regulations (CFR) Title 14 Chapter I Subchapter F Part 91 and in other general Federal Aviation Administration (FAA) supplemental orders and guidance described here.","caption":"Airborne Broadcast Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"ADS-B information is being captured (collected).","caption":"Capture"},"2":{"description":"ADS-B information is being recorded, for example by a standalone transceiver.","caption":"Record"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"primary","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"8":{"description":"Unmanned Systems events report the activity, existence, and/or state of unmanned systems for tracking, mission planning, and other related activities.","uid":8,"caption":"Unmanned Systems"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"unmanned_system_operator":{"type":"object_t","description":"The human or machine operator of an Unmanned System.","group":"primary","requirement":"required","object_type":"user","caption":"Unmanned Systems Operator","object_name":"User"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"800200":{"caption":"Airborne Broadcast Activity: Unknown"},"800299":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Airborne Broadcast Activity: Other"},"800201":{"description":"ADS-B information is being captured (collected).","caption":"Airborne Broadcast Activity: Capture"},"800202":{"description":"ADS-B information is being recorded, for example by a standalone transceiver.","caption":"Airborne Broadcast Activity: Record"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"unmanned_aerial_system":{"type":"object_t","description":"The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.","group":"primary","requirement":"required","object_type":"unmanned_aerial_system","caption":"Unmanned Aerial System","object_name":"Unmanned Aerial System"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"rssi":{"type":"integer_t","description":"Recent average RSSI (signal power) measured in dbFS. This value will always be negative, e.g., -87.13.","group":"context","requirement":"optional","caption":"RSSI","type_name":"Integer"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The source network endpoint for the ADS-B system.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Unmanned Systems.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"unmanned_system_operating_area":{"type":"object_t","description":"The UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.","group":"primary","requirement":"recommended","object_type":"unmanned_system_operating_area","caption":"UAS Operating Area","object_name":"Unmanned System Operating Area"},"traffic":{"type":"object_t","description":"Traffic refers to the amount of data transmitted from a ADS-B remote monitoring system at a given point of time. Ex: bytes_in and bytes_out.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"protocol_name":{"type":"string_t","description":"The specific protocol associated with the ADS-B system. E.g. ADS-B UAT or ADS-B ES.","group":"primary","requirement":"recommended","caption":"ADS-B Protocol","type_name":"String"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"context","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Airborne Broadcast Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The destination network endpoint for the ADS-B system, if telemetry is being remotely broadcasted.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"airborne_broadcast_activity","description":"Airborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers. Based on the ADS-B standards described in Code of Federal Regulations (CFR) Title 14 Chapter I Subchapter F Part 91 and in other general Federal Aviation Administration (FAA) supplemental orders and guidance described here.","uid":8002,"extends":"unmanned_systems","category":"unmanned_systems","constraints":{"at_least_one":["aircraft","unmanned_aerial_system","unmanned_system_operating_area"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Unmanned Systems","caption":"Airborne Broadcast Activity","category_uid":8},"rdp_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g.,https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4005":{"description":"Remote Desktop Protocol (RDP) Activity events report post-authentication remote client connections between clients and servers over the network.","caption":"RDP Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The target user associated with the RDP activity.","group":"primary","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"An RDP connection request.","caption":"Connect Request"},"6":{"description":"Network traffic report.","caption":"Traffic"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The initial RDP request.","caption":"Initial Request"},"2":{"description":"The initial RDP response.","caption":"Initial Response"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"An RDP connection response.","caption":"Connect Response"},"5":{"description":"The TLS handshake.","caption":"TLS Handshake"},"7":{"description":"An RDP connection disconnect.","caption":"Disconnect"},"8":{"description":"An RDP connection reconnect.","caption":"Reconnect"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","references":[{"description":"Suricata Event Type: RDP","url":"https://docs.suricata.io/en/latest/output/eve/eve-json-format.html#event-type-rdp"}],"requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"response":{"type":"object_t","description":"The server response in an RDP network connection.","group":"primary","requirement":"recommended","object_type":"response","caption":"API Response Details","object_name":"Response Elements"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"The device instigating the RDP connection.","group":"primary","requirement":"optional","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400500":{"caption":"RDP Activity: Unknown"},"400599":{"caption":"RDP Activity: Other"},"400501":{"description":"The initial RDP request.","caption":"RDP Activity: Initial Request"},"400502":{"description":"The initial RDP response.","caption":"RDP Activity: Initial Response"},"400503":{"description":"An RDP connection request.","caption":"RDP Activity: Connect Request"},"400504":{"description":"An RDP connection response.","caption":"RDP Activity: Connect Response"},"400505":{"description":"The TLS handshake.","caption":"RDP Activity: TLS Handshake"},"400506":{"description":"Network traffic report.","caption":"RDP Activity: Traffic"},"400507":{"description":"An RDP connection disconnect.","caption":"RDP Activity: Disconnect"},"400508":{"description":"An RDP connection reconnect.","caption":"RDP Activity: Reconnect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"capabilities":{"type":"string_t","description":"A list of RDP capabilities.","group":"context","is_array":true,"requirement":"optional","caption":"Capabilities","type_name":"String"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"identifier_cookie":{"type":"string_t","description":"The client identifier cookie during client/server exchange.","group":"context","requirement":"optional","caption":"Identifier Cookie","type_name":"String"},"keyboard_info":{"type":"object_t","description":"The keyboard detailed information.","group":"context","requirement":"optional","object_type":"keyboard_info","caption":"Keyboard Information","object_name":"Keyboard Information"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"request":{"type":"object_t","description":"The client request in an RDP network connection.","group":"primary","requirement":"recommended","object_type":"request","caption":"API Request Details","object_name":"Request Elements"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"certificate_chain":{"type":"string_t","description":"The list of observed certificates in an RDP TLS connection.","group":"primary","is_array":true,"requirement":"recommended","caption":"Certificate Chain","type_name":"String"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The remote desktop connection details, either connection-based or connectionless.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: RDP Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the RDP activity.","group":"context","requirement":"optional","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"rdp_activity","description":"Remote Desktop Protocol (RDP) Activity events report post-authentication remote client connections between clients and servers over the network.","uid":4005,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:RDPEvent","url":"https://d3fend.mitre.org/event/d3f:RDPEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"RDP Activity","category_uid":4},"compliance_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes likeseverity_id.type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2003":{"description":"Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","caption":"Compliance Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A finding was closed.","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A finding was created.","caption":"Create"},"2":{"description":"A finding was updated.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the finding activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"evidences":{"type":"object_t","description":"Describes various evidence artifacts associated with the compliance finding.","group":"context","is_array":true,"requirement":"optional","object_type":"evidences","caption":"Evidence Artifacts","object_name":"Evidence Artifacts"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"resource":{"type":"object_t","description":"Describes details about the resource that is the subject of the compliance check.","group":"primary","requirement":"recommended","object_type":"resource_details","caption":"Resource","@deprecated":{"message":"Use the resources attribute instead.","since":"1.3.0"},"object_name":"Resource Details"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"Describes the affected device/host. If applicable, it can be used in conjunction with Resource(s). e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.
","group":"context","requirement":"optional","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200300":{"caption":"Compliance Finding: Unknown"},"200399":{"caption":"Compliance Finding: Other"},"200301":{"description":"A finding was created.","caption":"Compliance Finding: Create"},"200302":{"description":"A finding was updated.","caption":"Compliance Finding: Update"},"200303":{"description":"A finding was closed.","caption":"Compliance Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as:class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"group","caption":"Assignee Group","object_name":"Group"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The finding activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","group":"primary","requirement":"required","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"primary","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"recommended","profiles":["incident"],"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"A user provided comment about the finding.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"recommended","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Compliance Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Finding was reviewed, remediated and is now considered resolved.","caption":"Resolved"},"5":{"description":"The Finding was archived.","caption":"Archived"}},"description":"The normalized status identifier of the Finding, set by the consumer.","group":"context","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"user","caption":"Assignee","object_name":"User"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"compliance_finding","description":"Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such asNIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","uid":2003,"extends":"finding","category":"findings","profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Compliance Finding","category_uid":2},"session_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5017":{"description":"User Session Query events report information about existing user sessions.","caption":"User Session Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501700":{"caption":"User Session Query: Unknown"},"501799":{"caption":"User Session Query: Other"},"501701":{"description":"The discovered results are via a query request.","caption":"User Session Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: User Session Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"session_query","description":"User Session Query events report information about existing user sessions.","uid":5017,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"User Session Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"peripheral_device_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5014":{"description":"Peripheral Device Query events report information about peripheral devices.","caption":"Peripheral Device Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"peripheral_device":{"type":"object_t","description":"The peripheral device that triggered the event.","group":"primary","requirement":"required","object_type":"peripheral_device","caption":"Peripheral Device","object_name":"Peripheral Device"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501400":{"caption":"Peripheral Device Query: Unknown"},"501499":{"caption":"Peripheral Device Query: Other"},"501401":{"description":"The discovered results are via a query request.","caption":"Peripheral Device Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Peripheral Device Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"peripheral_device_query","description":"Peripheral Device Query events report information about peripheral devices.","uid":5014,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Peripheral Device Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"scan_activity":{"attributes":{"scan":{"type":"object_t","description":"The Scan object describes characteristics of the scan job.","group":"primary","requirement":"required","object_type":"scan","caption":"Scan","object_name":"Scan"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"num_detections":{"type":"integer_t","description":"The number of detections.","group":"primary","requirement":"recommended","caption":"Detections","type_name":"Integer"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"6007":{"description":"Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.","caption":"Scan Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"num_network_items":{"type":"integer_t","description":"The number of network items scanned.","group":"primary","requirement":"recommended","caption":"Scanned Network Items","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The scan was cancelled.","caption":"Cancelled"},"6":{"description":"The scan could not be completed due to an internal error.","caption":"Error"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The scan was started.","caption":"Started"},"2":{"description":"The scan was completed.","caption":"Completed"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The allocated scan time was insufficient to complete the requested scan.","caption":"Duration Violation"},"5":{"description":"The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time.","caption":"Pause Violation"},"7":{"description":"The scan was paused.","caption":"Paused"},"8":{"description":"The scan was resumed from the pause point.","caption":"Resumed"},"9":{"description":"The scan restarted from the beginning of the file enumeration.","caption":"Restarted"},"10":{"description":"The user delayed the scan.","caption":"Delayed"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"num_trusted_items":{"type":"integer_t","description":"The number of trusted items.","group":"primary","requirement":"recommended","caption":"Trusted","type_name":"Integer"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"num_resolutions":{"type":"integer_t","description":"The number of items that were resolved.","group":"primary","requirement":"recommended","caption":"Resolutions","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of the scan job.","group":"occurrence","requirement":"recommended","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600700":{"caption":"Scan Activity: Unknown"},"600799":{"caption":"Scan Activity: Other"},"600701":{"description":"The scan was started.","caption":"Scan Activity: Started"},"600702":{"description":"The scan was completed.","caption":"Scan Activity: Completed"},"600703":{"description":"The scan was cancelled.","caption":"Scan Activity: Cancelled"},"600704":{"description":"The allocated scan time was insufficient to complete the requested scan.","caption":"Scan Activity: Duration Violation"},"600705":{"description":"The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time.","caption":"Scan Activity: Pause Violation"},"600706":{"description":"The scan could not be completed due to an internal error.","caption":"Scan Activity: Error"},"600707":{"description":"The scan was paused.","caption":"Scan Activity: Paused"},"600708":{"description":"The scan was resumed from the pause point.","caption":"Scan Activity: Resumed"},"600709":{"description":"The scan restarted from the beginning of the file enumeration.","caption":"Scan Activity: Restarted"},"600710":{"description":"The user delayed the scan.","caption":"Scan Activity: Delayed"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"command_uid":{"type":"string_t","description":"The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.","group":"primary","requirement":"recommended","caption":"Command UID","type_name":"String"},"num_skipped_items":{"type":"integer_t","description":"The number of skipped items.","group":"primary","requirement":"recommended","caption":"Skipped","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"schedule_uid":{"type":"string_t","description":"The unique identifier of the schedule associated with a scan job.","group":"primary","requirement":"recommended","caption":"Schedule UID","type_name":"String"},"num_folders":{"type":"integer_t","description":"The number of folders scanned.","group":"primary","requirement":"recommended","caption":"Scanned Folders","type_name":"Integer"},"num_processes":{"type":"integer_t","description":"The number of processes scanned.","group":"primary","requirement":"recommended","caption":"Scanned Processes","type_name":"Integer"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of the scan job.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy associated with this Scan event; required if the scan was initiated by a policy.","group":"primary","requirement":"recommended","profiles":null,"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"num_registry_items":{"type":"integer_t","description":"The number of registry items scanned.","group":"primary","requirement":"recommended","caption":"Scanned Registry Items","type_name":"Integer"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of the scan job.","group":"occurrence","requirement":"recommended","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Scan Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The duration of the scan","group":"occurrence","requirement":"recommended","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of the scan job.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"scan_activity","description":"Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.","uid":6007,"extends":"application","category":"application","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Application Activity","caption":"Scan Activity","category_uid":6},"network_remediation_activity":{"attributes":{"scan":{"type":"object_t","description":"The remediation scan that pertains to this event.","group":"context","requirement":"optional","object_type":"scan","caption":"Scan","object_name":"Scan"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"7004":{"description":"Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.","caption":"Network Remediation Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Restore"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Isolate"},"2":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Evict"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Harden"},"5":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Detect"}},"description":"Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"7":{"description":"Remediation events report the results of remediation commands targeting files, processes, and other objects.","uid":7,"caption":"Remediation"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"700400":{"caption":"Network Remediation Activity: Unknown"},"700499":{"caption":"Network Remediation Activity: Other"},"700401":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Network Remediation Activity: Isolate"},"700402":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Network Remediation Activity: Evict"},"700403":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Network Remediation Activity: Restore"},"700404":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Network Remediation Activity: Harden"},"700405":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Network Remediation Activity: Detect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"command_uid":{"type":"string_t","description":"The unique identifier of the remediation command that pertains to this event.","group":"primary","requirement":"required","caption":"Command UID","type_name":"String"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Remediation.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection that pertains to the remediation event.","group":"primary","requirement":"required","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"countermeasures":{"type":"object_t","description":"The MITRE D3FEND™ Matrix Countermeasures associated with a remediation.","group":"primary","is_array":true,"requirement":"recommended","object_type":"d3fend","caption":"Countermeasures","object_name":"MITRE D3FEND™"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Network Remediation Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The remediation was partially completed.","caption":"Partial"},"5":{"description":"The remediation was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"network_remediation_activity","description":"Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.","uid":7004,"extends":"remediation_activity","category":"remediation","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Remediation","caption":"Network Remediation Activity","category_uid":7},"account_change":{"attributes":{"policies":{"type":"object_t","description":"Details about the IAM policies associated with the Attach/Detach Policy activities.","group":"context","is_array":true,"requirement":"optional","object_type":"policy","caption":"Policies","object_name":"Policy"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying HTTP response.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"3001":{"description":"Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.","caption":"Account Change"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The user that was a target of an activity.","group":"primary","requirement":"required","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"An attempt was made to change a user account's password.","caption":"Password Change"},"6":{"description":"A user/role was deleted.","caption":"Delete"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A user/role was created.","caption":"Create"},"2":{"description":"A user/role was enabled.","caption":"Enable"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"An attempt was made to reset a user account's password.","caption":"Password Reset"},"5":{"description":"A user/role was disabled.","caption":"Disable"},"7":{"description":"An IAM Policy was attached to a user/role.","caption":"Attach Policy"},"8":{"description":"An IAM Policy was detached from a user/role.","caption":"Detach Policy"},"9":{"description":"A user account was locked out.","caption":"Lock"},"10":{"description":"One or more authentication factors were enabled for a user account.","caption":"MFA Factor Enable"},"11":{"description":"One or more authentication factors were disabled for a user account.","caption":"MFA Factor Disable"},"12":{"description":"A user account was unlocked.","caption":"Unlock"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"auth_factors":{"type":"object_t","description":"Details about the authentication factors associated with the MFA Factor Enable/Disable activities.","group":"context","is_array":true,"requirement":"optional","object_type":"auth_factor","caption":"Authentication Factors","object_name":"Authentication Factor"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"3":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"300100":{"caption":"Account Change: Unknown"},"300199":{"caption":"Account Change: Other"},"300101":{"description":"A user/role was created.","caption":"Account Change: Create"},"300102":{"description":"A user/role was enabled.","caption":"Account Change: Enable"},"300103":{"description":"An attempt was made to change a user account's password.","caption":"Account Change: Password Change"},"300104":{"description":"An attempt was made to reset a user account's password.","caption":"Account Change: Password Reset"},"300105":{"description":"A user/role was disabled.","caption":"Account Change: Disable"},"300106":{"description":"A user/role was deleted.","caption":"Account Change: Delete"},"300107":{"description":"An IAM Policy was attached to a user/role.","caption":"Account Change: Attach Policy"},"300108":{"description":"An IAM Policy was detached from a user/role.","caption":"Account Change: Detach Policy"},"300109":{"description":"A user account was locked out.","caption":"Account Change: Lock"},"300110":{"description":"One or more authentication factors were enabled for a user account.","caption":"Account Change: MFA Factor Enable"},"300111":{"description":"One or more authentication factors were disabled for a user account.","caption":"Account Change: MFA Factor Disable"},"300112":{"description":"A user account was unlocked.","caption":"Account Change: Unlock"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the IAM activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"user_result":{"type":"object_t","description":"The result of the user account change. It should contain the new values of the changed attributes.","group":"primary","requirement":"recommended","object_type":"user","caption":"User Result","object_name":"User"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Identity & Access Management.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"Details about the IAM policy associated to the Attach/Detach Policy activities.","group":"context","requirement":"optional","profiles":null,"object_type":"policy","caption":"Policy","@deprecated":{"message":"Use the policies attribute instead.","since":"1.4.0"},"object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"optional","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Account Change.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"account_change","description":"Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.","uid":3001,"extends":"iam","category":"iam","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Identity & Access Management","caption":"Account Change","category_uid":3},"win/prefetch_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"run_count":{"type":"integer_t","description":"The prefetch file run count.","group":"primary","extension":"win","requirement":"recommended","extension_id":2,"caption":"Run Count","type_name":"Integer"},"last_run_time":{"type":"timestamp_t","description":"The prefetch file last run time.","group":"occurrence","requirement":"recommended","caption":"Last Run","type_name":"Timestamp"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"205019":{"description":"Prefetch Query events report information about Windows prefetch files.","caption":"Prefetch Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"name":{"type":"string_t","description":"The name of the prefetch file that is the target of the query.","group":"primary","requirement":"required","caption":"Name","type_name":"String"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20501900":{"caption":"Prefetch Query: Unknown"},"20501999":{"caption":"Prefetch Query: Other"},"20501901":{"description":"The discovered results are via a query request.","caption":"Prefetch Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Prefetch Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"last_run_time_dt":{"type":"datetime_t","description":"The prefetch file last run time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Last Run","type_name":"Datetime"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"prefetch_query","description":"Prefetch Query events report information about Windows prefetch files.","extension":"win","uid":205019,"extends":"discovery_result","category":"discovery","extension_id":2,"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Prefetch Query","@deprecated":{"message":"Use theEvidence Info class with the Query Evidence object populated with File instead.","since":"1.5.0"},"category_uid":5},"user_access":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"resources":{"type":"object_t","description":"Resources that the privileges give access to.","group":"primary","is_array":true,"requirement":"recommended","object_type":"resource_details","caption":"Resources Array","object_name":"Resource Details"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying HTTP response.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"3005":{"description":"User Access Management events report management updates to a user's privileges.","caption":"User Access Management"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"User to which privileges were assigned.","group":"primary","requirement":"required","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Assign privileges to a user.","caption":"Assign Privileges"},"2":{"description":"Revoke privileges from a user.","caption":"Revoke Privileges"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"3":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"resource":{"type":"object_t","description":"Resource that the privileges give access to.","group":"primary","requirement":"recommended","object_type":"resource_details","caption":"Resource","@deprecated":{"message":"Use the resources attribute instead.","since":"1.5.0"},"object_name":"Resource Details"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"privileges":{"type":"string_t","description":"List of privileges assigned to a user.","group":"primary","is_array":true,"requirement":"required","caption":"Privileges","type_name":"String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"300500":{"caption":"User Access Management: Unknown"},"300599":{"caption":"User Access Management: Other"},"300501":{"description":"Assign privileges to a user.","caption":"User Access Management: Assign Privileges"},"300502":{"description":"Revoke privileges from a user.","caption":"User Access Management: Revoke Privileges"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the IAM activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Identity & Access Management.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"optional","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: User Access Management.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"user_access","description":"User Access Management events report management updates to a user's privileges.","uid":3005,"extends":"iam","category":"iam","references":[{"description":"D3FEND™ Ontology d3f:PermissionGrantingEvent","url":"https://d3fend.mitre.org/event/d3f:PermissionGrantingEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Identity & Access Management","caption":"User Access Management","category_uid":3},"smb_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g.,https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"dce_rpc":{"type":"object_t","description":"The DCE/RPC object describes the remote procedure call system for distributed computing environments.","group":"context","requirement":"optional","object_type":"dce_rpc","caption":"Distributed Computing Environment/Remote Procedure Call (DCE/RPC)","object_name":"DCE/RPC"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4006":{"description":"Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.","caption":"SMB Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"open_type":{"type":"string_t","description":"Indicates how the file was opened (e.g. normal, delete on close).","group":"primary","requirement":"recommended","caption":"Open Type","type_name":"String"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The event pertains to file creation activity (a file is created if it does not exist and fails if it does).","caption":"File Create"},"6":{"description":"The event pertains to file overwrite activity (the file is opened in a truncated form if it exists and created otherwise)","caption":"File Overwrite If"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The event pertains to file superseded activity (overwritten if it exists and created if not).","caption":"File Supersede"},"2":{"description":"The event pertains to file open activity (the file is opened if it exists and fails to open if it doesn't).","caption":"File Open"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The event pertains to file open activity (the file is opened if it exists and is created if it doesn't).","caption":"File Open If"},"5":{"description":"The event pertains to file overwrite activity (the file is opened in a truncated form if it exists and fails if it doesn't).","caption":"File Overwrite"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"share":{"type":"string_t","description":"The SMB share name.","group":"primary","requirement":"recommended","caption":"Share","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"share_type":{"type":"string_t","description":"The SMB share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Share Type","type_name":"String"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"response":{"type":"object_t","description":"The server response in an SMB network connection.","group":"primary","requirement":"recommended","object_type":"response","caption":"API Response Details","object_name":"Response Elements"},"client_dialects":{"type":"string_t","description":"The list of SMB dialects that the client speaks.","group":"context","is_array":true,"requirement":"recommended","caption":"Client Dialects","type_name":"String"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400600":{"caption":"SMB Activity: Unknown"},"400699":{"caption":"SMB Activity: Other"},"400601":{"description":"The event pertains to file superseded activity (overwritten if it exists and created if not).","caption":"SMB Activity: File Supersede"},"400602":{"description":"The event pertains to file open activity (the file is opened if it exists and fails to open if it doesn't).","caption":"SMB Activity: File Open"},"400603":{"description":"The event pertains to file creation activity (a file is created if it does not exist and fails if it does).","caption":"SMB Activity: File Create"},"400604":{"description":"The event pertains to file open activity (the file is opened if it exists and is created if it doesn't).","caption":"SMB Activity: File Open If"},"400605":{"description":"The event pertains to file overwrite activity (the file is opened in a truncated form if it exists and fails if it doesn't).","caption":"SMB Activity: File Overwrite"},"400606":{"description":"The event pertains to file overwrite activity (the file is opened in a truncated form if it exists and created otherwise)","caption":"SMB Activity: File Overwrite If"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"command":{"type":"string_t","description":"The command name (e.g. SMB2_COMMAND_CREATE, SMB1_COMMAND_WRITE_ANDX).","group":"primary","requirement":"recommended","caption":"Command","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"share_type_id":{"type":"integer_t","enum":{"3":{"caption":"Print"},"0":{"description":"The share type is unknown.","caption":"Unknown"},"1":{"caption":"File"},"2":{"caption":"Pipe"},"99":{"description":"The share type is not mapped. See the share_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the SMB share type.","group":"primary","requirement":"recommended","caption":"Share Type ID","sibling":"share_type","type_name":"Integer"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"tree_uid":{"type":"string_t","description":"The tree id is a unique SMB identifier which represents an open connection to a share.","group":"primary","requirement":"recommended","caption":"Tree UID","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"dialect":{"type":"string_t","description":"The negotiated protocol dialect.","group":"context","requirement":"recommended","caption":"Dialect","type_name":"String"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: SMB Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the SMB activity.","group":"primary","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"smb_activity","description":"Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.","uid":4006,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:SMBEvent","url":"https://d3fend.mitre.org/event/d3f:SMBEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"SMB Activity","category_uid":4},"cloud_resources_inventory_info":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"resources":{"type":"object_t","description":"The cloud resource(s) that are being discovered by an inventory process. Use this object if there is not a direct object match in the class.","group":"primary","is_array":true,"requirement":"recommended","object_type":"resource_details","caption":"Cloud Resources","object_name":"Resource Details"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5023":{"description":"Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.","caption":"Cloud Resources Inventory Info"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Cloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.","group":"primary","requirement":"recommended","profiles":null,"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"container":{"type":"object_t","description":"A cloud-based container image or running container discovered by an inventory process.","group":"primary","requirement":"recommended","profiles":null,"object_type":"container","caption":"Container","object_name":"Container"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"idp":{"type":"object_t","description":"The Identity Provider that is being discovered by an inventory process, or that is related to the cloud resource(s) being discovered by an inventory process.","group":"primary","requirement":"recommended","object_type":"idp","caption":"Identity Provider","object_name":"Identity Provider"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"databucket":{"type":"object_t","description":"A cloud-based data bucket or other object storage discovered by an inventory process.","group":"primary","requirement":"recommended","object_type":"databucket","caption":"Databucket","object_name":"Databucket"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"database":{"type":"object_t","description":"A cloud-based database discovered by an inventory process.","group":"primary","requirement":"recommended","object_type":"database","caption":"Database","object_name":"Database"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"502300":{"caption":"Cloud Resources Inventory Info: Unknown"},"502399":{"caption":"Cloud Resources Inventory Info: Other"},"502301":{"description":"The discovered information is via a log.","caption":"Cloud Resources Inventory Info: Log"},"502302":{"description":"The discovered information is via a collection process.","caption":"Cloud Resources Inventory Info: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"table":{"type":"object_t","description":"A cloud-based database table discovered by an inventory process.","group":"primary","requirement":"recommended","object_type":"table","caption":"Table","object_name":"Table"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Cloud Resources Inventory Info.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"region":{"type":"string_t","description":"The cloud region where the resource is located, e.g., us-isof-south-1, eastus2, us-central1, etc.","group":"context","requirement":"recommended","profiles":null,"caption":"Region","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"cloud_resources_inventory_info","description":"Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.","uid":5023,"extends":"discovery","category":"discovery","constraints":{"at_least_one":["cloud","container","database","databucket","idp","resources","table"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Cloud Resources Inventory Info","category_uid":5},"kernel_object_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5006":{"description":"Kernel Object Query events report information about discovered kernel resources.","caption":"Kernel Object Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"kernel":{"type":"object_t","description":"The kernel object that pertains to the event.","group":"primary","requirement":"required","object_type":"kernel","caption":"Kernel","object_name":"Kernel Resource"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500600":{"caption":"Kernel Object Query: Unknown"},"500699":{"caption":"Kernel Object Query: Other"},"500601":{"description":"The discovered results are via a query request.","caption":"Kernel Object Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Kernel Object Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"kernel_object_query","description":"Kernel Object Query events report information about discovered kernel resources.","uid":5006,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Kernel Object Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"memory_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1004":{"description":"Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).","caption":"Memory Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"caption":"Delete Page"},"6":{"description":"Data Execution Permission","caption":"Enable DEP"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Allocate Page"},"2":{"caption":"Modify Page"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Buffer Overflow"},"5":{"description":"Data Execution Permission","caption":"Disable DEP"},"7":{"description":"Read (Example: ReadProcessMemory)","caption":"Read"},"8":{"description":"Write (Example: WriteProcessMemory)","caption":"Write"},"9":{"description":"Map View (Example: MapViewOfFile2)","caption":"Map View"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100400":{"caption":"Memory Activity: Unknown"},"100499":{"caption":"Memory Activity: Other"},"100401":{"caption":"Memory Activity: Allocate Page"},"100402":{"caption":"Memory Activity: Modify Page"},"100403":{"caption":"Memory Activity: Delete Page"},"100404":{"caption":"Memory Activity: Buffer Overflow"},"100405":{"description":"Data Execution Permission","caption":"Memory Activity: Disable DEP"},"100406":{"description":"Data Execution Permission","caption":"Memory Activity: Enable DEP"},"100407":{"description":"Read (Example: ReadProcessMemory)","caption":"Memory Activity: Read"},"100408":{"description":"Write (Example: WriteProcessMemory)","caption":"Memory Activity: Write"},"100409":{"description":"Map View (Example: MapViewOfFile2)","caption":"Memory Activity: Map View"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"actual_permissions":{"type":"integer_t","description":"The permissions that were granted to access memory.","group":"primary","requirement":"recommended","caption":"Actual Permissions","type_name":"Integer"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"size":{"type":"long_t","description":"The memory size that was access or requested.","group":"primary","requirement":"recommended","caption":"Size","type_name":"Long"},"process":{"type":"object_t","description":"The process that had memory allocated, read/written, or had other manipulation activities performed on it.","group":"primary","requirement":"required","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"requested_permissions":{"type":"integer_t","description":"The permissions mask that was requested to access memory.","group":"primary","requirement":"recommended","caption":"Requested Permissions","type_name":"Integer"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Memory Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"memory_activity","description":"Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).","uid":1004,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:MemoryEvent","url":"https://d3fend.mitre.org/event/d3f:MemoryEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Memory Activity","category_uid":1},"file_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5007":{"description":"File Query events report information about files that are present on the system.","caption":"File Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500700":{"caption":"File Query: Unknown"},"500799":{"caption":"File Query: Other"},"500701":{"description":"The discovered results are via a query request.","caption":"File Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: File Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the query.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"file_query","description":"File Query events report information about files that are present on the system.","uid":5007,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"File Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"application_error":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"6008":{"description":"Application Error events describe issues with an applications. The error message should be put in the event's message attribute. The metadata.product attribute can be used to capture the originating application information. The host profile can used to include the generating device information. This class is helpful for applications that generate or handle OCSF events and can also be used for errors in upstream products and services.","caption":"Application Error"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The application has experienced an error.","caption":"General Error"},"2":{"description":"The application has experienced an error translating (mapping) a raw event to OCSF. Including the original raw event in the raw_data field is highly recommended.","caption":"Translation Error"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600800":{"caption":"Application Error: Unknown"},"600899":{"caption":"Application Error: Other"},"600801":{"description":"The application has experienced an error.","caption":"Application Error: General Error"},"600802":{"description":"The application has experienced an error translating (mapping) a raw event to OCSF. Including the original raw event in the raw_data field is highly recommended.","caption":"Application Error: Translation Error"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The error message as reported by the application.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Application Error.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"application_error","description":"Application Error events describe issues with an applications. The error message should be put in the event'smessage attribute. The metadata.product attribute can be used to capture the originating application information. The host profile can used to include the generating device information. This class is helpful for applications that generate or handle OCSF events and can also be used for errors in upstream products and services.","uid":6008,"extends":"application","category":"application","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Application Activity","caption":"Application Error","category_uid":6},"win/windows_service_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"201004":{"description":"Windows Service Activity events report when a process interacts with the Service Control Manager.","caption":"Windows Service Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A stopped service is started, for example by calling StartService. Refer to the service attribute for details.","caption":"Start"},"6":{"description":"A paused service is continued, for example by calling ControlService or ControlServiceEx. Refer to the win_service attribute for details.","caption":"Continue"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A service is created, for example by calling CreateService. Refer to the win_service attribute for details.","caption":"Create"},"2":{"description":"A service is reconfigured, for example by calling ChangeServiceConfig or ChangeServiceConfig2. Refer to the win_service attribute for details.","caption":"Reconfigure"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A running or paused service is stopped, for example by calling ControlService or ControlServiceEx. Refer to the win_service attribute for details.","caption":"Stop"},"5":{"description":"A running service is paused, for example by calling ControlService or ControlServiceEx. Refer to the win_service attribute for details.","caption":"Pause"},"7":{"description":"A service is deleted, for example by calling DeleteService. Refer to the win_service attribute for details.","caption":"Delete"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"win_service":{"type":"object_t","description":"The Windows service.","group":"primary","extension":"win","requirement":"required","extension_id":2,"object_type":"win/win_service","caption":"Windows Service","object_name":"Windows Service"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20100400":{"caption":"Windows Service Activity: Unknown"},"20100499":{"caption":"Windows Service Activity: Other"},"20100401":{"description":"A service is created, for example by calling CreateService. Refer to the win_service attribute for details.","caption":"Windows Service Activity: Create"},"20100402":{"description":"A service is reconfigured, for example by calling ChangeServiceConfig or ChangeServiceConfig2. Refer to the win_service attribute for details.","caption":"Windows Service Activity: Reconfigure"},"20100403":{"description":"A stopped service is started, for example by calling StartService. Refer to the service attribute for details.","caption":"Windows Service Activity: Start"},"20100404":{"description":"A running or paused service is stopped, for example by calling ControlService or ControlServiceEx. Refer to the win_service attribute for details.","caption":"Windows Service Activity: Stop"},"20100405":{"description":"A running service is paused, for example by calling ControlService or ControlServiceEx. Refer to the win_service attribute for details.","caption":"Windows Service Activity: Pause"},"20100406":{"description":"A paused service is continued, for example by calling ControlService or ControlServiceEx. Refer to the win_service attribute for details.","caption":"Windows Service Activity: Continue"},"20100407":{"description":"A service is deleted, for example by calling DeleteService. Refer to the win_service attribute for details.","caption":"Windows Service Activity: Delete"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Windows Service Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"windows_service_activity","description":"Windows Service Activity events report when a process interacts with the Service Control Manager.","extension":"win","uid":201004,"extends":"system","category":"system","extension_id":2,"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Windows Service Activity","category_uid":1},"process_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5015":{"description":"Process Query events report information about running processes.","caption":"Process Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501500":{"caption":"Process Query: Unknown"},"501599":{"caption":"Process Query: Other"},"501501":{"description":"The discovered results are via a query request.","caption":"Process Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"process":{"type":"object_t","description":"The process object.","group":"primary","requirement":"required","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Process Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"process_query","description":"Process Query events report information about running processes.","uid":5015,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Process Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"module_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5011":{"description":"Module Query events report information about loaded modules.","caption":"Module Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"module":{"type":"object_t","description":"The module that pertains to the event.","group":"primary","requirement":"required","object_type":"module","caption":"Module","object_name":"Module"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501100":{"caption":"Module Query: Unknown"},"501199":{"caption":"Module Query: Other"},"501101":{"description":"The discovered results are via a query request.","caption":"Module Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"process":{"type":"object_t","description":"The process that loaded the module.","group":"primary","requirement":"required","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Module Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"module_query","description":"Module Query events report information about loaded modules.","uid":5011,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Module Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"vulnerability_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like severity_id.type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2002":{"description":"The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","caption":"Vulnerability Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A finding was closed.","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A finding was created.","caption":"Create"},"2":{"description":"A finding was updated.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the finding activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"resource":{"type":"object_t","description":"Describes details about the resource that is affected by the vulnerability/vulnerabilities.","group":"primary","requirement":"recommended","object_type":"resource_details","caption":"Resource","@deprecated":{"message":"Use the resources attribute instead.","since":"1.3.0"},"object_name":"Resource Details"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"Describes the affected device/host. If applicable, it can be used in conjunction with Resource(s). e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.
","group":"context","requirement":"optional","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200200":{"caption":"Vulnerability Finding: Unknown"},"200299":{"caption":"Vulnerability Finding: Other"},"200201":{"description":"A finding was created.","caption":"Vulnerability Finding: Create"},"200202":{"description":"A finding was updated.","caption":"Vulnerability Finding: Update"},"200203":{"description":"A finding was closed.","caption":"Vulnerability Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as:class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"group","caption":"Assignee Group","object_name":"Group"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The finding activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","group":"primary","requirement":"required","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"primary","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"recommended","profiles":["incident"],"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"A user provided comment about the finding.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Vulnerability Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Finding was reviewed, remediated and is now considered resolved.","caption":"Resolved"},"5":{"description":"The Finding was archived.","caption":"Archived"}},"description":"The normalized status identifier of the Finding, set by the consumer.","group":"context","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"user","caption":"Assignee","object_name":"User"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"vulnerability_finding","description":"The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Note: if the event producer is a security control, thesecurity_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","uid":2002,"extends":"finding","category":"findings","profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Vulnerability Finding","category_uid":2},"network_file_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"expiration_time":{"type":"timestamp_t","description":"The share expiration time.","group":"context","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4010":{"description":"Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.","caption":"Network File Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Update a file.","caption":"Update"},"6":{"description":"Copy a file.","caption":"Copy"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Upload a file.","caption":"Upload"},"2":{"description":"Download a file.","caption":"Download"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Delete a file.","caption":"Delete"},"5":{"description":"Rename a file.","caption":"Rename"},"7":{"description":"Move a file.","caption":"Move"},"8":{"description":"Restore a file.","caption":"Restore"},"9":{"description":"Preview a file.","caption":"Preview"},"10":{"description":"Lock a file.","caption":"Lock"},"11":{"description":"Unlock a file.","caption":"Unlock"},"12":{"description":"Share a file.","caption":"Share"},"14":{"description":"Open a file.","caption":"Open"},"15":{"description":"Mark a file or folder to sync with a computer.","caption":"Sync"},"16":{"description":"Mark a file or folder to not sync with a computer.","caption":"Unsync"},"13":{"description":"Unshare a file.","caption":"Unshare"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor that performed the activity on the target file.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"401000":{"caption":"Network File Activity: Unknown"},"401099":{"caption":"Network File Activity: Other"},"401001":{"description":"Upload a file.","caption":"Network File Activity: Upload"},"401002":{"description":"Download a file.","caption":"Network File Activity: Download"},"401003":{"description":"Update a file.","caption":"Network File Activity: Update"},"401004":{"description":"Delete a file.","caption":"Network File Activity: Delete"},"401005":{"description":"Rename a file.","caption":"Network File Activity: Rename"},"401006":{"description":"Copy a file.","caption":"Network File Activity: Copy"},"401007":{"description":"Move a file.","caption":"Network File Activity: Move"},"401008":{"description":"Restore a file.","caption":"Network File Activity: Restore"},"401009":{"description":"Preview a file.","caption":"Network File Activity: Preview"},"401010":{"description":"Lock a file.","caption":"Network File Activity: Lock"},"401011":{"description":"Unlock a file.","caption":"Network File Activity: Unlock"},"401012":{"description":"Share a file.","caption":"Network File Activity: Share"},"401013":{"description":"Unshare a file.","caption":"Network File Activity: Unshare"},"401014":{"description":"Open a file.","caption":"Network File Activity: Open"},"401015":{"description":"Mark a file or folder to sync with a computer.","caption":"Network File Activity: Sync"},"401016":{"description":"Mark a file or folder to not sync with a computer.","caption":"Network File Activity: Unsync"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The endpoint that performed the activity on the target file.","group":"primary","requirement":"required","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"context","requirement":"optional","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Network File Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The endpoint that received the activity on the target file.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the activity.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"network_file_activity","description":"Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.","uid":4010,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:NetworkEvent","url":"https://d3fend.mitre.org/event/d3f:NetworkEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"Network File Activity","@deprecated":{"message":"Use the new class:'File Hosting Activity' in the 'Application' category.","since":"1.1.0"},"category_uid":4},"inventory_info":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5001":{"description":"Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.","caption":"Device Inventory Info"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"The device that is being discovered by an inventory process.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500100":{"caption":"Device Inventory Info: Unknown"},"500199":{"caption":"Device Inventory Info: Other"},"500101":{"description":"The discovered information is via a log.","caption":"Device Inventory Info: Log"},"500102":{"description":"The discovered information is via a collection process.","caption":"Device Inventory Info: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Device Inventory Info.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"inventory_info","description":"Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.","uid":5001,"extends":"discovery","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Device Inventory Info","category_uid":5},"folder_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"folder":{"type":"object_t","description":"The folder that is the target of the query.","group":"primary","requirement":"required","object_type":"file","caption":"Folder","object_name":"File"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5008":{"description":"Folder Query events report information about folders that are present on the system.","caption":"Folder Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500800":{"caption":"Folder Query: Unknown"},"500899":{"caption":"Folder Query: Other"},"500801":{"description":"The discovered results are via a query request.","caption":"Folder Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Folder Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"folder_query","description":"Folder Query events report information about folders that are present on the system.","uid":5008,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Folder Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"event_log_actvity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1008":{"description":"Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.","caption":"Event Log Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Export the event log database, file, or cache.","caption":"Export"},"6":{"description":"Start the event logging service.","caption":"Start"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Clear the event log database, file, or cache.","caption":"Clear"},"2":{"description":"Delete the event log database, file, or cache.","caption":"Delete"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Archive the event log database, file, or cache.","caption":"Archive"},"5":{"description":"Rotate the event log database, file, or cache.","caption":"Rotate"},"7":{"description":"Stop the event logging service.","caption":"Stop"},"8":{"description":"Restart the event logging service.","caption":"Restart"},"9":{"description":"Enable the event logging service.","caption":"Enable"},"10":{"description":"Disable the event logging service.","caption":"Disable"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"The device that reported the event.","group":"primary","requirement":"recommended","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"log_type_id":{"type":"integer_t","enum":{"0":{"description":"The log type is unknown.","caption":"Unknown"},"1":{"description":"The log type is an Operating System log.","caption":"OS"},"2":{"description":"The log type is an Application log.","caption":"Application"},"99":{"description":"The log type is not mapped. See the log_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized log type identifier.","group":"primary","requirement":"recommended","caption":"Log Type ID","sibling":"log_type","type_name":"Integer"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity.","group":"primary","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100800":{"caption":"Event Log Activity: Unknown"},"100899":{"caption":"Event Log Activity: Other"},"100801":{"description":"Clear the event log database, file, or cache.","caption":"Event Log Activity: Clear"},"100802":{"description":"Delete the event log database, file, or cache.","caption":"Event Log Activity: Delete"},"100803":{"description":"Export the event log database, file, or cache.","caption":"Event Log Activity: Export"},"100804":{"description":"Archive the event log database, file, or cache.","caption":"Event Log Activity: Archive"},"100805":{"description":"Rotate the event log database, file, or cache.","caption":"Event Log Activity: Rotate"},"100806":{"description":"Start the event logging service.","caption":"Event Log Activity: Start"},"100807":{"description":"Stop the event logging service.","caption":"Event Log Activity: Stop"},"100808":{"description":"Restart the event logging service.","caption":"Event Log Activity: Restart"},"100809":{"description":"Enable the event logging service.","caption":"Event Log Activity: Enable"},"100810":{"description":"Disable the event logging service.","caption":"Event Log Activity: Disable"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The source endpoint for the event log activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"log_provider":{"type":"string_t","description":"The logging provider or logging service targeted by
the activity.Microsoft-Windows-Security-Auditing, Auditd, or Syslog.","group":"primary","requirement":"recommended","caption":"Log Provider","type_name":"String"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Event Log Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The targeted
endpoint for the event log activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.0, 8, or 21 for Windows ClearEventLog.","group":"primary","requirement":"recommended","caption":"Status Code","type_name":"String"},"raw_data_size":{"type":"long_t","description":"The size of the raw data which was transformed into an OCSF event, in bytes.","group":"context","requirement":"optional","caption":"Raw Data Size","type_name":"Long"},"status":{"type":"string_t","description":"The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Status","type_name":"String"},"raw_data":{"type":"string_t","description":"The raw event/finding data as received from the source.","group":"context","requirement":"optional","caption":"Raw Data","type_name":"String"},"status_id":{"type":"integer_t","enum":{"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"caption":"Success"},"2":{"caption":"Failure"},"99":{"description":"The status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"log_type":{"type":"string_t","description":"The log type, normalized to the caption of the log_type_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Log Type","type_name":"String"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event outcome.Success, Privilege Missing, or Invalid Parameter for Windows ClearEventLog.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"log_name":{"type":"string_t","description":"The name of the event log targeted by
the activity. Example: WindowsSecurity.","group":"primary","requirement":"recommended","caption":"Log Name","type_name":"String"},"file":{"type":"object_t","description":"The file targeted by
the activity. Example:/var/log/audit.log","group":"primary","requirement":"recommended","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"event_log_actvity","description":"Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.","uid":1008,"extends":"system","category":"system","constraints":{"at_least_one":["log_file","log_name","log_provider","log_type","log_type_id"]},"references":[{"description":"D3FEND™ Ontology d3f:EventLogEvent","url":"https://d3fend.mitre.org/event/d3f:EventLogEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Event Log Activity","category_uid":1},"http_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g.,https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"The HTTP Response from a web server to a requester.","group":"primary","requirement":"recommended","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"4002":{"description":"HTTP Activity events report HTTP connection and traffic information.","caption":"HTTP Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.","caption":"Get"},"6":{"description":"The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.","caption":"Post"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The CONNECT method establishes a tunnel to the server identified by the target resource.","caption":"Connect"},"2":{"description":"The DELETE method deletes the specified resource.","caption":"Delete"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The HEAD method asks for a response identical to a GET request, but without the response body.","caption":"Head"},"5":{"description":"The OPTIONS method describes the communication options for the target resource.","caption":"Options"},"7":{"description":"The PUT method replaces all current representations of the target resource with the request payload.","caption":"Put"},"8":{"description":"The TRACE method performs a message loop-back test along the path to the target resource.","caption":"Trace"},"9":{"description":"The PATCH method applies partial modifications to a resource.","caption":"Patch"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400200":{"caption":"HTTP Activity: Unknown"},"400299":{"caption":"HTTP Activity: Other"},"400201":{"description":"The CONNECT method establishes a tunnel to the server identified by the target resource.","caption":"HTTP Activity: Connect"},"400202":{"description":"The DELETE method deletes the specified resource.","caption":"HTTP Activity: Delete"},"400203":{"description":"The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.","caption":"HTTP Activity: Get"},"400204":{"description":"The HEAD method asks for a response identical to a GET request, but without the response body.","caption":"HTTP Activity: Head"},"400205":{"description":"The OPTIONS method describes the communication options for the target resource.","caption":"HTTP Activity: Options"},"400206":{"description":"The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.","caption":"HTTP Activity: Post"},"400207":{"description":"The PUT method replaces all current representations of the target resource with the request payload.","caption":"HTTP Activity: Put"},"400208":{"description":"The TRACE method performs a message loop-back test along the path to the target resource.","caption":"HTTP Activity: Trace"},"400209":{"description":"The PATCH method applies partial modifications to a resource.","caption":"HTTP Activity: Patch"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"http_status":{"type":"integer_t","description":"The Hypertext Transfer Protocol (HTTP) status code returned to the client.","group":"primary","requirement":"recommended","caption":"HTTP Status","type_name":"Integer","@deprecated":{"message":"Use the http_response.code attribute instead.","since":"1.1.0"}},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"trace":{"type":"object_t","description":"The trace object contains information about distributed traces which are critical to observability and describe how requests move through a system, capturing each step's timing and status.","group":"primary","requirement":"recommended","profiles":["trace"],"object_type":"trace","caption":"Trace","object_name":"Trace"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"The HTTP Request Object documents attributes of a request made to a web server.","group":"primary","requirement":"recommended","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"http_cookies":{"type":"object_t","description":"The cookies object describes details about HTTP cookies","group":"primary","is_array":true,"requirement":"recommended","object_type":"http_cookie","caption":"HTTP Cookies","object_name":"HTTP Cookie"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: HTTP Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the HTTP activity.","group":"context","requirement":"optional","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"http_activity","description":"HTTP Activity events report HTTP connection and traffic information.","uid":4002,"extends":"network","category":"network","constraints":{"at_least_one":["http_request","http_response"]},"references":[{"description":"D3FEND™ Ontology d3f:HTTPEvent","url":"https://d3fend.mitre.org/event/d3f:HTTPEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control","trace"],"category_name":"Network Activity","caption":"HTTP Activity","category_uid":4},"detection_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes likeseverity_id.type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2004":{"description":"A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","caption":"Detection Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"anomaly_analyses":{"type":"object_t","description":"Describes baseline information about normal activity patterns, along with any detected deviations or anomalies that triggered this finding.","group":"context","is_array":true,"requirement":"optional","object_type":"anomaly_analysis","caption":"Anomaly Analyses","object_name":"Anomaly Analysis"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A finding was closed.","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A finding was created.","caption":"Create"},"2":{"description":"A finding was updated.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the finding activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Details","type_name":"String"},"evidences":{"type":"object_t","description":"Describes various evidence artifacts associated to the activity/activities that triggered a security detection.","group":"primary","is_array":true,"requirement":"recommended","object_type":"evidences","caption":"Evidence Artifacts","object_name":"Evidence Artifacts"},"malware_scan_info":{"type":"object_t","description":"Describes details about malware scan job that triggered this Detection Finding.","group":"context","requirement":"optional","profiles":null,"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"Describes the affected device/host. If applicable, it can be used in conjunction with Resource(s). e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.
","group":"context","requirement":"optional","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200400":{"caption":"Detection Finding: Unknown"},"200499":{"caption":"Detection Finding: Other"},"200401":{"description":"A finding was created.","caption":"Detection Finding: Create"},"200402":{"description":"A finding was updated.","caption":"Detection Finding: Update"},"200403":{"description":"A finding was closed.","caption":"Detection Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as:class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"group","caption":"Assignee Group","object_name":"Group"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The finding activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","group":"primary","requirement":"required","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"context","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"optional","profiles":null,"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. For example, an activity_id of 'Create' could constitute an alertable signal and the value would be true, while 'Close' likely would not and either omit the attribute or set its value to false. Note that other events with the security_control profile may also be deemed alertable signals and may also carry is_alert = true attributes.","group":"primary","requirement":"recommended","profiles":null,"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":null,"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"A user provided comment about the finding.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Detection Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Finding was reviewed, remediated and is now considered resolved.","caption":"Resolved"},"5":{"description":"The Finding was archived.","caption":"Archived"}},"description":"The normalized status identifier of the Finding, set by the consumer.","group":"context","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"user","caption":"Assignee","object_name":"User"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"context","requirement":"optional","profiles":null,"caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"detection_finding","description":"A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, thesecurity_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. incident profile or aggregate this finding into an Incident Finding.","uid":2004,"extends":"finding","category":"findings","profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Detection Finding","category_uid":2},"startup_item_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"startup_item":{"type":"object_t","description":"The startup item object describes an application component that has associated startup criteria and configurations.","group":"primary","requirement":"required","object_type":"startup_item","caption":"Startup Item","object_name":"Startup Item"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5022":{"description":"Startup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.","caption":"Startup Item Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"502200":{"caption":"Startup Item Query: Unknown"},"502299":{"caption":"Startup Item Query: Other"},"502201":{"description":"The discovered results are via a query request.","caption":"Startup Item Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Startup Item Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"startup_item_query","description":"Startup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.","uid":5022,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Startup Item Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"ssh_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"client_hassh":{"type":"object_t","description":"The Client HASSH fingerprinting object.","group":"primary","requirement":"recommended","object_type":"hassh","caption":"Client HASSH","object_name":"HASSH"},"class_uid":{"type":"integer_t","enum":{"4007":{"description":"SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.","caption":"SSH Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The network connection was abnormally terminated or closed by a middle device like firewalls.","caption":"Reset"},"6":{"description":"Network traffic report.","caption":"Traffic"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A new network connection was opened.","caption":"Open"},"2":{"description":"The network connection was closed.","caption":"Close"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The network connection failed. For example a connection timeout or no route to host.","caption":"Fail"},"5":{"description":"The network connection was refused. For example an attempt to connect to a server port which is not open.","caption":"Refuse"},"7":{"description":"A network endpoint began listening for new network connections.","caption":"Listen"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"auth_type_id":{"type":"integer_t","enum":{"3":{"description":"Authentication based on the client host's identity.","caption":"Host Based"},"6":{"description":"Paired public key authentication.","caption":"Public Key"},"0":{"description":"The authentication type is unknown.","caption":"Unknown"},"1":{"description":"Authentication using digital certificates.","caption":"Certificate Based"},"2":{"description":"GSSAPI for centralized authentication.","caption":"GSSAPI"},"99":{"description":"The authentication type is not mapped. See the auth_type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Multi-step, interactive authentication.","caption":"Keyboard Interactive"},"5":{"description":"Password Authentication.","caption":"Password"}},"description":"The normalized identifier of the SSH authentication type.","group":"primary","requirement":"recommended","caption":"Authentication Type ID","sibling":"auth_type","type_name":"Integer"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"server_hassh":{"type":"object_t","description":"The Server HASSH fingerprinting object.","group":"primary","requirement":"recommended","object_type":"hassh","caption":"Server HASSH","object_name":"HASSH"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400700":{"caption":"SSH Activity: Unknown"},"400799":{"caption":"SSH Activity: Other"},"400701":{"description":"A new network connection was opened.","caption":"SSH Activity: Open"},"400702":{"description":"The network connection was closed.","caption":"SSH Activity: Close"},"400703":{"description":"The network connection was abnormally terminated or closed by a middle device like firewalls.","caption":"SSH Activity: Reset"},"400704":{"description":"The network connection failed. For example a connection timeout or no route to host.","caption":"SSH Activity: Fail"},"400705":{"description":"The network connection was refused. For example an attempt to connect to a server port which is not open.","caption":"SSH Activity: Refuse"},"400706":{"description":"Network traffic report.","caption":"SSH Activity: Traffic"},"400707":{"description":"A network endpoint began listening for new network connections.","caption":"SSH Activity: Listen"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"auth_type":{"type":"string_t","description":"The SSH authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Authentication Type","type_name":"String"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: SSH Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that is the target of the SSH activity.","group":"context","requirement":"optional","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"ssh_activity","description":"SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.","uid":4007,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:SSHEvent","url":"https://d3fend.mitre.org/event/d3f:SSHEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"SSH Activity","category_uid":4},"web_resource_access_activity":{"attributes":{"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the HTTP response, if available.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"6004":{"description":"Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.","caption":"Web Resource Access Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The incoming request's access has been revoked due to security policy enforcements.","caption":"Access Revoke"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The incoming request has permission to the web resource.","caption":"Access Grant"},"2":{"description":"The incoming request does not have permission to the web resource.","caption":"Access Deny"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"An error occurred during processing the request.","caption":"Access Error"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes, if available.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600400":{"caption":"Web Resource Access Activity: Unknown"},"600499":{"caption":"Web Resource Access Activity: Other"},"600401":{"description":"The incoming request has permission to the web resource.","caption":"Web Resource Access Activity: Access Grant"},"600402":{"description":"The incoming request does not have permission to the web resource.","caption":"Web Resource Access Activity: Access Deny"},"600403":{"description":"The incoming request's access has been revoked due to security policy enforcements.","caption":"Web Resource Access Activity: Access Revoke"},"600404":{"description":"An error occurred during processing the request.","caption":"Web Resource Access Activity: Access Error"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source endpoint of the request.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"required","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Web Resource Access Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"Details about the proxy service, if available.","group":"context","requirement":"optional","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"web_resources":{"type":"object_t","description":"Details about the resource that is the target of the activity.","group":"primary","is_array":true,"requirement":"required","object_type":"web_resource","caption":"Web Resources","object_name":"Web Resource"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"web_resource_access_activity","description":"Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.","uid":6004,"extends":"application","category":"application","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Application Activity","caption":"Web Resource Access Activity","@deprecated":{"message":"Use theWeb Resources Activity class with the Security Control and/or Network Proxy profile instead.","since":"1.1.0"},"category_uid":6},"script_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"script":{"type":"object_t","description":"The script that was the target of the activity.","group":"primary","requirement":"required","object_type":"script","caption":"Script","object_name":"Script"},"class_uid":{"type":"integer_t","enum":{"1009":{"description":"Script Activity events report when a process executes a script.","caption":"Script Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Execute"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100900":{"caption":"Script Activity: Unknown"},"100999":{"caption":"Script Activity: Other"},"100901":{"caption":"Script Activity: Execute"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Script Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"script_activity","description":"Script Activity events report when a process executes a script.","uid":1009,"extends":"system","category":"system","associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Script Activity","category_uid":1},"entity_management":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the underlying HTTP response.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"3004":{"description":"Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.","caption":"Entity Management"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"entity_result":{"type":"object_t","description":"The updated managed entity.","group":"primary","requirement":"recommended","object_type":"managed_entity","caption":"Entity Result","object_name":"Managed Entity"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Update an existing managed entity.","caption":"Update"},"6":{"description":"Enroll an existing managed entity.","caption":"Enroll"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Create a new managed entity.","caption":"Create"},"2":{"description":"Read an existing managed entity.","caption":"Read"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Delete a managed entity.","caption":"Delete"},"5":{"description":"Move or rename an existing managed entity.","caption":"Move"},"7":{"description":"Unenroll an existing managed entity.","caption":"Unenroll"},"8":{"description":"Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.","caption":"Enable"},"9":{"description":"Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.","caption":"Disable"},"10":{"description":"Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine.","caption":"Activate"},"11":{"description":"Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine.","caption":"Deactivate"},"12":{"description":"Suspend an existing managed entity.","caption":"Suspend"},"13":{"description":"Resume (unsuspend) an existing managed entity.","caption":"Resume"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"access_list":{"type":"string_t","description":"The list of requested access rights.","group":"context","is_array":true,"requirement":"optional","caption":"Access List","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"3":{"description":"Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.","uid":3,"caption":"Identity & Access Management"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"recommended","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"300400":{"caption":"Entity Management: Unknown"},"300499":{"caption":"Entity Management: Other"},"300401":{"description":"Create a new managed entity.","caption":"Entity Management: Create"},"300402":{"description":"Read an existing managed entity.","caption":"Entity Management: Read"},"300403":{"description":"Update an existing managed entity.","caption":"Entity Management: Update"},"300404":{"description":"Delete a managed entity.","caption":"Entity Management: Delete"},"300405":{"description":"Move or rename an existing managed entity.","caption":"Entity Management: Move"},"300406":{"description":"Enroll an existing managed entity.","caption":"Entity Management: Enroll"},"300407":{"description":"Unenroll an existing managed entity.","caption":"Entity Management: Unenroll"},"300408":{"description":"Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.","caption":"Entity Management: Enable"},"300409":{"description":"Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.","caption":"Entity Management: Disable"},"300410":{"description":"Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine.","caption":"Entity Management: Activate"},"300411":{"description":"Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine.","caption":"Entity Management: Deactivate"},"300412":{"description":"Suspend an existing managed entity.","caption":"Entity Management: Suspend"},"300413":{"description":"Resume (unsuspend) an existing managed entity.","caption":"Entity Management: Resume"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"access_mask":{"type":"integer_t","description":"The access mask in a platform-native format.","group":"context","requirement":"optional","caption":"Access Mask","type_name":"Integer"},"entity":{"type":"object_t","description":"The managed entity that is being acted upon.","group":"primary","requirement":"required","object_type":"managed_entity","caption":"Entity","object_name":"Managed Entity"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the source of the IAM activity.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Identity & Access Management.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"optional","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"The user provided comment about why the entity was changed.","group":"primary","requirement":"recommended","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Entity Management.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"entity_management","description":"Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.","uid":3004,"extends":"iam","category":"iam","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Identity & Access Management","caption":"Entity Management","category_uid":3},"web_resources_activity":{"attributes":{"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the HTTP response, if available.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"6001":{"description":"Web Resources Activity events describe actions executed on a set of Web Resources.","caption":"Web Resources Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"One or more web resources were updated.","caption":"Update"},"6":{"description":"One or more web resources were imported into an Application.","caption":"Import"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"One or more web resources were created.","caption":"Create"},"2":{"description":"One or more web resources were read / viewed.","caption":"Read"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"One or more web resources were deleted.","caption":"Delete"},"5":{"description":"A search was performed on one or more web resources.","caption":"Search"},"7":{"description":"One or more web resources were exported from an Application.","caption":"Export"},"8":{"description":"One or more web resources were shared.","caption":"Share"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes, if available.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"web_resources_result":{"type":"object_t","description":"The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.","group":"primary","is_array":true,"requirement":"recommended","object_type":"web_resource","caption":"Web Resources Result","object_name":"Web Resource"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600100":{"caption":"Web Resources Activity: Unknown"},"600199":{"caption":"Web Resources Activity: Other"},"600101":{"description":"One or more web resources were created.","caption":"Web Resources Activity: Create"},"600102":{"description":"One or more web resources were read / viewed.","caption":"Web Resources Activity: Read"},"600103":{"description":"One or more web resources were updated.","caption":"Web Resources Activity: Update"},"600104":{"description":"One or more web resources were deleted.","caption":"Web Resources Activity: Delete"},"600105":{"description":"A search was performed on one or more web resources.","caption":"Web Resources Activity: Search"},"600106":{"description":"One or more web resources were imported into an Application.","caption":"Web Resources Activity: Import"},"600107":{"description":"One or more web resources were exported from an Application.","caption":"Web Resources Activity: Export"},"600108":{"description":"One or more web resources were shared.","caption":"Web Resources Activity: Share"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"Details about the endpoint from which the request originated.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"recommended","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Web Resources Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"Details about server providing the web resources.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"web_resources":{"type":"object_t","description":"Describes details about web resources that were affected by an activity/event.","group":"primary","is_array":true,"requirement":"required","object_type":"web_resource","caption":"Web Resources","object_name":"Web Resource"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"web_resources_activity","description":"Web Resources Activity events describe actions executed on a set of Web Resources.","uid":6001,"extends":"application","category":"application","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Application Activity","caption":"Web Resources Activity","category_uid":6},"email_url_activity":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4012":{"description":"Email URL Activity events report URLs within an email.","caption":"Email URL Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Email URL being scanned (example: security scanning).","caption":"Scan"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Send"},"2":{"caption":"Receive"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"email_uid":{"type":"string_t","description":"The unique identifier of the email, used to correlate related email alert and activity events.","group":"primary","requirement":"required","caption":"Email UID","type_name":"String","@deprecated":{"message":"Use the email.uid attribute instead.","since":"1.4.0"}},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"url":{"type":"object_t","description":"The URL included in the email content.","group":"primary","requirement":"required","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"401200":{"caption":"Email URL Activity: Unknown"},"401299":{"caption":"Email URL Activity: Other"},"401201":{"caption":"Email URL Activity: Send"},"401202":{"caption":"Email URL Activity: Receive"},"401203":{"description":"Email URL being scanned (example: security scanning).","caption":"Email URL Activity: Scan"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Email URL Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"email_url_activity","description":"Email URL Activity events report URLs within an email.","uid":4012,"extends":"base_event","category":"network","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Network Activity","caption":"Email URL Activity","@deprecated":{"message":"Use theEmail Activity class with the email.urls[] array instead.","since":"1.3.0"},"category_uid":4},"network_connection_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"state_id":{"type":"integer_t","enum":{"3":{"description":"The socket has passively received a connection request from a remote peer.","caption":"SYN_RECV"},"6":{"description":"The socket connection has been closed by the local application, the remote peer has closed its half of the connection, and the system is waiting to be sure that the remote peer received the last acknowledgement.","caption":"TIME_WAIT"},"0":{"description":"The socket state is unknown.","caption":"Unknown"},"1":{"description":"The socket has an established connection between a local application and a remote peer.","caption":"ESTABLISHED"},"2":{"description":"The socket is actively trying to establish a connection to a remote peer.","caption":"SYN_SENT"},"99":{"description":"The state is not mapped. See the state attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The socket connection has been closed by the local application, the remote peer has not yet acknowledged the close, and the system is waiting for it to close its half of the connection.","caption":"FIN_WAIT1"},"5":{"description":"The socket connection has been closed by the local application, the remote peer has acknowledged the close, and the system is waiting for it to close its half of the connection.","caption":"FIN_WAIT2"},"7":{"description":"The socket is not in use.","caption":"CLOSED"},"8":{"description":"The socket connection has been closed by the remote peer, and the system is waiting for the local application to close its half of the connection.","caption":"CLOSE_WAIT"},"9":{"description":"The socket connection has been closed by the remote peer, the local application has closed its half of the connection, and the system is waiting for the remote peer to acknowledge the close.","caption":"LAST_ACK"},"10":{"description":"The socket is listening for incoming connections.","caption":"LISTEN"},"11":{"description":"The socket connection has been closed by the local application and the remote peer simultaneously, and the remote peer has not yet acknowledged the close attempt of the local application.","caption":"CLOSING"}},"description":"The state of the socket.","group":"primary","requirement":"required","caption":"State ID","sibling":"state","type_name":"Integer"},"state":{"type":"string_t","description":"The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"State","type_name":"String"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5012":{"description":"Network Connection Query events report information about active network connections.","caption":"Network Connection Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501200":{"caption":"Network Connection Query: Unknown"},"501299":{"caption":"Network Connection Query: Other"},"501201":{"description":"The discovered results are via a query request.","caption":"Network Connection Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"process":{"type":"object_t","description":"The process that owns the socket.","group":"primary","requirement":"required","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"required","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Network Connection Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"network_connection_query","description":"Network Connection Query events report information about active network connections.","uid":5012,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Network Connection Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"iam_analysis_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like severity_id.type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2008":{"description":"This finding represents an IAM analysis result, which evaluates IAM policies, access patterns, and IAM configurations for potential security risks. The analysis can focus on either an identity (user, role, service account) or a resource to assess permissions, access patterns, and security posture within the IAM domain. permission_analysis_results for identity-centric analysis (evaluating what an identity can do) and access_analysis_result for resource-centric analysis (evaluating who can access a resource). These complement each other for comprehensive IAM security assessment.incident profile or aggregate this finding into an Incident Finding.","caption":"IAM Analysis Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"Details about the identity (user, role, service account, or other principal) that is the subject of the IAM analysis. This provides context about the identity being evaluated for security risks and access patterns.","group":"primary","requirement":"recommended","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"A finding was closed.","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A finding was created.","caption":"Create"},"2":{"description":"A finding was updated.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the finding activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Verdict","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","profiles":["incident"],"caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"permission_analysis_results":{"type":"object_t","description":"Describes analysis results of permissions, policies directly associated with an identity (user, role, or service account). This evaluates what permissions an identity has been granted through attached policies, which privileges are actively used versus unused, and identifies potential over-privileged access. Use this for identity-centric security assessments such as privilege audits, dormant permission discovery, and least-privilege compliance analysis.","group":"primary","is_array":true,"requirement":"recommended","object_type":"permission_analysis_result","caption":"Permission Analysis Results","object_name":"Permission Analysis Result"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"Describes the affected device/host. If applicable, it can be used in conjunction with Resource(s). e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.
","group":"context","requirement":"optional","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200800":{"caption":"IAM Analysis Finding: Unknown"},"200899":{"caption":"IAM Analysis Finding: Other"},"200801":{"description":"A finding was created.","caption":"IAM Analysis Finding: Create"},"200802":{"description":"A finding was updated.","caption":"IAM Analysis Finding: Update"},"200803":{"description":"A finding was closed.","caption":"IAM Analysis Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as:class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"access_analysis_result":{"type":"object_t","description":"Describes access relationships and pathways between identities, resources, focusing on who can access what and through which mechanisms. This evaluates access levels (read/write/admin), access types (direct, cross-account, public, federated), and the conditions under which access is granted. Use this for resource-centric security assessments such as external access discovery, public exposure analysis, etc.","group":"context","requirement":"optional","object_type":"access_analysis_result","caption":"Access Analysis Result","object_name":"Access Analysis Result"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"applications":{"type":"object_t","description":"Details about applications, services, or systems that are accessible based on the IAM analysis. For identity-centric analysis, this represents applications the identity can access. For resource-centric analysis, this represents applications that can access the resource.","group":"primary","is_array":true,"requirement":"recommended","object_type":"application","caption":"Applications","object_name":"Application"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"group","caption":"Assignee Group","object_name":"Group"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The finding activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"finding_info":{"type":"object_t","description":"Describes the supporting information about a generated finding.","group":"primary","requirement":"required","object_type":"finding_info","caption":"Finding Information","object_name":"Finding Information"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"primary","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"recommended","profiles":["incident"],"caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"A user provided comment about the finding.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the finding.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: IAM Analysis Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Finding was reviewed, remediated and is now considered resolved.","caption":"Resolved"},"5":{"description":"The Finding was archived.","caption":"Archived"}},"description":"The normalized status identifier of the Finding, set by the consumer.","group":"context","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","profiles":["incident"],"object_type":"user","caption":"Assignee","object_name":"User"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"primary","requirement":"recommended","profiles":["incident"],"caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the finding.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"iam_analysis_finding","description":"This finding represents an IAM analysis result, which evaluates IAM policies, access patterns, and IAM configurations for potential security risks. The analysis can focus on either an identity (user, role, service account) or a resource to assess permissions, access patterns, and security posture within the IAM domain.permission_analysis_results for identity-centric analysis (evaluating what an identity can do) and access_analysis_result for resource-centric analysis (evaluating who can access a resource). These complement each other for comprehensive IAM security assessment.incident profile or aggregate this finding into an Incident Finding.","uid":2008,"extends":"finding","category":"findings","constraints":{"at_least_one":["access_analysis_result","applications","identity_activity_metrics","permission_analysis_results"]},"profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"IAM Analysis Finding","category_uid":2},"ntp_activity":{"attributes":{"dispersion":{"type":"integer_t","description":"The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.","group":"primary","requirement":"recommended","caption":"Root Dispersion","type_name":"Integer"},"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4013":{"description":"The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.","caption":"NTP Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"NTP client, syncs with servers.","caption":"Client Synchronization"},"6":{"description":"Monitoring and control messaging.","caption":"Control"},"0":{"description":"Not used in standard NTP implementations.","caption":"Unknown"},"1":{"description":"Bidirectional time exchange between devices.","caption":"Symmetric Active Exchange"},"2":{"description":"Device responds as a server to peers in symmetric active mode.","caption":"Symmetric Passive Response"},"99":{"description":"The event activity is not mapped.","caption":"Other"},"4":{"description":"Dedicated NTP time server, responds to clients.","caption":"Server Response"},"5":{"description":"Broadcast time info to network devices.","caption":"Broadcast"},"7":{"description":"Reserved - Not defined in standard NTP specifications.","caption":"Private Use Case"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"stratum_id":{"type":"integer_t","enum":{"0":{"description":"Unspecified or invalid.","caption":"Unknown"},"1":{"description":"The highest precision primary server (e.g atomic clock or GPS).","caption":"Primary Server"},"2":{"description":"A secondary level server (possible values: 2-15).","caption":"Secondary Server"},"99":{"description":"The stratum level is not mapped. See the stratum attribute, which contains a data source specific value.","caption":"Other"},"16":{"caption":"Unsynchronized"},"17":{"description":"Reserved stratum (possible values: 17-255).","caption":"Reserved"}},"description":"The normalized identifier of the stratum level, as defined in RFC-5905.","group":"primary","requirement":"recommended","caption":"Stratum ID","sibling":"stratum","type_name":"Integer"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"401300":{"caption":"NTP Activity: Unknown"},"401399":{"description":"The event activity is not mapped.","caption":"NTP Activity: Other"},"401301":{"description":"Bidirectional time exchange between devices.","caption":"NTP Activity: Symmetric Active Exchange"},"401302":{"description":"Device responds as a server to peers in symmetric active mode.","caption":"NTP Activity: Symmetric Passive Response"},"401303":{"description":"NTP client, syncs with servers.","caption":"NTP Activity: Client Synchronization"},"401304":{"description":"Dedicated NTP time server, responds to clients.","caption":"NTP Activity: Server Response"},"401305":{"description":"Broadcast time info to network devices.","caption":"NTP Activity: Broadcast"},"401306":{"description":"Monitoring and control messaging.","caption":"NTP Activity: Control"},"401307":{"description":"Reserved - Not defined in standard NTP specifications.","caption":"NTP Activity: Private Use Case"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"version":{"type":"string_t","description":"The version number of the NTP protocol.","group":"context","requirement":"required","caption":"Version","type_name":"String"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"precision":{"type":"integer_t","description":"The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905.","group":"primary","requirement":"recommended","caption":"Precision","type_name":"Integer"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"delay":{"type":"integer_t","description":"The total round-trip delay to the reference clock in milliseconds.","group":"primary","requirement":"recommended","caption":"Root Delay","type_name":"Integer"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"stratum":{"type":"string_t","description":"The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.","group":"primary","requirement":"recommended","caption":"Stratum","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: NTP Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"ntp_activity","description":"The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.","uid":4013,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:NTPEvent","url":"https://d3fend.mitre.org/event/d3f:NTPEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"NTP Activity","category_uid":4},"file_hosting":{"attributes":{"expiration_time":{"type":"timestamp_t","description":"The share expiration time.","group":"context","requirement":"optional","caption":"Expiration Time","type_name":"Timestamp"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"http_response":{"type":"object_t","description":"Details about the HTTP response, if available.","group":"context","requirement":"optional","object_type":"http_response","caption":"HTTP Response","object_name":"HTTP Response"},"class_uid":{"type":"integer_t","enum":{"6006":{"description":"File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, Google Drive, or network file share services.","caption":"File Hosting Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Update a file.","caption":"Update"},"6":{"description":"Copy a file.","caption":"Copy"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Upload a file.","caption":"Upload"},"2":{"description":"Download a file.","caption":"Download"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Delete a file.","caption":"Delete"},"5":{"description":"Rename a file.","caption":"Rename"},"7":{"description":"Move a file.","caption":"Move"},"8":{"description":"Restore a file.","caption":"Restore"},"9":{"description":"Preview a file.","caption":"Preview"},"10":{"description":"Lock a file.","caption":"Lock"},"11":{"description":"Unlock a file.","caption":"Unlock"},"12":{"description":"Share a file.","caption":"Share"},"14":{"description":"Open a file.","caption":"Open"},"15":{"description":"Mark a file or folder to sync with a computer.","caption":"Sync"},"16":{"description":"Mark a file or folder to not sync with a computer.","caption":"Unsync"},"17":{"description":"Access check for a file. The security_control profile can be used to add the access check results.","caption":"Access Check"},"13":{"description":"Unshare a file.","caption":"Unshare"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"share":{"type":"string_t","description":"The share name.","group":"context","requirement":"optional","caption":"Share","type_name":"String"},"access_list":{"type":"string_t","description":"The list of requested access rights.","group":"context","is_array":true,"requirement":"optional","caption":"Access List","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"6":{"description":"Application Activity events report detailed information about the behavior of applications and services.","uid":6,"caption":"Application Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"access_result":{"type":"json_t","description":"The list of access check results.","group":"context","requirement":"optional","caption":"Access Check Result","type_name":"JSON"},"share_type":{"type":"string_t","description":"The share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","caption":"Share Type","type_name":"String"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the target file.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"600600":{"caption":"File Hosting Activity: Unknown"},"600699":{"caption":"File Hosting Activity: Other"},"600601":{"description":"Upload a file.","caption":"File Hosting Activity: Upload"},"600602":{"description":"Download a file.","caption":"File Hosting Activity: Download"},"600603":{"description":"Update a file.","caption":"File Hosting Activity: Update"},"600604":{"description":"Delete a file.","caption":"File Hosting Activity: Delete"},"600605":{"description":"Rename a file.","caption":"File Hosting Activity: Rename"},"600606":{"description":"Copy a file.","caption":"File Hosting Activity: Copy"},"600607":{"description":"Move a file.","caption":"File Hosting Activity: Move"},"600608":{"description":"Restore a file.","caption":"File Hosting Activity: Restore"},"600609":{"description":"Preview a file.","caption":"File Hosting Activity: Preview"},"600610":{"description":"Lock a file.","caption":"File Hosting Activity: Lock"},"600611":{"description":"Unlock a file.","caption":"File Hosting Activity: Unlock"},"600612":{"description":"Share a file.","caption":"File Hosting Activity: Share"},"600613":{"description":"Unshare a file.","caption":"File Hosting Activity: Unshare"},"600614":{"description":"Open a file.","caption":"File Hosting Activity: Open"},"600615":{"description":"Mark a file or folder to sync with a computer.","caption":"File Hosting Activity: Sync"},"600616":{"description":"Mark a file or folder to not sync with a computer.","caption":"File Hosting Activity: Unsync"},"600617":{"description":"Access check for a file. The security_control profile can be used to add the access check results.","caption":"File Hosting Activity: Access Check"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"access_mask":{"type":"integer_t","description":"The sum of hexadecimal values of requested access rights.","group":"context","requirement":"optional","caption":"Access Mask","type_name":"Integer"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The endpoint that performed the activity on the target file.","group":"primary","requirement":"required","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Application Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"share_type_id":{"type":"integer_t","enum":{"3":{"caption":"Print"},"0":{"description":"The share type is unknown.","caption":"Unknown"},"1":{"caption":"File"},"2":{"caption":"Pipe"},"99":{"description":"The share type is not mapped. See the share_type attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the share type.","group":"context","requirement":"optional","caption":"Share Type ID","sibling":"share_type","type_name":"Integer"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"http_request":{"type":"object_t","description":"Details about the underlying HTTP request.","group":"context","requirement":"recommended","object_type":"http_request","caption":"HTTP Request","object_name":"HTTP Request"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"context","requirement":"optional","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: File Hosting Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The endpoint that received the activity on the target file.","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file_result":{"type":"object_t","description":"The resulting file object when the activity was allowed and successful.","group":"context","requirement":"optional","object_type":"file","caption":"File Result","object_name":"File"},"file":{"type":"object_t","description":"The file that is the target of the activity.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"file_hosting","description":"File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, Google Drive, or network file share services.","uid":6006,"extends":"application","category":"application","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Application Activity","caption":"File Hosting Activity","category_uid":6},"osint_inventory_info":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5021":{"description":"OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.","caption":"OSINT Inventory Info"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT that is being discovered by an inventory process.","group":"primary","is_array":true,"requirement":"required","profiles":null,"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"502100":{"caption":"OSINT Inventory Info: Unknown"},"502199":{"caption":"OSINT Inventory Info: Other"},"502101":{"description":"The discovered information is via a log.","caption":"OSINT Inventory Info: Log"},"502102":{"description":"The discovered information is via a collection process.","caption":"OSINT Inventory Info: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: OSINT Inventory Info.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"osint_inventory_info","description":"OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.","uid":5021,"extends":"discovery","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"OSINT Inventory Info","category_uid":5},"incident_finding":{"attributes":{"vendor_attributes":{"type":"object_t","description":"The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes likeseverity_id.type attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The incident is suspicious.","caption":"Suspicious"},"5":{"description":"The incident is benign.","caption":"Benign"},"7":{"description":"The incident has insufficient data to make a verdict.","caption":"Insufficient Data"},"8":{"description":"The incident is a security risk.","caption":"Security Risk"},"9":{"description":"The incident remediation or required actions are managed externally.","caption":"Managed Externally"},"10":{"description":"The incident is a duplicate.","caption":"Duplicate"}},"description":"The normalized verdict of an Incident.","group":"primary","requirement":"recommended","caption":"Verdict ID","sibling":"verdict","type_name":"Integer"},"class_uid":{"type":"integer_t","enum":{"2005":{"description":"An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics. Incident Finding implicitly includes the incident profile and it should be added to the metadata.profiles[] array.","caption":"Incident Finding"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Reports closure of an Incident .","caption":"Close"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Reports the creation of an Incident.","caption":"Create"},"2":{"description":"Reports updates to an Incident.","caption":"Update"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the Incident activity.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"verdict":{"type":"string_t","description":"The verdict assigned to an Incident finding.","group":"primary","requirement":"recommended","caption":"Verdict","type_name":"String"},"finding_info_list":{"type":"object_t","description":"A list of finding_info objects associated to an incident.","group":"primary","is_array":true,"requirement":"required","object_type":"finding_info","caption":"Finding Information List","object_name":"Finding Information"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"2":{"description":"Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.","uid":2,"caption":"Findings"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"is_suspected_breach":{"type":"boolean_t","description":"A determination based on analytics as to whether a potential breach was found.","group":"context","requirement":"optional","caption":"Suspected Breach","type_name":"Boolean"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":null,"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The time of the least recent event included in the incident.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques associated to the Incident.","group":"context","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":null,"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"desc":{"type":"string_t","description":"The short description of the Incident.","group":"primary","requirement":"recommended","caption":"Description","type_name":"String"},"src_url":{"type":"url_t","description":"A Url link used to access the original incident.","group":"primary","requirement":"recommended","caption":"Source URL","type_name":"URL String"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"200500":{"caption":"Incident Finding: Unknown"},"200599":{"caption":"Incident Finding: Other"},"200501":{"description":"Reports the creation of an Incident.","caption":"Incident Finding: Create"},"200502":{"description":"Reports updates to an Incident.","caption":"Incident Finding: Update"},"200503":{"description":"Reports closure of an Incident .","caption":"Incident Finding: Close"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"tickets":{"type":"object_t","description":"The associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.","group":"context","is_array":true,"requirement":"optional","object_type":"ticket","caption":"Tickets","object_name":"Ticket"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The time of the most recent event included in the incident.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"assignee_group":{"type":"object_t","description":"The details of the group assigned to an Incident.","group":"context","requirement":"optional","object_type":"group","caption":"Assignee Group","object_name":"Group"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The Incident activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"ticket":{"type":"object_t","description":"The linked ticket in the ticketing system.","group":"context","requirement":"optional","object_type":"ticket","caption":"Ticket","@deprecated":{"message":"Use tickets instead.","since":"1.5.0"},"object_name":"Ticket"},"impact_id":{"type":"integer_t","enum":{"3":{"description":"The magnitude of harm is high.","caption":"High"},"0":{"description":"The normalized impact is unknown.","caption":"Unknown"},"1":{"description":"The magnitude of harm is low.","caption":"Low"},"2":{"description":"The magnitude of harm is moderate.","caption":"Medium"},"99":{"description":"The impact is not mapped. See the impact attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The magnitude of harm is high and the scope is widespread.","caption":"Critical"}},"description":"The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.","group":"primary","source":"impact value; impact level","references":[{"description":"NIST SP 800-172 from FIPS 199","url":"https://doi.org/10.6028/NIST.FIPS.199"},{"description":"NIST Computer Security Resource Center","url":"https://doi.org/10.6028/NIST.FIPS.199"}],"requirement":"recommended","caption":"Impact ID","sibling":"impact","type_name":"Integer"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Findings.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":null,"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"Additional user supplied details for updating or closing the incident.","group":"context","requirement":"optional","caption":"Comment","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The time of the most recent event included in the incident.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Incident Finding.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"impact":{"type":"string_t","description":"The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Impact","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The service desk has confirmed that the incident is resolved.","caption":"Resolved"},"5":{"description":"The incident is resolved and no further action is necessary.","caption":"Closed"}},"description":"The normalized status identifier of the Incident.","group":"primary","requirement":"required","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"assignee":{"type":"object_t","description":"The details of the user assigned to an Incident.","group":"context","requirement":"optional","object_type":"user","caption":"Assignee","object_name":"User"},"impact_score":{"type":"integer_t","description":"The impact as an integer value of the finding, valid range 0-100.","group":"primary","requirement":"recommended","caption":"Impact Score","type_name":"Integer"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The time of the least recent event included in the incident.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"incident_finding","description":"An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.Incident Finding implicitly includes the incident profile and it should be added to the metadata.profiles[] array.","uid":2005,"extends":"base_event","category":"findings","constraints":{"at_least_one":["assignee","assignee_group"]},"profiles":["cloud","container","data_classification","datetime","host","incident","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Findings","caption":"Incident Finding","category_uid":2},"device_config_state_change":{"attributes":{"state_id":{"type":"integer_t","enum":{"0":{"description":"The Config Change state is unknown.","caption":"Unknown"},"1":{"description":"Config State Changed to Disabled.","caption":"Disabled"},"2":{"description":"Config State Changed to Enabled.","caption":"Enabled"},"99":{"description":"The Config Change is not mapped. See the state attribute, which contains data source specific values.","caption":"Other"}},"description":"The Config Change State of the managed entity.","requirement":"recommended","caption":"Config Change State ID","sibling":"state","type_name":"Integer"},"security_level_id":{"type":"integer_t","enum":{"3":{"caption":"Compromised"},"0":{"caption":"Unknown"},"1":{"caption":"Secure"},"2":{"caption":"At Risk"},"99":{"description":"The security level is not mapped. See the security_level attribute, which contains data source specific values.","caption":"Other"}},"description":"The current security level of the entity","group":"primary","requirement":"recommended","caption":"Security Level ID","sibling":"security_level","type_name":"Integer"},"state":{"type":"string_t","description":"The Config Change Stat, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.","requirement":"optional","caption":"Config Change State","type_name":"String"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"prev_security_level":{"type":"string_t","description":"The previous security level of the entity","group":"primary","requirement":"recommended","caption":"Previous Security Level","type_name":"String"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5019":{"description":"Device Config State Change events report state changes that impact the security of the device.","caption":"Device Config State Change"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"prev_security_level_id":{"type":"integer_t","enum":{"3":{"caption":"Compromised"},"0":{"caption":"Unknown"},"1":{"caption":"Secure"},"2":{"caption":"At Risk"},"99":{"description":"The security level is not mapped. See the prev_security_level attribute, which contains data source specific values.","caption":"Other"}},"description":"The previous security level of the entity","group":"primary","requirement":"recommended","caption":"Previous Security Level ID","sibling":"prev_security_level","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"security_states":{"type":"object_t","description":"The current security states of the device.","group":"primary","is_array":true,"requirement":"recommended","object_type":"security_state","caption":"Security States","object_name":"Security State"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"prev_security_states":{"type":"object_t","description":"The previous security states of the device.","group":"primary","is_array":true,"requirement":"recommended","object_type":"security_state","caption":"Previous Security States","object_name":"Security State"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"security_level":{"type":"string_t","description":"The current security level of the entity","group":"primary","requirement":"recommended","caption":"Security Level","type_name":"String"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"The device that is impacted by the state change.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501900":{"caption":"Device Config State Change: Unknown"},"501999":{"caption":"Device Config State Change: Other"},"501901":{"description":"The discovered information is via a log.","caption":"Device Config State Change: Log"},"501902":{"description":"The discovered information is via a collection process.","caption":"Device Config State Change: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Device Config State Change.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"device_config_state_change","description":"Device Config State Change events report state changes that impact the security of the device.","uid":5019,"extends":"discovery","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Device Config State Change","category_uid":5},"software_info":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5020":{"description":"Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.","caption":"Software Inventory Info"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"sbom":{"type":"object_t","description":"The Software Bill of Materials (SBOM) of the device software that is being discovered by an inventory process.","group":"primary","requirement":"recommended","object_type":"sbom","caption":"Software Bill Of Materials","object_name":"Software Bill of Materials"},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"product":{"type":"object_t","description":"Additional product attributes that have been discovered or enriched from a catalog or other external source.","group":"context","requirement":"optional","object_type":"product","caption":"Product","object_name":"Product"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"The device that is being discovered by an inventory process.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"502000":{"caption":"Software Inventory Info: Unknown"},"502099":{"caption":"Software Inventory Info: Other"},"502001":{"description":"The discovered information is via a log.","caption":"Software Inventory Info: Log"},"502002":{"description":"The discovered information is via a collection process.","caption":"Software Inventory Info: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"package":{"type":"object_t","description":"The device software that is being discovered by an inventory process.","group":"primary","references":[{"description":"D3FEND™ Ontology d3f:SoftwarePackage.","url":"https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/"}],"requirement":"recommended","object_type":"package","caption":"Software Package","@deprecated":{"message":"Use the sbom attribute instead.","since":"1.4.0"},"object_name":"Software Package"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Software Inventory Info.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"software_info","description":"Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.","uid":5020,"extends":"discovery","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Software Inventory Info","category_uid":5},"file_remediation_activity":{"attributes":{"scan":{"type":"object_t","description":"The remediation scan that pertains to this event.","group":"context","requirement":"optional","object_type":"scan","caption":"Scan","object_name":"Scan"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"7002":{"description":"File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.","caption":"File Remediation Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Restore"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Isolate"},"2":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Evict"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Harden"},"5":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Detect"}},"description":"Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"7":{"description":"Remediation events report the results of remediation commands targeting files, processes, and other objects.","uid":7,"caption":"Remediation"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"700200":{"caption":"File Remediation Activity: Unknown"},"700299":{"caption":"File Remediation Activity: Other"},"700201":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"File Remediation Activity: Isolate"},"700202":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"File Remediation Activity: Evict"},"700203":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"File Remediation Activity: Restore"},"700204":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"File Remediation Activity: Harden"},"700205":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"File Remediation Activity: Detect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"command_uid":{"type":"string_t","description":"The unique identifier of the remediation command that pertains to this event.","group":"primary","requirement":"required","caption":"Command UID","type_name":"String"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Remediation.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"countermeasures":{"type":"object_t","description":"The MITRE D3FEND™ Matrix Countermeasures associated with a remediation.","group":"primary","is_array":true,"requirement":"recommended","object_type":"d3fend","caption":"Countermeasures","object_name":"MITRE D3FEND™"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: File Remediation Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The remediation was partially completed.","caption":"Partial"},"5":{"description":"The remediation was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"file":{"type":"object_t","description":"The file that pertains to the remediation event.","group":"primary","requirement":"required","object_type":"file","caption":"File","object_name":"File"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"file_remediation_activity","description":"File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.","uid":7002,"extends":"remediation_activity","category":"remediation","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Remediation","caption":"File Remediation Activity","category_uid":7},"kernel_extension_activity":{"attributes":{"driver":{"type":"object_t","description":"The driver that was loaded/unloaded into the kernel","group":"primary","requirement":"required","object_type":"kernel_driver","caption":"Kernel Driver","object_name":"Kernel Extension"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"1002":{"description":"Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel","caption":"Kernel Extension Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A driver/extension was loaded into the kernel","caption":"Load"},"2":{"description":"A driver/extension was unloaded (removed) from the kernel","caption":"Unload"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor process that loaded or unloaded the driver/extension.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"100200":{"caption":"Kernel Extension Activity: Unknown"},"100299":{"caption":"Kernel Extension Activity: Other"},"100201":{"description":"A driver/extension was loaded into the kernel","caption":"Kernel Extension Activity: Load"},"100202":{"description":"A driver/extension was unloaded (removed) from the kernel","caption":"Kernel Extension Activity: Unload"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Kernel Extension Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"kernel_extension_activity","description":"Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel","uid":1002,"extends":"system","category":"system","references":[{"description":"D3FEND™ Ontology d3f:KernelModuleEvent","url":"https://d3fend.mitre.org/event/d3f:KernelModuleEvent/"}],"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Kernel Extension Activity","category_uid":1},"network_activity":{"attributes":{"is_src_dst_assignment_known":{"type":"boolean_t","description":"true denotes that src_endpoint and dst_endpoint correctly identify the initiator and responder respectively. false denotes that the event source has arbitrarily assigned one peer to src_endpoint and the other to dst_endpoint, in other words that initiator and responder are not being asserted. This can occur, for example, when the event source is a network appliance that has not observed the initiation of a given connection. In the absence of this attribute, interpretation of the initiator and responder is implementation-specific.","group":"primary","requirement":"recommended","caption":"Source/Destination Assignment Known","type_name":"Boolean"},"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4001":{"description":"Network Activity events report network connection and traffic activity.","caption":"Network Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"The network connection was abnormally terminated or closed by a middle device like firewalls.","caption":"Reset"},"6":{"description":"Network traffic report.","caption":"Traffic"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"A new network connection was opened.","caption":"Open"},"2":{"description":"The network connection was closed.","caption":"Close"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The network connection failed. For example a connection timeout or no route to host.","caption":"Fail"},"5":{"description":"The network connection was refused. For example an attempt to connect to a server port which is not open.","caption":"Refuse"},"7":{"description":"A network endpoint began listening for new network connections.","caption":"Listen"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"url":{"type":"object_t","description":"The URL details relevant to the network traffic.","group":"primary","requirement":"recommended","object_type":"url","caption":"URL","object_name":"Uniform Resource Locator"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"400100":{"caption":"Network Activity: Unknown"},"400199":{"caption":"Network Activity: Other"},"400101":{"description":"A new network connection was opened.","caption":"Network Activity: Open"},"400102":{"description":"The network connection was closed.","caption":"Network Activity: Close"},"400103":{"description":"The network connection was abnormally terminated or closed by a middle device like firewalls.","caption":"Network Activity: Reset"},"400104":{"description":"The network connection failed. For example a connection timeout or no route to host.","caption":"Network Activity: Fail"},"400105":{"description":"The network connection was refused. For example an attempt to connect to a server port which is not open.","caption":"Network Activity: Refuse"},"400106":{"description":"Network traffic report.","caption":"Network Activity: Traffic"},"400107":{"description":"A network endpoint began listening for new network connections.","caption":"Network Activity: Listen"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":" The initiator of the network connection. In some contexts an event source cannot correctly identify the initiator. Refer to is_src_dst_assignment_known for certainty.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"primary","requirement":"recommended","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"primary","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder of the network connection. In some contexts an event source cannot correctly identify the responder. Refer to is_src_dst_assignment_known for certainty.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"network_activity","description":"Network Activity events report network connection and traffic activity.","uid":4001,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:NetworkConnectionEvent","url":"https://d3fend.mitre.org/event/d3f:NetworkConnectionEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"Network Activity","category_uid":4},"user_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5018":{"description":"User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.","caption":"User Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"user":{"type":"object_t","description":"The user that pertains to the event or object.","group":"primary","requirement":"required","object_type":"user","caption":"User","object_name":"User"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501800":{"caption":"User Query: Unknown"},"501899":{"caption":"User Query: Other"},"501801":{"description":"The discovered results are via a query request.","caption":"User Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: User Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"user_query","description":"User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.","uid":5018,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"User Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"dns_activity":{"attributes":{"app_protocol_name":{"type":"string_t","description":"The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., https, quic, ssh, dns), expressed as an IANA-registered service name from the IANA Service Name and Transport Protocol Port Number Registry.\n\nNote: Port numbers alone are not always a reliable indicator of the actual application protocol in use.
","group":"context","references":[{"description":"IANA Service Name and Transport Protocol Port Number Registry","url":"https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml"}],"requirement":"optional","caption":"Application Protocol Name","type_name":"String"},"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"observation_point_id":{"type":"integer_t","enum":{"3":{"description":"Neither the source nor destination network endpoint is the observation point. Refer to thenetwork_observation_point attribute for details.","caption":"Neither"},"0":{"description":"The observation point is unknown.","caption":"Unknown"},"1":{"description":"The source network endpoint is the observation point.","caption":"Source"},"2":{"description":"The destination network endpoint is the observation point.","caption":"Destination"},"99":{"description":"The observation point is not mapped. See the observation_point attribute for a data source specific value.","caption":"Other"},"4":{"description":"Both the source and destination network endpoint are the observation point. This typically occurs in localhost or internal communications where the source and destination are the same endpoint, often resulting in a connection_info.direction of Local.","caption":"Both"}},"description":"The normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.","requirement":"optional","caption":"Observation Point ID","sibling":"observation_point","type_name":"Integer"},"response_time_dt":{"type":"datetime_t","description":"The Domain Name System (DNS) response time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Response Time","type_name":"Datetime"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"proxy_http_request":{"type":"object_t","description":"The HTTP Request from the proxy server to the remote server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_request","caption":"Proxy HTTP Request","object_name":"HTTP Request"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"4003":{"description":"DNS Activity events report DNS queries and answers as seen on the network.","caption":"DNS Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"query_time_dt":{"type":"datetime_t","description":"The Domain Name System (DNS) query time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Query Time","type_name":"Datetime"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"query_time":{"type":"timestamp_t","description":"The Domain Name System (DNS) query time.","group":"occurrence","requirement":"recommended","caption":"Query Time","type_name":"Timestamp"},"activity_id":{"type":"integer_t","enum":{"6":{"description":"Bidirectional DNS request and response traffic.","caption":"Traffic"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The DNS query request.","caption":"Query"},"2":{"description":"The DNS query response.","caption":"Response"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"rcode_id":{"type":"integer_t","enum":{"3":{"description":"Non-Existent Domain.","caption":"NXDomain"},"6":{"description":"Name Exists when it should not.","caption":"YXDomain"},"0":{"description":"No Error.","caption":"NoError"},"1":{"description":"Format Error.","caption":"FormError"},"2":{"description":"Server Failure.","caption":"ServError"},"99":{"description":"The dns response code is not defined by the RFC.","caption":"Other"},"4":{"description":"Not Implemented.","caption":"NotImp"},"5":{"description":"Query Refused.","caption":"Refused"},"7":{"description":"RR Set Exists when it should not.","caption":"YXRRSet"},"8":{"description":"RR Set that should exist does not.","caption":"NXRRSet"},"9":{"description":"Not Authorized or Server Not Authoritative for zone.","caption":"NotAuth"},"10":{"description":"Name not contained in zone.","caption":"NotZone"},"11":{"description":"DSO-TYPE Not Implemented.","caption":"DSOTYPENI"},"16":{"description":"TSIG Signature Failure or Bad OPT Version.","caption":"BADSIG_VERS"},"17":{"description":"Key not recognized.","caption":"BADKEY"},"18":{"description":"Signature out of time window.","caption":"BADTIME"},"20":{"description":"Duplicate key name.","caption":"BADNAME"},"21":{"description":"Algorithm not supported.","caption":"BADALG"},"22":{"description":"Bad Truncation.","caption":"BADTRUNC"},"23":{"description":"Bad/missing Server Cookie.","caption":"BADCOOKIE"},"24":{"description":"The codes deemed to be unassigned by the RFC (unassigned codes: 12-15, 24-3840, 4096-65534).","caption":"Unassigned"},"25":{"description":"The codes deemed to be reserved by the RFC (codes: 3841-4095, 65535).","caption":"Reserved"},"19":{"description":"Bad TKEY Mode.","caption":"BADMODE"}},"description":"The normalized identifier of the DNS server response code. See RFC-6895.","group":"primary","requirement":"recommended","caption":"Response Code ID","sibling":"rcode","type_name":"Integer"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"4":{"description":"Network Activity events.","uid":4,"caption":"Network Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"load_balancer":{"type":"object_t","description":"The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.","group":"primary","requirement":"recommended","profiles":["load_balancer"],"object_type":"load_balancer","caption":"Load Balancer","object_name":"Load Balancer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"observation_point":{"type":"string_t","description":"Indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the observation_point_id.","requirement":"optional","caption":"Observation Point","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"answers":{"type":"object_t","description":"The Domain Name System (DNS) answers.","group":"primary","is_array":true,"requirement":"recommended","object_type":"dns_answer","caption":"DNS Answer","object_name":"DNS Answer"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"rcode":{"type":"string_t","description":"The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"recommended","caption":"Response Code","type_name":"String"},"network_observation_point":{"type":"object_t","description":"The network endpoint that observes or inspects network traffic as a third-party system, used when the observer is neither the source nor the destination of the communication (when observation_point_id = 3). Examples include network taps, span ports, inline security devices, or packet capture systems that monitor traffic between other endpoints.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Network Observation Point","object_name":"Network Endpoint"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"query":{"type":"object_t","description":"The Domain Name System (DNS) query.","group":"primary","requirement":"recommended","object_type":"dns_query","caption":"DNS Query","object_name":"DNS Query"},"type_uid":{"type":"long_t","enum":{"400300":{"caption":"DNS Activity: Unknown"},"400399":{"caption":"DNS Activity: Other"},"400301":{"description":"The DNS query request.","caption":"DNS Activity: Query"},"400302":{"description":"The DNS query response.","caption":"DNS Activity: Response"},"400306":{"description":"Bidirectional DNS request and response traffic.","caption":"DNS Activity: Traffic"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"proxy_traffic":{"type":"object_t","description":"The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_traffic","caption":"Proxy Traffic","object_name":"Network Traffic"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"ja4_fingerprint_list":{"type":"object_t","description":"A list of the JA4+ network fingerprints.","group":"context","is_array":true,"requirement":"optional","object_type":"ja4_fingerprint","caption":"JA4+ Fingerprints","object_name":"JA4+ Fingerprint"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The initiator (client) of the network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"proxy_connection_info":{"type":"object_t","description":"The connection information from the proxy server to the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"network_connection_info","caption":"Proxy Connection Info","object_name":"Network Connection Information"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"packet_list":{"type":"object_t","description":"The list of packet objects describing captured network packets.","group":"context","is_array":true,"requirement":"optional","object_type":"packet","caption":"Packets","object_name":"Packet"},"proxy_tls":{"type":"object_t","description":"The TLS protocol negotiated between the proxy server and the remote server.","group":"context","requirement":"recommended","profiles":["network_proxy"],"object_type":"tls","caption":"Proxy TLS","object_name":"Transport Layer Security (TLS)"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Network Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"response_time":{"type":"timestamp_t","description":"The Domain Name System (DNS) response time.","group":"occurrence","requirement":"recommended","caption":"Response Time","type_name":"Timestamp"},"traffic":{"type":"object_t","description":"The network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use cumulative_traffic instead.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"context","requirement":"optional","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"proxy_http_response":{"type":"object_t","description":"The HTTP Response from the remote server to the proxy server.","group":"context","requirement":"optional","profiles":["network_proxy"],"object_type":"http_response","caption":"Proxy HTTP Response","object_name":"HTTP Response"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: DNS Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The responder (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"cumulative_traffic":{"type":"object_t","description":"The cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both traffic for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Cumulative Traffic","object_name":"Network Traffic"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"proxy":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"primary","requirement":"recommended","object_type":"network_proxy","caption":"Proxy","@deprecated":{"message":"Use the proxy_endpoint attribute instead.","since":"1.1.0"},"object_name":"Network Proxy Endpoint"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"dns_activity","description":"DNS Activity events report DNS queries and answers as seen on the network.","uid":4003,"extends":"network","category":"network","constraints":{"at_least_one":["dst_endpoint","src_endpoint"]},"references":[{"description":"D3FEND™ Ontology d3f:DNSEvent","url":"https://d3fend.mitre.org/event/d3f:DNSEvent/"}],"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","load_balancer","macos/macos_users","network_proxy","osint","security_control"],"category_name":"Network Activity","caption":"DNS Activity","category_uid":4},"remediation_activity":{"attributes":{"scan":{"type":"object_t","description":"The remediation scan that pertains to this event.","group":"context","requirement":"optional","object_type":"scan","caption":"Scan","object_name":"Scan"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"7001":{"description":"Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.","caption":"Remediation Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Restore"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Isolate"},"2":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Evict"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Harden"},"5":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Detect"}},"description":"Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"7":{"description":"Remediation events report the results of remediation commands targeting files, processes, and other objects.","uid":7,"caption":"Remediation"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"700100":{"caption":"Remediation Activity: Unknown"},"700199":{"caption":"Remediation Activity: Other"},"700101":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Remediation Activity: Isolate"},"700102":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Remediation Activity: Evict"},"700103":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Remediation Activity: Restore"},"700104":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Remediation Activity: Harden"},"700105":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Remediation Activity: Detect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"command_uid":{"type":"string_t","description":"The unique identifier of the remediation command that pertains to this event.","group":"primary","requirement":"required","caption":"Command UID","type_name":"String"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Remediation.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"countermeasures":{"type":"object_t","description":"The MITRE D3FEND™ Matrix Countermeasures associated with a remediation.","group":"primary","is_array":true,"requirement":"recommended","object_type":"d3fend","caption":"Countermeasures","object_name":"MITRE D3FEND™"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Remediation Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The remediation was partially completed.","caption":"Partial"},"5":{"description":"The remediation was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"remediation_activity","description":"Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.","uid":7001,"extends":"base_event","category":"remediation","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Remediation","caption":"Remediation Activity","category_uid":7},"service_query":{"attributes":{"query_info":{"type":"object_t","description":"The search details associated with the query request.","group":"primary","requirement":"recommended","object_type":"query_info","caption":"Query Info","object_name":"Query Information"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"query_result":{"type":"string_t","description":"The result of the query.","group":"primary","requirement":"recommended","caption":"Query Result","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"5016":{"description":"Service Query events report information about running services.","caption":"Service Query"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered results are via a query request.","caption":"Query"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"query_result_id":{"type":"integer_t","enum":{"3":{"description":"The target was not found.","caption":"Does not exist"},"0":{"description":"The query result is unknown.","caption":"Unknown"},"1":{"description":"The target was found.","caption":"Exists"},"2":{"description":"The target was partially found.","caption":"Partial"},"99":{"description":"The query result is not mapped. See the query_result attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The discovery attempt failed.","caption":"Error"},"5":{"description":"Discovery of the target was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the query result.","group":"primary","requirement":"required","caption":"Query Result ID","sibling":"query_result","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"service":{"type":"object_t","description":"The service that pertains to the event.","group":"primary","requirement":"required","object_type":"service","caption":"Service","object_name":"Service"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"501600":{"caption":"Service Query: Unknown"},"501699":{"caption":"Service Query: Other"},"501601":{"description":"The discovered results are via a query request.","caption":"Service Query: Query"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Service Query.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"service_query","description":"Service Query events report information about running services.","uid":5016,"extends":"discovery_result","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Service Query","@deprecated":{"message":"Use theLive Evidence Info class.","since":"1.5.0"},"category_uid":5},"win/registry_value_activity":{"attributes":{"prev_reg_value":{"type":"object_t","description":"The registry value before the mutation","extension":"win","requirement":"optional","extension_id":2,"object_type":"win/reg_value","caption":"Previous Registry Value","object_name":"Registry Value"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"201002":{"description":"Registry Value Activity events reports when a process performs an action on a Windows registry value.","caption":"Registry Value Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"caption":"Modify"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"caption":"Get"},"2":{"caption":"Set"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Delete"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"reg_value":{"type":"object_t","description":"The registry value.","extension":"win","requirement":"required","extension_id":2,"object_type":"win/reg_value","caption":"Registry Value","object_name":"Registry Value"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"1":{"description":"System Activity events.","uid":1,"caption":"System Activity"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor that performed the activity on the reg_value object.","group":"primary","requirement":"required","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"20100200":{"caption":"Registry Value Activity: Unknown"},"20100299":{"caption":"Registry Value Activity: Other"},"20100201":{"caption":"Registry Value Activity: Get"},"20100202":{"caption":"Registry Value Activity: Set"},"20100203":{"caption":"Registry Value Activity: Modify"},"20100204":{"caption":"Registry Value Activity: Delete"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: System Activity.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Registry Value Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"registry_value_activity","description":"Registry Value Activity events reports when a process performs an action on a Windows registry value.","extension":"win","uid":201002,"extends":"system","category":"system","extension_id":2,"associations":{"device":["actor.user"],"actor.user":["device"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"System Activity","caption":"Registry Value Activity","category_uid":1},"process_remediation_activity":{"attributes":{"scan":{"type":"object_t","description":"The remediation scan that pertains to this event.","group":"context","requirement":"optional","object_type":"scan","caption":"Scan","object_name":"Scan"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"7003":{"description":"Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.","caption":"Process Remediation Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"3":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Restore"},"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Isolate"},"2":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Evict"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Harden"},"5":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Detect"}},"description":"Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"7":{"description":"Remediation events report the results of remediation commands targeting files, processes, and other objects.","uid":7,"caption":"Remediation"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"700300":{"caption":"Process Remediation Activity: Unknown"},"700399":{"caption":"Process Remediation Activity: Other"},"700301":{"description":"Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate.","caption":"Process Remediation Activity: Isolate"},"700302":{"description":"Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict.","caption":"Process Remediation Activity: Evict"},"700303":{"description":"Returns the system to a better state. Defined by D3FEND™ d3f:Restore.","caption":"Process Remediation Activity: Restore"},"700304":{"description":"Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden.","caption":"Process Remediation Activity: Harden"},"700305":{"description":"Further identify adversary access to or unauthorized activity on computer networks. Defined by D3FEND™ d3f:Detect.","caption":"Process Remediation Activity: Detect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"command_uid":{"type":"string_t","description":"The unique identifier of the remediation command that pertains to this event.","group":"primary","requirement":"required","caption":"Command UID","type_name":"String"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Remediation.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"process":{"type":"object_t","description":"The process that pertains to the remediation event.","group":"primary","requirement":"required","object_type":"process","caption":"Process","object_name":"Process"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"countermeasures":{"type":"object_t","description":"The MITRE D3FEND™ Matrix Countermeasures associated with a remediation.","group":"primary","is_array":true,"requirement":"recommended","object_type":"d3fend","caption":"Countermeasures","object_name":"MITRE D3FEND™"},"remediation":{"type":"object_t","description":"Describes the recommended remediation steps to address identified issue(s).","group":"context","requirement":"optional","object_type":"remediation","caption":"Remediation Guidance","object_name":"Remediation"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Process Remediation Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The remediation was partially completed.","caption":"Partial"},"5":{"description":"The remediation was not supported.","caption":"Unsupported"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"process_remediation_activity","description":"Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.","uid":7003,"extends":"remediation_activity","category":"remediation","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Remediation","caption":"Process Remediation Activity","category_uid":7},"config_state":{"attributes":{"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"assessments":{"type":"object_t","description":"A list of assessments associated with the device.","group":"context","is_array":true,"requirement":"optional","object_type":"assessment","caption":"Related Assessments","object_name":"Assessment"},"class_uid":{"type":"integer_t","enum":{"5002":{"description":"Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.","caption":"Device Config State"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"The discovered information is via a log.","caption":"Log"},"2":{"description":"The discovered information is via a collection process.","caption":"Collect"},"99":{"description":"The event activity is not mapped. See theactivity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"classification","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"5":{"description":"Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.","uid":5,"caption":"Discovery"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"The device that is being discovered by an inventory process.","group":"primary","requirement":"required","profiles":null,"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"context","requirement":"optional","profiles":null,"object_type":"actor","caption":"Actor","object_name":"Actor"},"cis_benchmark_result":{"type":"object_t","description":"The CIS Benchmark Result object captures results generated from benchmark evaluations as defined by the Center for Internet Security (CIS).","group":"primary","requirement":"recommended","object_type":"cis_benchmark_result","caption":"CIS Benchmark Result","@deprecated":{"message":"Use Compliance object with Check object instead.","since":"1.5.0"},"object_name":"CIS Benchmark Result"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"500200":{"caption":"Device Config State: Unknown"},"500299":{"caption":"Device Config State: Other"},"500201":{"description":"The discovered information is via a log.","caption":"Device Config State: Log"},"500202":{"description":"The discovered information is via a collection process.","caption":"Device Config State: Collect"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Discovery.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Device Config State.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the event status.","group":"primary","requirement":"recommended","caption":"Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"config_state","description":"Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.","uid":5002,"extends":"discovery","category":"discovery","profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Discovery","caption":"Device Config State","@deprecated":{"message":"UseCompliance Finding class.","since":"1.5.0"},"category_uid":5},"drone_flights_activity":{"attributes":{"proxy_endpoint":{"type":"object_t","description":"The proxy (server) in a network connection.","group":"context","requirement":"recommended","object_type":"network_proxy","caption":"Proxy Endpoint","object_name":"Network Proxy Endpoint"},"time":{"type":"timestamp_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"required","caption":"Event Time","type_name":"Timestamp"},"firewall_rule":{"type":"object_t","description":"The firewall rule that pertains to the control that triggered the event, if applicable.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"firewall_rule","caption":"Firewall Rule","object_name":"Firewall Rule"},"malware":{"type":"object_t","description":"A list of Malware objects, describing details about the identified malware.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"malware","caption":"Malware","object_name":"Malware"},"type_name":{"type":"string_t","description":"The event/finding type name, as defined by the type_uid.","group":"classification","requirement":"optional","caption":"Type Name","type_name":"String"},"class_uid":{"type":"integer_t","enum":{"8001":{"description":"Drone Flights Activity events report the activity of Unmanned Aerial Systems (UAS), their Operators, and mission-planning and authorization metadata as reported by the UAS platforms themselves, by Counter-UAS (CUAS) systems, or other remote monitoring or sensing infrastructure. Based on the Remote ID defined in Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a","caption":"Drone Flights Activity"}},"description":"The unique identifier of a class. A class describes the attributes available in an event.","group":"classification","requirement":"required","caption":"Class ID","sibling":"class_name","type_name":"Integer"},"cloud":{"type":"object_t","description":"Describes details about the Cloud environment where the event or finding was created.","group":"primary","requirement":"required","profiles":["cloud"],"object_type":"cloud","caption":"Cloud","object_name":"Cloud"},"activity_id":{"type":"integer_t","enum":{"0":{"description":"The event activity is unknown.","caption":"Unknown"},"1":{"description":"Remote ID information from an Unmanned System is being captured (collected).","caption":"Capture"},"2":{"description":"Unmanned System activity is being recorded.","caption":"Record"},"99":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized identifier of the activity that triggered the event.","group":"primary","requirement":"required","caption":"Activity ID","sibling":"activity_name","type_name":"Integer","suppress_checks":["sibling_convention"]},"raw_data_hash":{"type":"object_t","description":"The hash, which describes the content of the raw_data field.","group":"context","requirement":"optional","object_type":"fingerprint","caption":"Raw Data Hash","object_name":"Fingerprint"},"risk_details":{"type":"string_t","description":"Describes the risk associated with the finding.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Details","type_name":"String"},"malware_scan_info":{"type":"object_t","description":"Describes details about the scan job that identified malware on the target system.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"malware_scan_info","caption":"Malware Scan Info","object_name":"Malware Scan Info"},"auth_protocol":{"type":"string_t","description":"The authentication type as defined by the caption of auth_protocol_id. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","caption":"Authentication Type","type_name":"String"},"timezone_offset":{"type":"integer_t","description":"The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.","group":"occurrence","requirement":"recommended","caption":"Timezone Offset","type_name":"Integer"},"disposition_id":{"type":"integer_t","enum":{"3":{"description":"A suspicious file or other content was moved to a benign location.","caption":"Quarantined"},"6":{"description":"The request was detected as a threat and resulted in the connection being dropped.","caption":"Dropped"},"0":{"description":"The disposition is unknown.","caption":"Unknown"},"1":{"description":"Granted access or allowed the action to the protected resource.","caption":"Allowed"},"2":{"description":"Denied access or blocked the action to the protected resource.","caption":"Blocked"},"99":{"description":"The disposition is not mapped. See the disposition attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"A session was isolated on the network or within a browser.","caption":"Isolated"},"5":{"description":"A file or other content was deleted.","caption":"Deleted"},"7":{"description":"A custom action was executed such as running of a command script. Use the message attribute of the base class for details.","caption":"Custom Action"},"8":{"description":"A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'.","caption":"Approved"},"9":{"description":"A quarantined file or other content was restored to its original location.","caption":"Restored"},"10":{"description":"A suspicious or risky entity was deemed to no longer be suspicious (re-scored).","caption":"Exonerated"},"11":{"description":"A corrupt file or configuration was corrected.","caption":"Corrected"},"12":{"description":"A corrupt file or configuration was partially corrected.","caption":"Partially Corrected"},"14":{"description":"An operation was delayed, for example if a restart was required to finish the operation.","caption":"Delayed"},"15":{"description":"Suspicious activity or a policy violation was detected without further action.","caption":"Detected"},"16":{"description":"The outcome of an operation had no action taken.","caption":"No Action"},"17":{"description":"The operation or action was logged without further action.","caption":"Logged"},"18":{"description":"A file or other entity was marked with extended attributes.","caption":"Tagged"},"20":{"description":"Counted the request or activity but did not determine whether to allow it or block it.","caption":"Count"},"21":{"description":"The request was detected as a threat and resulted in the connection being reset.","caption":"Reset"},"22":{"description":"Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.","caption":"Captcha"},"23":{"description":"Ran a silent challenge that required the client session to verify that it's a browser, and not a bot.","caption":"Challenge"},"24":{"description":"The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class.","caption":"Access Revoked"},"25":{"description":"A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'.","caption":"Rejected"},"26":{"description":"An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail.","caption":"Unauthorized"},"27":{"description":"An error occurred during the processing of the activity or request. Use the message attribute of the base class for details.","caption":"Error"},"13":{"description":"A corrupt file or configuration was not corrected.","caption":"Uncorrected"},"19":{"description":"The request or activity was detected as a threat and resulted in a notification but request was not blocked.","caption":"Alert"}},"description":"Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Disposition ID","sibling":"disposition","type_name":"Integer"},"category_uid":{"type":"integer_t","enum":{"8":{"description":"Unmanned Systems events report the activity, existence, and/or state of unmanned systems for tracking, mission planning, and other related activities.","uid":8,"caption":"Unmanned Systems"}},"description":"The category unique identifier of the event.","group":"classification","requirement":"required","caption":"Category ID","sibling":"category_name","type_name":"Integer"},"metadata":{"type":"object_t","description":"The metadata associated with the event or a finding.","group":"context","requirement":"required","object_type":"metadata","caption":"Metadata","object_name":"Metadata"},"action_id":{"type":"integer_t","enum":{"3":{"description":"The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc.","caption":"Observed"},"0":{"description":"The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'.","caption":"Unknown"},"1":{"description":"The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc.","caption":"Allowed"},"2":{"description":"The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc.","caption":"Denied"},"99":{"description":"The action is not mapped. See the action attribute which contains a data source specific value.","caption":"Other"},"4":{"description":"The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'.","caption":"Modified"}},"description":"The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Action ID","sibling":"action","type_name":"Integer"},"confidence_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"description":"The normalized confidence is unknown.","caption":"Unknown"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.","caption":"Other"}},"description":"The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.","group":"context","requirement":"recommended","profiles":["security_control"],"caption":"Confidence ID","sibling":"confidence","type_name":"Integer"},"start_time":{"type":"timestamp_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"Start Time","type_name":"Timestamp"},"auth_protocol_id":{"type":"integer_t","enum":{"3":{"caption":"Operator ID Signature"},"6":{"caption":"Specific Authentication Method"},"0":{"description":"The authentication type is unknown.","caption":"Unknown"},"1":{"caption":"None"},"2":{"caption":"UAS ID Signature"},"99":{"description":"The authentication type is not mapped. See the auth_protocol attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Message Set Signature"},"5":{"caption":"Authentication Provided by Network Remote ID"},"7":{"caption":"Reserved"},"8":{"caption":"Private User"},"9":{"caption":"EAP"},"10":{"caption":"RADIUS"},"11":{"caption":"Basic Authentication"},"12":{"caption":"LDAP"}},"description":"The normalized identifier of the authentication type used to authorize a flight plan or mission.","group":"context","requirement":"optional","caption":"Authentication Type ID","sibling":"auth_protocol","type_name":"Integer"},"attacks":{"type":"object_t","description":"An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.","group":"primary","is_array":true,"references":[{"description":"MITRE ATT&CK®","url":"https://attack.mitre.org"},{"description":"MITRE ATLAS","url":"https://atlas.mitre.org/matrices/ATLAS"}],"requirement":"optional","profiles":["security_control"],"object_type":"attack","caption":"MITRE ATT&CK® and ATLAS™ Details","object_name":"MITRE ATT&CK® & ATLAS™"},"unmanned_system_operator":{"type":"object_t","description":"The human or machine operator of an Unmanned System.","group":"primary","requirement":"required","object_type":"user","caption":"Unmanned Systems Operator","object_name":"User"},"risk_level":{"type":"string_t","description":"The risk level, normalized to the caption of the risk_level_id value.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level","type_name":"String"},"device":{"type":"object_t","description":"An addressable device, computer system or host.","group":"primary","requirement":"recommended","profiles":["host"],"object_type":"device","caption":"Device","object_name":"Device"},"osint":{"type":"object_t","description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.","group":"primary","is_array":true,"requirement":"required","profiles":["osint"],"object_type":"osint","caption":"OSINT","object_name":"OSINT"},"tls":{"type":"object_t","description":"The Transport Layer Security (TLS) attributes.","group":"context","requirement":"optional","object_type":"tls","caption":"TLS","object_name":"Transport Layer Security (TLS)"},"actor":{"type":"object_t","description":"The actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.","group":"primary","requirement":"optional","profiles":["host"],"object_type":"actor","caption":"Actor","object_name":"Actor"},"disposition":{"type":"string_t","description":"The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Disposition","type_name":"String"},"type_uid":{"type":"long_t","enum":{"800100":{"caption":"Drone Flights Activity: Unknown"},"800199":{"description":"The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.","caption":"Drone Flights Activity: Other"},"800101":{"description":"Remote ID information from an Unmanned System is being captured (collected).","caption":"Drone Flights Activity: Capture"},"800102":{"description":"Unmanned System activity is being recorded.","caption":"Drone Flights Activity: Record"}},"description":"The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.","group":"classification","requirement":"required","caption":"Type ID","sibling":"type_name","type_name":"Long"},"risk_score":{"type":"integer_t","description":"The risk score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Score","type_name":"Integer"},"action":{"type":"string_t","description":"The normalized caption of action_id.","group":"primary","requirement":"optional","profiles":["security_control"],"caption":"Action","type_name":"String"},"unmapped":{"type":"object_t","description":"The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.","group":"context","requirement":"optional","object_type":"object","caption":"Unmapped Data","object_name":"Object"},"authorizations":{"type":"object_t","description":"Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.","group":"primary","is_array":true,"requirement":"optional","profiles":["security_control"],"object_type":"authorization","caption":"Authorization Information","object_name":"Authorization Result"},"confidence_score":{"type":"integer_t","description":"The confidence score as reported by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence Score","type_name":"Integer"},"unmanned_aerial_system":{"type":"object_t","description":"The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.","group":"primary","requirement":"required","object_type":"unmanned_aerial_system","caption":"Unmanned Aerial System","object_name":"Unmanned Aerial System"},"end_time_dt":{"type":"datetime_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"End Time","type_name":"Datetime"},"observables":{"type":"object_t","description":"The observables associated with the event or a finding.","group":"primary","is_array":true,"references":[{"description":"OCSF Observables FAQ","url":"https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md"}],"requirement":"recommended","object_type":"observable","caption":"Observables","object_name":"Observable"},"src_endpoint":{"type":"object_t","description":"The source network endpoint of the Unmanned Aerial System (UAS), Counter Unmanned Aerial System (CUAS) platform, or other unmanned systems monitoring and/or sensing infrastructure.","group":"context","requirement":"optional","object_type":"network_endpoint","caption":"Source Endpoint","object_name":"Network Endpoint"},"message":{"type":"string_t","description":"The description of the event/finding, as defined by the source.","group":"primary","requirement":"recommended","caption":"Message","type_name":"String"},"activity_name":{"type":"string_t","description":"The event activity name, as defined by the activity_id.","group":"classification","requirement":"optional","caption":"Activity","type_name":"String"},"is_alert":{"type":"boolean_t","description":"Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.","group":"primary","requirement":"recommended","profiles":["security_control"],"caption":"Alert","type_name":"Boolean"},"api":{"type":"object_t","description":"Describes details about a typical API (Application Programming Interface) call.","group":"context","requirement":"optional","profiles":["cloud"],"object_type":"api","caption":"API Details","object_name":"API"},"category_name":{"type":"string_t","description":"The event category name, as defined by category_uid value: Unmanned Systems.","group":"classification","requirement":"optional","caption":"Category","type_name":"String"},"policy":{"type":"object_t","description":"The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.","group":"primary","requirement":"optional","profiles":["security_control"],"object_type":"policy","caption":"Policy","object_name":"Policy"},"confidence":{"type":"string_t","description":"The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Confidence","type_name":"String"},"count":{"type":"integer_t","description":"The number of times that events in the same logical group occurred during the event Start Time to End Time period.","group":"occurrence","requirement":"optional","caption":"Count","type_name":"Integer"},"unmanned_system_operating_area":{"type":"object_t","description":"The UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.","group":"primary","requirement":"recommended","object_type":"unmanned_system_operating_area","caption":"UAS Operating Area","object_name":"Unmanned System Operating Area"},"traffic":{"type":"object_t","description":"Traffic refers to the amount of data transmitted from a Unmanned Aerial System (UAS) or Counter Unmanned Aerial System (UAS) (CUAS) system at a given point of time. Ex: bytes_in and bytes_out.","group":"context","requirement":"optional","object_type":"network_traffic","caption":"Traffic","object_name":"Network Traffic"},"risk_level_id":{"type":"integer_t","enum":{"3":{"caption":"High"},"0":{"caption":"Info"},"1":{"caption":"Low"},"2":{"caption":"Medium"},"99":{"description":"The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.","caption":"Other"},"4":{"caption":"Critical"}},"description":"The normalized risk level id.","group":"context","requirement":"optional","profiles":["security_control"],"caption":"Risk Level ID","sibling":"risk_level","type_name":"Integer","suppress_checks":["enum_convention"]},"comment":{"type":"string_t","description":"This optional, free-text field enables the operator to describe the purpose of a flight, if so desired.","group":"context","requirement":"optional","caption":"Operation Description","type_name":"String"},"end_time":{"type":"timestamp_t","description":"The end time of a time period, or the time of the most recent event included in the aggregate event.","group":"occurrence","requirement":"optional","caption":"End Time","type_name":"Timestamp"},"protocol_name":{"type":"string_t","description":"The networking protocol associated with the Remote ID device or beacon. E.g. BLE, LTE, 802.11.","group":"context","requirement":"optional","caption":"Remote ID Protocol","type_name":"String"},"connection_info":{"type":"object_t","description":"The network connection information.","group":"context","requirement":"recommended","object_type":"network_connection_info","caption":"Connection Info","object_name":"Network Connection Information"},"enrichments":{"type":"object_t","description":"The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]","group":"context","is_array":true,"requirement":"optional","object_type":"enrichment","caption":"Enrichments","object_name":"Enrichment"},"class_name":{"type":"string_t","description":"The event class name, as defined by class_uid value: Drone Flights Activity.","group":"classification","requirement":"optional","caption":"Class","type_name":"String"},"dst_endpoint":{"type":"object_t","description":"The destination network endpoint of the Unmanned Aerial System (UAS), Counter Unmanned Aerial System (CUAS) platform, or other unmanned systems monitoring and/or sensing infrastructure.","group":"context","requirement":"required","object_type":"network_endpoint","caption":"Destination Endpoint","object_name":"Network Endpoint"},"status_code":{"type":"string_t","description":"The event status code, as reported by the event source.status_id value. In the case of 'Other', it is defined by the source.","group":"context","requirement":"optional","caption":"Operational Status","type_name":"String"},"raw_data":{"type":"string_t","description":"The raw event/finding data as received from the source.","group":"context","requirement":"optional","caption":"Raw Data","type_name":"String"},"status_id":{"type":"integer_t","enum":{"3":{"description":"The Unmanned Aerial System (UAS) is airborne.","caption":"Airborne"},"6":{"description":"An ASTM Reserved status is reported.","caption":"Reserved"},"0":{"description":"The status is unknown.","caption":"Unknown"},"1":{"description":"The operational status is not reported.","caption":"Undeclared"},"2":{"description":"The Unmanned Aerial System (UAS) is grounded.","caption":"Ground"},"99":{"description":"The status is not mapped. See the status attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"The Unmanned Aerial System (UAS) is reporting an emergency status.","caption":"Emergency"},"5":{"description":"The Unmanned Aerial System (UAS) is reporting the Remote ID beacon or device is malfunctioning or has failed.","caption":"Remote ID System Failure"}},"description":"The normalized Operational status identifier for the Unmanned Aerial System (UAS).","group":"primary","requirement":"recommended","caption":"Operational Status ID","sibling":"status","type_name":"Integer"},"time_dt":{"type":"datetime_t","description":"The normalized event occurrence time or the finding creation time.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Event Time","type_name":"Datetime"},"status_detail":{"type":"string_t","description":"The status detail contains additional information about the event/finding outcome.","group":"primary","requirement":"recommended","caption":"Status Detail","type_name":"String"},"duration":{"type":"long_t","description":"The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.","group":"occurrence","requirement":"optional","caption":"Duration Milliseconds","type_name":"Long"},"classification":{"type":"string_t","description":"UA Classification - Allows a region to classify UAS in a regional specific manner. The format may differ from region to region.","group":"context","requirement":"optional","caption":"Classification Type","type_name":"String"},"severity":{"type":"string_t","description":"The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.","group":"classification","requirement":"optional","caption":"Severity","type_name":"String"},"start_time_dt":{"type":"datetime_t","description":"The start time of a time period, or the time of the least recent event included in the aggregate event.","group":"occurrence","requirement":"optional","profiles":["datetime"],"caption":"Start Time","type_name":"Datetime"},"severity_id":{"type":"integer_t","enum":{"3":{"description":"Action is required but the situation is not serious at this time.","caption":"Medium"},"6":{"description":"An error occurred but it is too late to take remedial action.","caption":"Fatal"},"0":{"description":"The event/finding severity is unknown.","caption":"Unknown"},"1":{"description":"Informational message. No action required.","caption":"Informational"},"2":{"description":"The user decides if action is needed.","caption":"Low"},"99":{"description":"The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.","caption":"Other"},"4":{"description":"Action is required immediately.","caption":"High"},"5":{"description":"Action is required immediately and the scope is broad.","caption":"Critical"}},"description":"The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.","group":"classification","requirement":"required","caption":"Severity ID","sibling":"severity","type_name":"Integer"}},"name":"drone_flights_activity","description":"Drone Flights Activity events report the activity of Unmanned Aerial Systems (UAS), their Operators, and mission-planning and authorization metadata as reported by the UAS platforms themselves, by Counter-UAS (CUAS) systems, or other remote monitoring or sensing infrastructure. Based on the Remote ID defined in Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a","uid":8001,"extends":"unmanned_systems","category":"unmanned_systems","constraints":{"at_least_one":["src_endpoint","unmanned_aerial_system","unmanned_system_operator","unmanned_system_operating_area"]},"profiles":["cloud","container","data_classification","datetime","host","linux/linux_users","macos/macos_users","osint","security_control"],"category_name":"Unmanned Systems","caption":"Drone Flights Activity","category_uid":8}},"profiles":{"trace":{"meta":"profile","name":"trace","description":"The Trace Profile extends the OCSF framework to capture and standardize observability events, specifically targeting trace-level data. This profile enables integration and normalization of distributed tracing information, allowing OCSF events to retain essential trace context such as trace IDs, span relationships, and service dependencies.","caption":"Trace","annotations":{"group":"primary"}},"host":{"meta":"profile","name":"host","description":"The attributes that identify host/device attributes.","caption":"Host","annotations":{"group":"primary"}},"datetime":{"meta":"profile","name":"datetime","description":"This profile defines date/time attributes as defined in RFC-3339. For example 1985-04-12T23:20:50.52Z.","caption":"Date/Time"},"cloud":{"meta":"profile","name":"cloud","description":"The attributes that describe information specific to Cloud services/applications.","caption":"Cloud"},"container":{"meta":"profile","name":"container","description":"The container context for a process.","caption":"Container"},"data_classification":{"meta":"profile","name":"data_classification","description":"The Data Classification profile adds attributes to specific resource objects, allowing users to describe information about classifiers & data classification results.","caption":"Data Classification"},"load_balancer":{"meta":"profile","name":"load_balancer","description":"The attributes that describe information specific to load balancers.","caption":"Load Balancer","annotations":{"group":"primary"}},"osint":{"meta":"profile","name":"osint","description":"The OSINT (Open Source Intelligence) profile contains one or more indicators and associated analysis and details, such as registrar (WHOIS) information and commentary about a hostname, or information about a digital certificate and its usage within a campaign. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers within the profile itself.","caption":"OSINT"},"network_proxy":{"meta":"profile","name":"network_proxy","description":"The attributes that identify network proxy attributes.","caption":"Network Proxy","annotations":{"group":"context"}},"security_control":{"meta":"profile","name":"security_control","description":"The attributes including disposition that represent the outcome of a security control including but not limited to access control, malware or policy violation, network proxy, intrusion detection, firewall, or data control. The profile is intended to augment activities or findings with an outcome when a security control has observed or intervened. If the control detected a security violation, and thedisposition_id or action_id is an alertable outcome or action, the is_alert flag may be set to true.","caption":"Security Control","annotations":{"group":"primary"}},"incident":{"meta":"profile","name":"incident","description":"The attributes that add incident handling semantics to a Finding.","caption":"Incident","annotations":{"group":"primary"}},"ai_operation":{"meta":"profile","name":"ai_operation","description":"AI-specific attributes for model operations, retrieval systems, and agent activities. e.g. model_name, total_token_counts etc.","caption":"AI Operation"},"linux/linux_users":{"meta":"profile","name":"linux_users","description":"The attributes that Linux uses to identify user information.","extension":"linux","extension_id":1,"caption":"Linux Users"},"macos/macos_users":{"meta":"profile","name":"macos_users","description":"The attributes that macOS uses to identify user information.","extension":"macos","extension_id":3,"caption":"macOS Users"}},"compile_version":1}
\ No newline at end of file
From ab9788d273edb06fd4f76b087d6b4361e47c4e43 Mon Sep 17 00:00:00 2001
From: santiago