Open Cybersecurity Schema Framework (OCSF) — LinkML Schema
Open Cybersecurity Schema Framework (OCSF) — LinkML schema. Generated from upstream OCSF JSON at version 1.9.0-dev. Each top-level concern is one module: types, dictionary (slots), enums, categories, objects, profiles, events, extensions.
URI: https://w3id.org/lmodel/ocsf
Name: ocsf
Classes
| Class | Description |
|---|---|
| AiOperationProfile | AI-specific attributes for model operations, retrieval systems, and agent |
| BaseEvent | The base event is a generic and concrete event |
| ApplicationEvent | |
| ApiActivity | API events describe general CRUD (Create, Read, Update, Delete) API activitie... |
| ApplicationError | Application Error events describe issues with an applications |
| ApplicationLifecycle | Application Lifecycle events report installation, removal, start, stop of an |
| DatastoreActivity | Datastore events describe general activities (Read, Update, Query, Delete, |
| FileHosting | File Hosting Activity events report the actions taken by file management |
| ScanActivity | Scan events report the start, completion, and results of a scan job |
| WebResourceAccessActivity | Web Resource Access Activity events describe successful/failed attempts to |
| WebResourcesActivity | Web Resources Activity events describe actions executed on a set of Web |
| DiscoveryEvent | The Discovery event is a generic event that defines a set of attributes |
| CloudResourcesInventoryInfo | Cloud Resources Inventory Info events report cloud asset inventory data |
| ConfigState | Device Config State events report device configuration data, device |
| DeviceConfigStateChange | Device Config State Change events report state changes that impact the securi... |
| InventoryInfo | Device Inventory Info events report device inventory data that is either logg... |
| OsintInventoryInfo | OSINT Inventory Info events report open source intelligence or threat |
| PatchState | Operating System Patch State reports the installation of an OS patch to a |
| SoftwareInfo | Software Inventory Info events report device software inventory data that is |
| UserInventory | User Inventory Info events report user inventory data that is either logged o... |
| DiscoveryResult | Discovery Result events report the results of a discovery request |
| AdminGroupQuery | Admin Group Query events report information about administrative groups |
| EvidenceInfo | Data collected directly from devices that represents forensic information |
| FileQuery | File Query events report information about files that are present on the |
| FolderQuery | Folder Query events report information about folders that are present on the |
| JobQuery | Job Query events report information about scheduled jobs |
| KernelObjectQuery | Kernel Object Query events report information about discovered kernel |
| ModuleQuery | Module Query events report information about loaded modules |
| NetworkConnectionQuery | Network Connection Query events report information about active network |
| NetworksQuery | Networks Query events report information about network adapters |
| PeripheralDeviceQuery | Peripheral Device Query events report information about peripheral devices |
| PrefetchQuery | Prefetch Query events report information about Windows prefetch files |
| ProcessQuery | Process Query events report information about running processes |
| RegistryKeyQuery | Registry Key Query events report information about discovered Windows registr... |
| RegistryValueQuery | Registry Value Query events report information about discovered Windows |
| ServiceQuery | Service Query events report information about running services |
| SessionQuery | User Session Query events report information about existing user sessions |
| StartupItemQuery | Startup Item Query events report information about discovered items, e |
| UserQuery | User Query events report user data that have been discovered, queried, polled |
| EmailActivity | Email Activity events report SMTP protocol and email activities including tho... |
| EmailFileActivity | Email File Activity events report files within emails |
| EmailUrlActivity | Email URL Activity events report URLs within an email |
| Finding | The Finding event is a generic event that defines a set of attributes availab... |
| ApplicationSecurityPostureFinding | The Application Security Posture Finding event is a notification about any bu... |
| ComplianceFinding | Compliance Finding events describe results of evaluations performed against |
| DataSecurityFinding | A Data Security Finding describes detections or alerts generated by various |
| DetectionFinding | A Detection Finding describes detections or alerts generated by security |
| IamAnalysisFinding | This finding represents an IAM analysis result, which evaluates IAM policies, |
| VulnerabilityFinding | The Vulnerability Finding event is a notification about weakness in an |
| IamEvent | The Identity & Access Management event is a generic event that defines a set ... |
| AccountChange | Account Change events report when specific user account management tasks are |
| Authentication | Authentication events report authentication session activities, including use... |
| AuthorizeSession | Authorize Session events report privileges or groups assigned to a new user |
| EntityManagement | Entity Management events report activity by a managed client, a micro service... |
| GroupManagement | Group Management events report management updates to a group, including updat... |
| UserAccess | User Access Management events report management updates to a user's privilege... |
| IncidentFinding | An Incident Finding reports the creation, update, or closure of security |
| NetworkEvent | Network event is a generic event that defines a set of attributes available i... |
| DhcpActivity | DHCP Activity events report MAC to IP assignment via DHCP from a client or |
| DnsActivity | DNS Activity events report DNS queries and answers as seen on the network |
| FtpActivity | File Transfer Protocol (FTP) Activity events report file transfers between a |
| HttpActivity | HTTP Activity events report HTTP connection and traffic information |
| NetworkActivity | Network Activity events report network connection and traffic activity |
| NetworkFileActivity | Network File Activity events report file activities traversing the network, |
| NtpActivity | The Network Time Protocol (NTP) Activity events report instances of remote |
| RdpActivity | Remote Desktop Protocol (RDP) Activity events report post-authentication remo... |
| SmbActivity | Server Message Block (SMB) Protocol Activity events report client/server |
| SshActivity | SSH Activity events report remote client connections to a server using the |
| TunnelActivity | Tunnel Activity events report secure tunnel establishment (such as VPN), |
| RemediationActivity | Remediation Activity events report on attempts at remediating a compromised |
| FileRemediationActivity | File Remediation Activity events report on attempts at remediating files |
| NetworkRemediationActivity | Network Remediation Activity events report on attempts at remediating compute... |
| ProcessRemediationActivity | Process Remediation Activity events report on attempts at remediating |
| SecurityFinding | Security Finding events describe findings, detections, anomalies, alerts and/... |
| SystemEvent | The System Activity event is a generic event that defines a set of attributes |
| EventLogActvity | Event Log Activity events report actions pertaining to the system's event |
| FileActivity | File System Activity events report when a process performs an action on a fil... |
| KernelActivity | Kernel Activity events report when a process creates, reads, or deletes a |
| KernelExtensionActivity | Kernel Extension events report when a driver/extension is loaded or unloaded |
| MemoryActivity | Memory Activity events report when a process has memory allocated, |
| ModuleActivity | Module Activity events report when an endpoint process acts on a |
| PeripheralActivity | Peripheral Activity events log a system's interactions with external, |
| ProcessActivity | Process Activity events report when a process launches, injects, opens or |
| RegistryKeyActivity | Registry Key Activity events report when a process performs an action on a |
| RegistryValueActivity | Registry Value Activity events report when a process performs an action on a |
| ScheduledJobActivity | Scheduled Job Activity events report activities related to scheduled jobs or |
| ScriptActivity | Script Activity events report when a process executes a script |
| WindowsResourceActivity | Windows Resource Activity events report when a process accesses a Windows |
| WindowsServiceActivity | Windows Service Activity events report when a process interacts with the |
| UnmannedSystemsEvent | The Unmanned Systems event is a generic event that defines a set of attribute... |
| AirborneBroadcastActivity | Airborne Broadcast Activity events report the activity of any aircraft or |
| DroneFlightsActivity | Drone Flights Activity events report the activity of Unmanned Aerial Systems |
| CloudProfile | The attributes that describe information specific to Cloud |
| ContainerProfile | The container context for a process |
| DataClassificationProfile | The Data Classification profile adds attributes to specific resource objects, |
| DatetimeProfile | This profile defines date/time attributes as defined in RFC-3339 |
| HostProfile | The attributes that identify host/device attributes |
| IncidentProfile | The attributes that add incident handling semantics to a Finding |
| LinuxUsersProfile | The attributes that Linux uses to identify user information |
| LoadBalancerProfile | The attributes that describe information specific to load balancers |
| MacosUsersProfile | The attributes that macOS uses to identify user information |
| NetworkProxyProfile | The attributes that identify network proxy attributes |
| OcsfObject | Abstract root for every OCSF object class |
| AnalysisTarget | The analysis target defines the scope of monitored activities, specifying wha... |
| AnomalyAnalysis | Describes the analysis of activity patterns and anomalies of target entities ... |
| Object | An unordered collection of attributes |
| AccessAnalysisResult | The Access Analysis Result object describes access relationships and pathways |
| Actor | The Actor object contains details about the user, role, application, service, |
| AdditionalRestriction | The Additional Restriction object describes supplementary access controls and |
| Advisory | The Advisory object represents publicly disclosed cybersecurity vulnerabiliti... |
| AffectedCode | The Affected Code object describes details about a code block identified as |
| Agent | An Agent (also known as a Sensor) is typically installed on an Operating Syst... |
| Anomaly | Describes an anomaly or deviation detected in a system |
| Api | The API, or Application Programming Interface, object represents information |
| ApplicationObject | An Application describes the details for an inventoried application as report... |
| Attack | The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique, |
| AuthFactor | An Authentication Factor object describes a category of methods used for |
| Authorization | The Authorization Result object provides details about the authorization |
| AutonomousSystem | An autonomous system (AS) is a collection of connected Internet Protocol (IP) |
| Baseline | Describes the baseline or expected behavior of a system, service, or componen... |
| Campaign | Campaigns represent organized efforts by threat actors to achieve malicious |
| Certificate | The Digital Certificate, also known as a Public Key Certificate, object |
| Check | The check object defines a specific, testable compliance verification point |
| CisBenchmark | The CIS Benchmark object describes best practices for securely configuring IT |
| CisBenchmarkResult | The CIS Benchmark Result object contains information as defined by the Center |
| CisControl | The CIS Control (aka Critical Security Control) object describes a prioritize... |
| CisCsc | The CIS Critical Security Control (CSC) contains information as defined by th... |
| ClassifierDetails | The Classifier Details object describes details about the classifier used for |
| Cloud | The Cloud object describes the cloud computing environment where an event or |
| Compliance | The Compliance object contains information about Industry and Regulatory |
| Container | The Container object describes an instance of a specific container |
| Cve | The Common Vulnerabilities and Exposures (CVE) object represents publicly |
| Cvss | The Common Vulnerability Scoring System (CVSS)... |
| Cwe | The CWE object represents a weakness in a software system that can be exploit... |
| D3fend | The MITRE D3FEND™ object describes the tactic & technique associated with a |
| DataClassification | The Data Classification object includes information about data classification |
| DataSecurity | The Data Security object describes the characteristics, techniques and conten... |
| DceRpc | The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, obje... |
| DeviceHwInfo | The Device Hardware Information object contains details and specifications of |
| DigitalSignature | The Digital Signature object contains information about the cryptographic |
| DiscoveryDetails | The Discovery Details object describes results of a discovery task/job |
| Display | The Display object contains information about the physical or virtual display |
| Dns | The Domain Name System (DNS) object represents the shared information |
| DnsAnswer | The DNS Answer object represents a specific response provided by the Domain |
| DnsQuery | The DNS query object represents a specific request made to the Domain Name |
| DomainContact | The contact information related to a domain registration, e |
| Email | The Email object describes the email metadata such as sender, recipients, and |
| EmailAuth | The Email Authentication object describes the Sender Policy Framework (SPF), |
| EncryptionDetails | Details about the encryption methodology utilized |
| EndpointConnection | The Endpoint Connection object contains information detailing a connection |
| Enrichment | The Enrichment object provides inline enrichment data for specific attributes |
| Entity | The Entity object is an unordered collection of attributes, with a name and |
| Account | The Account object contains details about the account that initiated or |
| AiModel | The AI Model object describes the characteristics of an AI/ML model |
| Aircraft | The Aircraft object represents any aircraft or otherwise airborne asset such ... |
| UnmannedAerialSystem | The Unmanned Aerial System object describes the characteristics, Position |
| Analytic | The Analytic object contains details about the analytic technique used to |
| Assessment | The Assessment object describes a point-in-time assessment, check, or |
| D3fTactic | The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is |
| D3fTechnique | The MITRE D3FEND™ Technique object describes the leaf defensive technique ID |
| Database | The database object is used for databases which are typically datastore |
| Edge | Represents a connection or relationship between two nodes in a graph |
| Endpoint | The Endpoint object describes a physical or virtual device that connects to a... |
| Device | The Device object represents an addressable computer system or host, which is |
| NetworkEndpoint | The Network Endpoint object describes characteristics of a network endpoint |
| NetworkProxy | The network proxy endpoint object describes a proxy server, which acts as an |
| Evidences | A collection of evidence artifacts associated to the activity/activities that |
| WindowsEvidences | Extends the evidences object to add Windows specific fields |
| Extension | The OCSF Schema Extension object provides detailed information about the sche... |
| Feature | The Feature object provides information about the software product feature th... |
| File | The File object represents the metadata associated with a file stored in a |
| Graph | A graph data structure representation with nodes and edges |
| Group | The Group object represents a collection or association of entities, such as |
| Idp | The Identity Provider object contains detailed information about a provider |
| Image | The Image object provides a description of a specific Virtual Machine (VM) or |
| LoadBalancer | The load balancer object describes the load balancer entity and contains |
| Logger | The Logger object represents the device and product where events are stored |
| Malware | The Malware object describes the classification of known malicious software, |
| ManagedEntity | The Managed Entity object describes the type and version of an entity, such a... |
| MessageContext | Communication context for AI system interactions including protocols, roles, |
| Mitigation | The MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID |
| NetworkInterface | The Network Interface object describes the type and associated attributes of ... |
| Organization | The Organization object describes characteristics of an organization or compa... |
| PeripheralDevice | The peripheral device object describes the properties of external, connectabl... |
| Policy | The Policy object describes the policies that are applicable |
| ProcessEntity | The Process Entity object provides critical fields for referencing a process |
| Process | The Process object describes a running instance of a launched program |
| LinuxProcess | Extends the process object to add Linux specific fields |
| MacosProcess | Extends the process object to add macOS specific fields |
| WindowsProcess | Extends the process object to add Windows specific fields |
| Product | The Product object describes characteristics of a software product |
| QueryInfo | The query info object holds information related to data access within a |
| Reporter | The entity from which an event or finding was reported |
| Resource | The Resource object contains attributes that provide information about a |
| Databucket | The databucket object is a basic container that holds data, typically organiz... |
| ResourceDetails | The Resource Details object describes details about resources that were |
| WebResource | The Web Resource object describes characteristics of a web resource that was |
| WinResource | The Windows resource object describes a resource object managed by Windows, |
| Rule | The Rule object describes characteristics of a rule associated with a policy ... |
| FirewallRule | The Firewall Rule object represents a specific rule within a firewall policy ... |
| Scan | The Scan object describes characteristics of a proactive scan |
| MalwareScanInfo | The malware scan information object describes characteristics, metadata of a |
| Service | The Service object describes characteristics of a service, e |
| WinService | The Windows Service object describes a Windows service |
| SubTechnique | The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ... |
| Table | The table object represents a table within a structured relational database o... |
| Tactic | The MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name |
| Technique | The MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/o... |
| Trait | Describes a characteristic or feature of an entity that was observed |
| TransformationInfo | The transformation_info object represents the mapping or transformation used |
| User | The User object describes the characteristics of a user/person or a security |
| EnvironmentVariable | An environment variable |
| Epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated |
| FindingInfo | The Finding Information object describes metadata related to a security findi... |
| FindingObject | The Finding object describes metadata related to a security finding generated |
| Fingerprint | The Fingerprint object provides detailed information about a fingerprint, whi... |
| FunctionInvocation | The Function Invocation object provides details regarding the invocation of a |
| GpuInfo | The GPU information object contains attributes describing graphical processin... |
| Hassh | The HASSH object contains SSH network fingerprinting values for specific |
| HttpCookie | The HTTP Cookie object, also known as a web cookie or browser cookie, contain... |
| HttpHeader | The HTTP Header object represents the headers sent in an HTTP request or |
| HttpRequest | The HTTP Request object represents the attributes of a request made to a web |
| HttpResponse | The HTTP Response object contains detailed information about the response sen... |
| IdentityActivityMetrics | The Identity Activity Metrics object captures usage patterns, authentication |
| Ja4Fingerprint | The JA4+ fingerprint object provides detailed fingerprint information about |
| Job | The Job object provides information about a scheduled job or task, including |
| KbArticle | The KB Article object contains metadata that describes the patch or update |
| Kernel | The Kernel Resource object provides information about a specific kernel |
| KernelDriver | The Kernel Extension object describes a kernel driver that has been loaded or |
| KeyboardInfo | The Keyboard Information object contains details and attributes related to a |
| KeyValueObject | A generic object allowing to define a {key:value} pair |
| KillChainPhase | The Kill Chain Phase object represents a single phase of a cyber attack, |
| LdapPerson | The additional LDAP attributes that describe a person |
| Location | The Geo Location object describes a geographical location, usually associated |
| UnmannedSystemOperatingArea | The Unmanned System Operating Area object describes details about a precise |
| LongString | This object is used to capture strings which may be truncated by a security |
| Metadata | The Metadata object describes the metadata associated with the event |
| Metric | The Metric object defines a simple name/value pair entity for a metric |
| Module | The Module object describes the attributes of a module |
| NetworkConnectionInfo | The Network Connection Information object describes characteristics of an OSI |
| NetworkTraffic | The Network Traffic object describes characteristics of network traffic over ... |
| Node | Represents a node or a vertex in a graph structure |
| Observable | The observable object is a pivot element that contains related information |
| Observation | A record of an observed value or event that captures the timing and frequency |
| OccurrenceDetails | Details about where in the target entity, specified information was discovere... |
| Os | The Operating System (OS) object describes characteristics of an OS, such as |
| Osint | The OSINT (Open Source Intelligence) object contains details related to an |
| Package | The Software Package object describes details about a software package |
| AffectedPackage | The Affected Package object describes details about a software package |
| Packet | The Packet object represents a single captured network packet and its |
| Parameter | The Parameter object provides details regarding a parameter of a function |
| PermissionAnalysisResult | The Permission Analysis object describes analysis results of permissions, |
| PortInfo | The Port Information object describes a port and its associated protocol |
| PrivilegeAttackInfo | The Privilege Attack Info object groups privileges by the potential attack th... |
| PrivilegeInfo | The Privilege Info object describes information about a specific privilege, |
| ProgrammaticCredential | The Programmatic Credential object describes service-specific credentials use... |
| RegKey | The registry key object describes a Windows registry key |
| RegValue | The registry value object describes a Windows registry value |
| RelatedEvent | The Related Event object describes an event or another finding related to a |
| Remediation | The Remediation object describes the recommended remediation steps to address |
| Reputation | The Reputation object describes the reputation/risk score of an entity (e |
| Request | The Request Elements object describes characteristics of an API request |
| Response | The Response Elements object describes characteristics of an API response |
| RpcInterface | The RPC Interface represents the remote procedure call interface used in the |
| San | The Subject Alternative name (SAN) object describes a SAN secured by a digita... |
| Sbom | The Software Bill of Materials object describes characteristics of a generate... |
| Scim | The System for Cross-domain Identity Management (SCIM) Configuration object |
| Script | The Script object describes a script or command that can be executed by a |
| SecurityState | The Security State object describes the security related state of a managed |
| ServicePrivilegeAnalysis | The Service Privilege Analysis object describes privilege analysis results fo... |
| Session | The Session object describes details about an authenticated session |
| SoftwareComponent | The Software Component object describes characteristics of a software compone... |
| Span | Represents a single unit of work or operation within a distributed trace |
| Sso | The Single Sign-On (SSO) object provides a structure for normalizing SSO |
| ThreatActor | A threat actor is responsible for the observed malicious activity |
| Ticket | The Ticket object represents a ticket in the customer's IT Service Management |
| Timespan | The Time Span object represents different time period durations |
| Tls | The Transport Layer Security (TLS) object describes the negotiated TLS protoc... |
| TlsExtension | The TLS Extension object describes additional attributes that extend the base |
| Token | The Token object is the base object for representing tokens, API keys, and |
| AuthenticationToken | The Authentication Token object extends the base token object an... |
| Trace | The trace object contains information about a distributed trace, which is |
| Url | The Uniform Resource Locator (URL) object describes the characteristics of a |
| VendorAttributes | The Vendor Attributes object can be used to represent values of attributes |
| Vulnerability | The vulnerability is an unintended characteristic of a computing component or |
| Whois | The resources of a WHOIS record for a given domain |
| QueryEvidence | The specific resulting evidence information that was queried or discovered |
| WindowsQueryEvidence | The resulting evidence information that was queried |
| StartupItem | The startup item object describes an application component that has associate... |
| WindowsStartupItem | The startup item object describes an application component that has associate... |
| OsintProfile | The OSINT (Open Source Intelligence) profile contains one or more indicators |
| SecurityControlProfile | The attributes including disposition that represent the outcome of a security |
| TraceProfile | The Trace Profile extends the OCSF framework to capture and standardize |
Slots
| Slot | Description |
|---|---|
| access_analysis_result | Describes access relationships and pathways between identities, resources, |
| access_level | The access level of an entity |
| access_list | The list of requested access rights |
| access_mask | The access mask in a platform-native format |
| access_result | The list of access check results |
| access_type | The type or category of access being granted to the identity |
| accessed_time | The time when the file was last accessed |
| accessor | The name of the user who last accessed the object |
| accessors | A list of users who have access to an entity |
| account | The account object describes details about the account that was the source or |
| account_switch_type | The account switch method, normalized to the caption of the |
| account_switch_type_id | The normalized identifier of the account switch method |
| ack_reason | An integer that provides a reason code or additional information about the |
| ack_result | An integer that denotes the acknowledgment result of the DCE/RPC call |
| action | The normalized caption of 'action_id' or the source specific action |
| action_id | The normalized action taken by a control or other policy-based system leading |
| activity_id | The normalized identifier of the activity that triggered the event |
| activity_name | The event activity name, as defined by the activity_id |
| actor | The actor object describes details about the user/role/process that was the |
| actual_permissions | The permissions that were granted in a platform-native format |
| additional_restrictions | The supplementary restrictions that may apply to an entity, by the virtue of ... |
| advisory | Detail about the security advisory, that is used to publicly disclose |
| aerial_height | Expressed as either height above takeoff location or height above ground leve... |
| affected_code | List of Affected Code objects that describe details about code blocks |
| affected_packages | List of software packages identified as affected by a |
| agent | An Agent (also known as a Sensor) is typically installed on an Operating Syst... |
| agent_list | A list of agent objects associated with a device, endpoint, or |
| ai_model | The AI Model object describes the characteristics of an AI/ML model |
| ai_provider | AI service provider or organization name |
| ai_role | The normalized caption of the ai_role_id |
| ai_role_id | The originator or target role of the message |
| aircraft | The Aircraft object represents any aircraft or otherwise airborne asset such ... |
| alert | The integer value of TLS alert if present |
| algorithm | The applicable algorithm, normalized to the caption of 'algorithm_id' |
| algorithm_id | The normalized identifier of the algorithm |
| all_privileges_unused | Indicates whether all privileges in a set, list, collection or group are |
| altitude_ceiling | Maximum altitude (WGS-84 HAE) for a group or an Intent-Based Network |
| altitude_floor | Minimum altitude (WGS-84 HAE) for a group or an Intent-Based Network |
| analysis_targets | The specific dimensions, components, or aspects of the system that are the |
| analytic | The analytic technique used to analyze and derive insights from the data or |
| analyzed_privileges_count | The total count of privileges that were analyzed |
| ancestry | An array of Process Entities describing the extended parentage of this proces... |
| anomalies | A list of detected anomalies or deviations from expected behavior patterns |
| anomaly_analyses | A list of anomaly analysis results that examine and characterize patterns of |
| answers | The Domain Name System (DNS) answers |
| api | Describes details about a typical API (Application Programming Interface) cal... |
| app | The application that reported the event |
| app_name | The name of the application associated with the event or object |
| app_protocol_name | The application protocol name |
| app_uid | The unique ID of the application associated with the event or object |
| application | An Application describes the details for an inventoried application as report... |
| applications | A list of application objects |
| architecture | Architecture is a shorthand name describing the type of computer hardware the |
| args | The arguments sent along with the HTTP request |
| assessment | The Assessment object describes a point-in-time assessment, check, or |
| assessments | A list of assessment objects |
| assignee | The details of the user assigned to an Incident |
| assignee_group | The details of the group assigned to an Incident |
| attack | The MITRE ATT&CK® object describing the tactic, technique, and sub-technique |
| attack_graph | An Attack Graph describes possible routes an attacker could take through an |
| attacks | An array of MITRE ATT&CK® objects describing identified tactics, techniques & |
| attempt | The delivery attempt |
| attributes | The bitmask value that represents the file attributes |
| auid | The audit user assigned at login by the audit subsystem |
| auth_factors | Describes a category of methods used for identity verification |
| auth_protocol | The authentication protocol as defined by the caption of |
| auth_protocol_id | The normalized identifier of the authentication protocol used to create the |
| auth_type | The agreed upon authentication type, normalized to the caption of |
| auth_type_id | The normalized identifier of the agreed upon authentication type |
| authentication_token | The authentication token, ticket, or assertion |
| author | The author(s) who published the software component |
| authorizations | Provides details about an authorization, such as authorization outcome, and a... |
| autonomous_system | The Autonomous System details associated with an IP address |
| autoscale_uid | The unique identifier of the cloud autoscale configuration |
| avg_timespan | The average time span of an activity |
| banner | The initial connection response that a messaging server receives after it |
| base_address | The memory address where the module was loaded |
| base_score | The base score as reported by the event source |
| baselines | A list of baseline measurements or normal behavior patterns used as reference |
| bios_date | The BIOS date |
| bios_manufacturer | The BIOS manufacturer |
| bios_ver | The BIOS version |
| body_length | The actual length of the HTTP response/request body, in number of bytes, |
| boot_time | The time when the system was booted |
| boot_uid | A unique identifier of the device that changes after every reboot |
| boundary | The boundary of the connection, normalized to the caption of 'boundary_id' |
| boundary_id | The normalized identifier of the boundary of the connection |
| build | The operating system build number |
| bulletin | The vendor bulletin identifier |
| bus_type | The attachment bus or interface standard, normalized to the caption of the |
| bus_type_id | The normalized identifier of the attachment bus or interface standard |
| bytes | The total number of bytes (in and out) |
| bytes_in | The number of bytes sent from the destination to the source |
| bytes_missed | Indicates the number of bytes missed, which is representative of packet loss |
| bytes_out | The number of bytes sent from the source to the destination |
| campaign | The campaign object describes details about the campaign that was the source ... |
| capabilities | A list of RDP capabilities |
| caption | A short description or caption of the device |
| categories | The Website categorization names, as defined by the category_ids enumeration |
| category | The object category, normalized to the caption of category_id |
| category_id | The normalized identifier of the object category |
| category_ids | The Website categorization identifiers |
| category_name | The event category name, as defined by category_uid value |
| category_uid | The category unique identifier of the event |
| cc | The machine-readable email header Cc values, as defined by RFC 5322 |
| cc_mailboxes | The human-readable email header Cc Mailbox values |
| cell_name | The name of the cell |
| certificate | The certificate object containing information about the digital certificate |
| certificate_chain | The Chain of Certificate Serial Numbers field provides a chain of Certificate |
| chassis | The chassis type describes the system enclosure or physical form factor |
| checks | A list of specific, individual compliance verification checks derived from |
| chunks | A unit of information within an SCTP packet, consisting of a chunk header and |
| chunks_in | A unit of information within an SCTP packet, consisting of a chunk header and |
| chunks_out | A unit of information within an SCTP packet, consisting of a chunk header and |
| cipher | The negotiated cipher suite |
| cis_benchmark | The CIS Benchmark describes best practices for securely configuring IT system... |
| cis_benchmark_result | The CIS Benchmark Result object captures results generated from benchmark |
| cis_controls | The CIS Critical Security Controls is a prioritized set of actions to protect |
| cis_csc | The CIS Critical Security Controls is a list of top 20 actions and practices ... |
| city | The name of the city |
| class_ | The class name of the object |
| class_name | The event class name, as defined by class_uid value |
| class_uid | The unique identifier of a class |
| classification | The classification as defined by the vendor |
| classification_ids | The list of normalized classification identifiers |
| classifications | The list of malware classifications, normalized to the captions of the |
| classifier_details | Describes details about the classifier used for data classification |
| client_ciphers | The client cipher suites that were exchanged during the TLS handshake |
| client_dialects | The list of SMB dialects that the client speaks |
| client_hassh | The Client HASSH fingerprinting object |
| cloud | Describes details about the Cloud environment where the event or finding was |
| cloud_partition | The logical grouping or isolated segment within a cloud provider's |
| cmd_line | The full command line used to launch an application, service, process, or job |
| code | The numeric response sent to a request |
| codes | The list of numeric responses sent to a request |
| color_depth | The numeric color depth |
| column_name | The name of the column |
| column_number | The number of the column |
| command | The command name |
| command_response | The response to the command |
| command_responses | The responses to the command |
| command_uid | The unique command identifier |
| comment | The user-provided comment |
| community_uid | The Community ID of the network connection |
| company_name | The name of the company that published the file |
| completion_tokens | Number of tokens in the model's response/completion for this message |
| compliance | The compliance object provides context to compliance findings |
| compliance_references | A list of reference KB articles that provide information to help organization... |
| compliance_standards | A list of established guidelines or criteria that define specific requirement... |
| component | The component of a data object |
| condition | The condition that was evaluated in a rule, policy |
| condition_keys | The list of condition keys and their values that were evaluated as part of a |
| confidence | The confidence, normalized to the caption of the confidence_id value |
| confidence_id | The normalized confidence refers to the accuracy of the rule that created the |
| confidence_score | The confidence score as reported by the event source |
| confidentiality | The file content confidentiality, normalized to the confidentiality_id value |
| confidentiality_id | The normalized identifier of the file content confidentiality indicator |
| connection_info | The network connection information |
| connection_uid | The network connection identifier |
| container | The information describing an instance of a container |
| containers | When working with containerized applications, the set of containers which wri... |
| content_type | The request header that identifies the original media type of the resource |
| continent | The name of the continent |
| control | A Control is prescriptive, prioritized, and simplified set of best practices |
| control_parameters | The list of control parameters evaluated in a Compliance check |
| coordinates | A two-element array, containing a longitude/latitude pair |
| cores | The number of processing cores or compute units for the component |
| correlation_uid | A unique identifier used to correlate events |
| cost_center | The cost center associated with the user |
| count | The number of times that events in the same logical group occurred during the |
| countermeasures | The MITRE D3FEND™ Matrix Countermeasures associated with a remediation |
| country | The ISO 3166-1 Alpha-2 country code |
| cpe_name | The Common Platform Enumeration (CPE) name |
| cpid | A unique process identifier that can be assigned deterministically by multipl... |
| cpu_architecture | The CPU architecture, normalized to the caption of the |
| cpu_architecture_id | The normalized identifier of the CPU architecture |
| cpu_bits | The cpu architecture, the number of bits used for addressing in memory |
| cpu_cores | The number of processor cores in all installed processors |
| cpu_count | The number of physical processors on a system |
| cpu_speed | The speed of the processor in MHz |
| cpu_type | The processor type |
| create_mask | The original Windows mask that is required to create the object |
| created_time | The time when the object was created |
| creator | The user that created the object associated with event |
| credential_uid | The unique identifier of the user's credential |
| criticality | Criticality of a resource/object in question |
| cumulative_traffic | The cumulative network traffic |
| customer_uid | The unique customer identifier |
| cve | The Common Vulnerabilities and Exposures (CVE) object |
| cves | List of Common Vulnerabilities and Exposures (CVE) objects |
| cvss | The CVSS object details Common Vulnerability Scoring System (CVSS) scores |
| cwe | The CWE object represents a weakness in a software system that can be exploit... |
| cwe_uid | The Common Weakness Enumeration (CWE) unique identifier |
| cwe_url | Common Weakness Enumeration (CWE) definition URL |
| d3f_tactic | The D3FEND Tactic object describes the defensive tactic name associated with ... |
| d3f_technique | The D3FEND Technique object describes the defensive technique ID and/or name |
| data | The additional data that is associated with the event or object |
| data_classification | The Data Classification object includes information about data classification |
| data_classifications | A list of Data Classification objects, that include information about data |
| data_lifecycle_state | The name of the stage or state that the data was in |
| data_lifecycle_state_id | The stage or state that the data was in when it was assessed or scanned by a |
| data_security | The Data Security object describes the characteristics, techniques and conten... |
| data_sources | A list of data sources utilized in generation of the finding |
| database | The database object is used for databases which are typically datastore |
| databucket | The data bucket object is a basic container that holds data, typically |
| dce_rpc | The DCE/RPC object describes the remote procedure call system for distributed |
| debug | Debug information about non-fatal issues with this OCSF event |
| decision | Decision/outcome of the authorization mechanism |
| delay | The total round-trip delay to the reference clock in milliseconds |
| deleted_time | The timestamp when the user was deleted |
| delivered_to | The machine-readable Delivered-To email header field |
| delivered_to_list | The machine-readable Delivered-To email header values |
| department | The name of the department or organizational unit where the entity is assigne... |
| dependency_chain | Information about the chain of dependencies related to the issue as reported ... |
| depth | The CVSS depth represents a depth of the equation used to calculate CVSS scor... |
| desc | The description that pertains to the object or event |
| desktop_display | The desktop display affiliated with the event |
| details | Details of an entity |
| detection_pattern | Specific pattern, algorithm, fingerprint, or model used for detection |
| detection_pattern_type | The detection pattern type, normalized to the caption of the |
| detection_pattern_type_id | Specifies the type of detection pattern used to identify the associated threa... |
| detection_system | The name of the type of data security tool or system that the finding, |
| detection_system_id | The type of data security tool or system that the finding, detection, or aler... |
| detection_uid | The associated unique detection event identifier |
| developer_uid | The developer ID on the certificate that signed the file |
| device | An addressable device, computer system or host |
| devices | The object describes details related to the list of devices |
| dialect | The negotiated protocol dialect |
| digest | The message digest attribute contains the fixed length message hash |
| direction | The direction of the initiated connection, traffic, or email, normalized to t... |
| direction_id | The normalized identifier of the direction of the initiated connection, |
| discovery_details | A collection of Discovery Details objects |
| dispersion | The dispersion in the NTP protocol is the estimated time error or uncertainty |
| display_name | The display name |
| disposition | The disposition name, normalized to the caption of the disposition_id value |
| disposition_id | Describes the outcome or action taken by a security control, such as access |
| dkim | The DomainKeys Identified Mail (DKIM) status of the email |
| dkim_domain | The DomainKeys Identified Mail (DKIM) signing domain of the email |
| dkim_signature | The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving |
| dmarc | The Domain-based Message Authentication, Reporting and Conformance (DMARC) |
| dmarc_override | The Domain-based Message Authentication, Reporting and Conformance (DMARC) |
| dmarc_policy | The Domain-based Message Authentication, Reporting and Conformance (DMARC) |
| dnssec_status | The normalized value of dnssec_status_id |
| dnssec_status_id | Describes the normalized status of DNS Security Extensions (DNSSEC) for a |
| domain | The name of the domain |
| domain_contact | The contact information related to a domain registration |
| domain_contacts | An array of Domain Contact objects |
| drive_type | The drive type, normalized to the caption of the drive_type_id |
| drive_type_id | Identifies the type of a disk drive |
| driver | The driver that was loaded/unloaded into the kernel |
| dst_endpoint | The network destination endpoint |
| duration | This represents the duration of the activity in milliseconds |
| duration_days | Represents the duration of the activity in days |
| duration_hours | Represents the duration of the activity in hours |
| duration_mins | Represents the duration of the activity in minutes |
| duration_months | Represents the duration of the activity in months |
| duration_secs | Represents the duration of the activity in seconds |
| duration_weeks | Represents the duration of the activity in weeks |
| duration_years | Represents the duration of the activity in years |
| edges | The list of edge objects that are part of the graph |
| edition | The operating system edition |
| egid | The effective group under which this process is running |
| eid | An Embedded Identity Document, is a unique serial number that identifies an |
| email | The email object |
| email_addr | The user's primary email address |
| email_addrs | A list of additional email addresses for the user |
| email_auth | The SPF, DKIM and DMARC attributes of an email |
| email_uid | The unique identifier of the email, used to correlate related email alert and |
| embedding_model | Model used for creating embeddings in AI retrieval systems |
| employee_uid | The employee identifier assigned to the user by the organization |
| encoding | The encoding method, normalized to the caption of the encoding_id value |
| encoding_id | The normalized identifier of the encoding method |
| encryption_details | The encryption details of a file or other content |
| end_column | The end column number |
| end_line | The line number of the last line of code block identified as vulnerable |
| end_offset | The ending offset |
| end_time | The end time of a time period |
| endpoint_connections | Contains information about network connection attempts |
| enrichments | The additional information from an external data source, which is associated |
| entity | The managed entity that is being acted upon |
| entity_result | The updated managed entity |
| environment_variables | An array of environment variables |
| epoch | The software package epoch |
| epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated |
| error | Error Code |
| error_message | Error Message |
| euid | The effective user under which this process is running |
| event_code | The Event ID, Code, or Name that the product uses to primarily |
| event_uid | The unique identifier of an event |
| evidence | The data the finding exposes to the analyst |
| evidences | A collection of evidence artifacts associated to the activity/activities that |
| execute_count | The execute count |
| exit_code | The exit code reported by a process when it terminates |
| expiration_reason | The expiration reason |
| expiration_time | The expiration time |
| exploit_last_seen_time | The time when the exploit was most recently observed |
| exploit_ref_url | The URL of the exploit code or Proof-of-Concept (PoC) |
| exploit_requirement | The requirement description related to any constraints around exploit |
| exploit_type | The categorization or type of Exploit |
| ext | The extension |
| extension | The schema extension used to create the event |
| extension_list | The list of TLS extensions |
| extensions | The schema extensions used to create the event |
| external_uid | A unique identifier assigned by an external system for cross-referencing |
| factor_type | The type of authentication factor used in an authentication attempt |
| factor_type_id | The normalized identifier for the authentication factor |
| feature | The feature that reported the event |
| file | The file that pertains to the event or object |
| file_diff | File content differences used for change detection |
| file_result | The result of the file change |
| files | The files that are part of the event or object |
| finding | The Finding object provides details about a finding/detection generated by a |
| finding_info | Describes the supporting information about a generated finding |
| finding_info_list | A list of finding_info objects associated to an incident |
| fingerprint | The digital fingerprint associated with an object |
| fingerprints | An array of digital fingerprint objects |
| firewall_rule | The firewall rule that triggered the event |
| first_seen_time | The initial detection time of the activity or object |
| fix_available | Indicates if a fix is available for the reported vulnerability |
| fix_coverage | The fix coverage, normalized to the caption of the fix_coverage_id value |
| fix_coverage_id | The normalized identifier for fix coverage |
| fixed_in_version | The software package version in which a reported vulnerability was |
| flag_history | The Connection Flag History summarizes events in a network connection |
| flag_ids | The list of normalized identifiers of the communication flag IDs |
| flags | The list of communication flags, normalized to the captions of the flag_ids |
| folder | The folder that pertains to the event |
| format | The format, normalized to the caption of the format_id value |
| format_id | The normalized identifier of the format |
| forward_addr | The user's forwarding email address |
| from_ | The machine-readable email header From value, as defined by RFC 5322 |
| from_list | The machine-readable email header From values |
| from_mailbox | The human-readable email header From Mailbox value |
| from_mailboxes | The human-readable email header From Mailbox values |
| full_name | The full name |
| function_invocation | Details of a function invocation |
| function_keys | The number of function keys on client keyboard |
| function_name | The function name |
| geodetic_altitude | The aircraft distance above or below the ellipsoid as measured along a line |
| geodetic_vertical_accuracy | Provides quality/containment on geodetic altitude |
| geohash | Geohash of the geo-coordinates (latitude and longitude) |
| given_name | The given or first name of the user |
| gpu_count | The number of GPUs on a system |
| gpu_info_list | An array of objects describing Graphical Processing Unit hardware |
| granted_privileges | The Privileges that were granted to the user via an IAM policy or otherwise |
| graph | A graph data structure representation with nodes and edges |
| group | The group object associated with an entity such as user, policy, or rule |
| group_name | The name of the group that the resource belongs to |
| groups | The groups to which an entity belongs |
| handshake_dur | The amount of total time for the TLS handshake to complete after the TCP |
| has_mfa | The user has a multi-factor or secondary-factor device assigned |
| hash | The hash attribute is the value of a digital fingerprint including informatio... |
| hashes | An array of hash attributes |
| hire_time | The timestamp when the user was or will be hired by the organization |
| horizontal_accuracy | Provides quality/containment on horizontal position |
| hosted_services | The Windows services that this process is hosting |
| hosting_process | The process that is hosting this service |
| hostname | The hostname of an endpoint or a device |
| http_cookies | The cookies object describes details about HTTP cookies |
| http_headers | Additional HTTP headers of an HTTP request or response |
| http_method | The HTTP request method indicates the desired action to be performed for a |
| http_only | A cookie attribute to make it inaccessible via JavaScript |
| http_request | The HTTP Request Object documents attributes of a request made to a web serve... |
| http_response | The HTTP Response from a web server to a requester |
| http_status | The Hypertext Transfer Protocol (HTTP) status code |
| hw_info | The endpoint hardware information |
| hypervisor | The name of the hypervisor running on the device |
| iccid | The Integrated Circuit Card Identification of a mobile device |
| identifier_cookie | The client identifier cookie during client/server exchange |
| identity_activity_metrics | Describes usage activity and other metrics of an Identity |
| idle_timeout | Duration (in minutes) of allowed inactivity before a timeout |
| idp | This object describes details about the Identity Provider used |
| image | The image used as a template to run a container or virtual machine |
| ime | The Input Method Editor (IME) file name |
| imei | The International Mobile Equipment Identity that is associated with the devic... |
| imei_list | The International Mobile Equipment Identity values that are associated with t... |
| impact | The impact, normalized to the caption of the impact_id value |
| impact_id | The normalized impact of the incident or finding |
| impact_score | The impact as an integer value of the finding, valid range 0-100 |
| imported_symbols | A list of symbols imported by the executable file |
| initiator | The initiator of an activity or operation |
| initiator_id | The normalized identifier of the initiator |
| injection_type | The process injection method, normalized to the caption of the |
| injection_type_id | The normalized identifier of the process injection method |
| install_state | The install state, normalized to the caption of install_state_id |
| install_state_id | The normalized state of the install |
| instance_uid | The unique identifier of a VM instance |
| integrity | The process integrity level, normalized to the caption of the integrity_id |
| integrity_id | The normalized identifier of the process integrity level (Windows only) |
| interface_name | The name of the network interface |
| interface_uid | The unique identifier of the network interface |
| intermediate_ips | The intermediate IP Addresses |
| internal_name | The name by which a resource identifies itself internally |
| intrusion_sets | A grouping of adversarial behaviors and resources believed to be associated |
| invoked_by | The name of the service that invoked the activity as described in the event |
| ip | The IP address, in either IPv4 or IPv6 format |
| is_alert | Indicates that the event is considered to be an alertable signal |
| is_applied | A determination if a policy, rule, or enforcement action was applied |
| is_backed_up | Indicates whether the device or resource has a backup enabled, such as an |
| is_cleartext | Indicates whether the credentials were passed in clear text |
| is_compliant | The event occurred on a compliant device |
| is_default | The indication of whether the value is from a default value name |
| is_deleted | Indicates if the entity was deleted |
| is_directed | Indicates if the entity has directionality |
| is_disabled | Indicates if the entity is disabled |
| is_encrypted | Indicates if the entity was encrypted |
| is_exploit_available | Indicates if an exploit or a PoC (proof-of-concept) is available for the |
| is_fix_available | Indicates if a fix is available for the reported vulnerability |
| is_group_provisioning_enabled | Indicates whether group provisioning is automated |
| is_hotp | Whether the authentication factor is an HMAC-based One-time Password (HOTP) |
| is_http_only | This attribute prevents the cookie from being accessed via JavaScript |
| is_locked | Indicates if the entity is locked |
| is_managed | The event occurred on a managed device |
| is_mfa | Indicates whether Multi Factor Authentication was used during authentication |
| is_mobile_account_active | Indicates whether the device has an active mobile account |
| is_new_logon | Indicates logon is from a device not seen before or a first time account logo... |
| is_on_premises | Indicates whether the location is on-premises |
| is_on_premises_sync_enabled | Indicates whether synchronization with an on-premises directory service is |
| is_personal | The event occurred on a personal device |
| is_public | Determination of the public accessibility |
| is_read | The indication of whether the email has been read |
| is_readonly | Indicates that an object cannot be modified |
| is_remote | The indication of whether the session is remote |
| is_renewable | The indication of whether something is renewable |
| is_renewal | The indication of whether the event or object represents a renewal |
| is_secure | The cookie attribute indicates that cookies are sent to the server only when |
| is_self_signed | Denotes whether a digital certificate is self-signed or signed by a known |
| is_shared | The event occurred on a shared device |
| is_src_dst_assignment_known | true denotes that src_endpoint and |
| is_superseded | The vendor patch has been replaced by another |
| is_supervised | The event occurred on a supervised device |
| is_suspected_breach | A determination based on analytics as to whether a potential breach was found |
| is_system | The indication of whether the object is part of the operating system |
| is_totp | Whether the authentication factor is a Time-based One-time Password (TOTP) |
| is_truncated | Indicates that an attribute has been truncated |
| is_trusted | The event occurred on a trusted device |
| is_unused | Indicates whether an item is unused |
| is_user_provisioning_enabled | Indicates whether user provisioning is automated |
| is_vpn | The indication of whether the session is a VPN session |
| isp | The name of the Internet Service Provider (ISP) |
| isp_org | The organization name of the Internet Service Provider (ISP) |
| issuer | The identifier of the issuer |
| ja3_hash | The MD5 hash of a JA3 string |
| ja3s_hash | The MD5 hash of a JA3S string |
| ja4_fingerprint_list | A list of the JA4+ network fingerprints |
| job | The job object that pertains to the event |
| job_title | The user's job title |
| json_path | The JSON path of the attribute |
| kb_article_list | A list of KB articles or patches related to an endpoint |
| kb_articles | The KB article/s related to the entity |
| kerberos_flags | A bitmask, either in hexadecimal or decimal form, which encodes various |
| kernel | The kernel resource object that pertains to the event |
| kernel_release | The kernel release of the operating system |
| key_length | The length of the encryption key |
| key_uid | The unique identifier of the key |
| keyboard_info | The keyboard detailed information |
| keyboard_layout | The keyboard locale identifier name |
| keyboard_subtype | The keyboard numeric code |
| keyboard_type | The keyboard type |
| kill_chain | The Cyber Kill Chain® object |
| labels | The list of labels attached to an entity |
| lang | The two letter lower case language codes, as defined by ISO 639-1 |
| last_authentication_time | The timestamp when this identity last successfully authenticated to any syste... |
| last_login_time | The last time when the user logged in |
| last_run_time | The last run time of application or service |
| last_seen_time | The most recent detection time of the activity or object |
| last_used_time | The most recent usage time of an entity |
| lat | The geographical Latitude coordinate represented in Decimal Degrees (DD) |
| latency | The HTTP response latency measured in milliseconds |
| launch_type | The specific type of Launch activity, normalized to the caption ... |
| launch_type_id | The normalized identifier for the specific type of Launch |
| ldap_cn | The LDAP and X.500 commonName attribute |
| ldap_dn | The X.500 Distinguished Name (DN) |
| ldap_person | The additional LDAP attributes that describe a person |
| lease_dur | This represents the length of the DHCP lease in seconds |
| leave_time | The timestamp when the user left or will be leaving the organization |
| length | The HTTP response length, in number of bytes |
| license | The name or identifier of the license applied on package or software |
| license_url | The URL pointing to the license applied on package or software |
| lineage | The lineage of the process, represented by a list of paths for each ancestor |
| load_balancer | The Load Balancer object contains information related to the device that is |
| load_order_group | The name of the load ordering group of which this service is a member |
| load_type | The load type, normalized to the caption of the load_type_id value |
| load_type_id | The normalized identifier of the load type |
| loaded_modules | The list of loaded module names |
| location | The detailed geographical location usually associated with an IP address |
| locations | A list of detailed geographical locations |
| log_format | The format of data in the log |
| log_level | The log specific level at which an event was generated |
| log_name | The log name |
| log_provider | The logging provider or logging service that logged the event |
| log_source | The log where the data originated |
| log_type | The log type, normalized to the caption of the log_type_id value |
| log_type_id | The normalized log type identifier |
| log_version | The log version |
| logged_time | The time when the logging system collected and logged the event |
| loggers | An array of Logger objects that describe the pipeline of devices and logging |
| login_endpoint | URL for initiating a login request |
| logon_process | The trusted process that validated the authentication credentials |
| logon_type | The logon type, normalized to the caption of the logon_type_id value |
| logon_type_id | The normalized logon type identifier |
| logout_endpoint | URL for initiating a logout request |
| long | The geographical Longitude coordinate represented in Decimal Degrees (DD) |
| mac | The Media Access Control (MAC) address that is associated with the network |
| mac_vendor | The vendor or manufacturer of the network interface controller (NIC) identifi... |
| malware | A list of Malware objects, describing details about the identified malware |
| malware_scan_info | Describes details about the scan job that identified malware on the target |
| manager | The user's manager |
| match_details | The data in a request that rule matched |
| match_location | The location of the matched data in the source which resulted in the triggere... |
| meets_criteria | Determines if an assessment, control, policy, or otherwise meets its assessme... |
| meid | The Mobile Equipment Identifier |
| message | The description of the event/finding, as defined by the source |
| message_context | Communication context for AI system interactions including protocols, roles, |
| message_trace_uid | The identifier that tracks a message that travels through multiple points of ... |
| message_uid | The email header Message-ID value, as defined by RFC 5322 |
| metadata | The metadata associated with the event or a finding |
| metadata_endpoint | URL where metadata about a configuration or resource is available (e |
| metrics | The general purpose metrics associated with the event |
| mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if |
| mitigation | The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID |
| model | The model name of an entity |
| modified_time | The time when the object was last modified |
| modifier | The user that last modified the object associated with the event |
| module | The module that pertains to the event |
| name | The name of the entity |
| name_servers | A collection of name servers related to a domain registration or other record |
| namespace | The namespace is useful in merger or acquisition situations |
| namespace_pid | If running under a process namespace (such as in a container), the process |
| network_driver | The network driver used by the container |
| network_endpoint | The Network Endpoint object describes characteristics of a network endpoint |
| network_interfaces | The physical or virtual network interfaces that are associated with the devic... |
| network_observation_point | The network endpoint that observes or inspects network traffic as a third-par... |
| network_scope | Indicates whether the endpoint resides inside the customer’s network, outside |
| network_scope_id | The normalized identifier of the endpoint’s network scope |
| next_run_time | The next run time |
| nist | The NIST Cybersecurity Framework recommendations for managing the cybersecuri... |
| nodes | The list of node objects that are part of the graph |
| num_detections | The number of detections |
| num_files | The number of files scanned |
| num_folders | The number of folders scanned |
| num_infected | The number of infected entities |
| num_network_items | The number of network items scanned |
| num_processes | The number of processes scanned |
| num_registry_items | The number of registry items scanned |
| num_resolutions | The number of items that were resolved |
| num_skipped_items | The number of skipped items |
| num_trusted_items | The number of trusted items |
| num_violations | The number of times the policy or rule was violated |
| num_volumes | The number of volumes in the storage device |
| number | The number of the entity |
| observables | The observables associated with the event or a finding |
| observation_parameter | The name of the parameter being analyzed or monitored |
| observation_point | The normalized observation point value |
| observation_point_id | The normalized identifier of the observation point |
| observation_type | The classification or category of the observation, indicating what kind of |
| observations | A list of individual observations or measurements collected during analysis |
| observed_pattern | A detected pattern or trend identified in the analyzed data, describing |
| occurrence_details | Details about where in the target entity the specified information was |
| occurrences | A list of occurrence_details objects, each describing where in t... |
| office_location | The primary office location associated with the user |
| opcode | The DNS opcode specifies the type of the query message |
| opcode_id | The DNS opcode ID specifies the normalized query message type as defined in <... |
| open_mask | The Windows options needed to open a registry key |
| open_ports | The list of open ports on a network interface, including port numbers and |
| open_type | The file open type |
| operation | Verb/Operation associated with the request |
| opnum | An operation number used to identify a specific remote procedure call (RPC) |
| orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift |
| org | Organization and org unit relevant to the event or object |
| original_event_uid | The unique identifier assigned to the event in its original logging system |
| original_time | The original event time as reported by the event source |
| os | The endpoint operating system |
| os_machine_uuid | The operating system assigned Machine ID |
| osint | The OSINT (Open Source Intelligence) object contains details related to an |
| ou_name | The name of the organizational unit, within an organization |
| ou_uid | The alternate identifier for an entity's unique identifier |
| overall_score | The overall score as reported by the event source |
| owner | The user that owns the file/object |
| package | The Software Package object describes details about a software package |
| package_manager | The software package manager utilized to manage a package on a system, e |
| package_manager_url | The URL of the package or library at the package manager, or the specific URL |
| packages | List of vulnerable packages as identified by the security product |
| packet | The packet object describes a single captured network packet and its associat... |
| packet_list | The list of packet objects describing captured network packets |
| packet_uid | The packet identifier assigned by the protocol |
| packets | The total number of packets (in and out) |
| packets_in | The number of packets sent from the destination to the source |
| packets_out | The number of packets sent from the source to the destination |
| page_number | The page number of the document |
| parameters | The parameters passed into a function invocation |
| parent_folder | The parent folder in which the file resides |
| parent_process | The parent process of this process object |
| parent_uid | The unique identifier of an object's parent object |
| password_last_used_time | The time when a user's password was last used |
| path | The path that pertains to the event or object |
| pattern_match | A text, binary, file name, or datastore that matched against a detection rule |
| percentile | The EPSS score's percentile representing relative importance and ranking of t... |
| peripheral_device | The peripheral device that triggered the event |
| permission | The IAM permission related to an event |
| permission_analysis_results | Describes analysis results of permissions, policies directly associated with ... |
| phase | The cyber kill chain phase |
| phase_id | The cyber kill chain phase identifier |
| phone_number | The number associated with the phone |
| phones | The phone numbers associated with the user |
| physical_height | The numeric physical height of display |
| physical_orientation | The numeric physical orientation of display |
| physical_width | The numeric physical width of display |
| pid | The process identifier, as reported by the operating system |
| pod_uuid | The unique identifier of the pod (or equivalent) that the container is |
| policies | An array of Policy objects |
| policy | Describes details of a policy |
| pool | An unordered collection of resources |
| port | The TCP/UDP port number associated with a connection |
| post_value | The value after |
| postal_code | The postal code of the location |
| pre_value | The value before |
| precision | The numeric precision |
| pressure_altitude | The uncorrected barometric pressure altitude (based on reference standard 29 |
| prev_reg_key | The registry key before the mutation |
| prev_reg_value | The registry value before the mutation |
| prev_security_level | The previous security level of the entity |
| prev_security_level_id | The previous security level of the entity |
| prev_security_states | The previous security states |
| priority | The priority, normalized to the caption of the priority_id value |
| priority_id | The normalized priority |
| privilege_attack_info | Information about privileges grouped by the potential attack they could enabl... |
| privilege_attack_info_list | A list of privilege-to-attack mappings |
| privilege_info | Information about a specific privilege, action, or permission |
| privilege_info_list | A list of privilege information objects, where each element describes a |
| privileges | The user or group privileges |
| process | The process object |
| processed_time | The event processed time, such as an ETL operation |
| product | The product that reported the event |
| product_uid | Unique Identifier of a product |
| profiles | The list of profiles used to create the event |
| programmatic_credentials | Details about the programmatic credential (API key, service account key, acce... |
| project_uid | The unique identifier of a Cloud project |
| prompt_tokens | Number of tokens in the input prompt for this message |
| protocol_name | The protocol name |
| protocol_num | The IP protocol number, as defined by the Internet Assigned Numbers Authority |
| protocol_ver | The Protocol version, normalized to the caption of the protocol_ver_id value |
| protocol_ver_id | The normalized identifier of the Protocol version |
| provider | The origin of information associated with the event |
| proxy | The proxy (server) in a network connection |
| proxy_connection_info | The connection information from the proxy server to the remote server |
| proxy_endpoint | The proxy (server) in a network connection |
| proxy_http_request | The HTTP Request from the proxy server to the remote server |
| proxy_http_response | The HTTP Response from the remote server to the proxy server |
| proxy_tls | The TLS protocol negotiated between the proxy server and the remote server |
| proxy_traffic | The network traffic refers to the amount of data moving across a network, fro... |
| ptid | The identifier of the process thread associated with the event, as returned b... |
| purl | A purl is a URL string used to identify and locate a software package in a |
| query | The Domain Name System (DNS) query |
| query_evidence | The resulting evidence discovered from the evidence search request |
| query_info | The query info object holds information related to data access within a |
| query_language | The query language, normalized to the caption of the |
| query_language_id | The normalized identifier of the query language |
| query_result | The result of the query |
| query_result_id | The normalized identifier of the query result |
| query_string | The query portion of the URL |
| query_time | The Domain Name System (DNS) query time |
| query_type | The normalized caption of query_type_id or the source-specific query type |
| query_type_id | The normalized type of system query performed against a device or system |
| radius | Farthest horizontal distance from the reported location at which any UA in a |
| ram_size | The total amount of installed RAM, in Megabytes |
| rate_limit | The rate limit for a rate-based rule |
| raw_data | The raw event/finding data as received from the source |
| raw_data_hash | The hash, which describes the content of the raw_data field |
| raw_data_size | The size of the raw data which was transformed into an OCSF event, in bytes |
| raw_header | The email authentication header |
| rcode | The server response code, normalized to the caption of the rcode_id value |
| rcode_id | The normalized identifier of the server response code |
| rdata | The data describing the DNS resource |
| read_count | The read count |
| record_index_in_array | The index of the record in the array of records |
| references | A list of reference URLs supporting the finding/detection |
| referrer | The request header that identifies the address of the previous web page, whic... |
| reg_binary_data | The data of the registry value when type_id is |
| reg_integer_data | The data of the registry value when type_id is |
| reg_key | The registry key |
| reg_string_data | The data of the registry value when type_id is |
| reg_string_list_data | The data of the registry value when type_id is |
| reg_value | The registry value |
| region | The name or the code of a region |
| registrar | The domain registrar |
| related_analytics | Describes analytics related to the analytic of a finding or detection as |
| related_component | The package URL (PURL) of the component that this software component has a |
| related_cves | Describes Common Vulnerabilities and Exposures |
| related_cwes | Describes Common Weakness Enumeration |
| related_events | Describes events and/or other findings related to the finding as identified b... |
| related_events_count | Number of related events or findings |
| related_vulnerabilities | List of vulnerability IDs (e |
| relation | The relationship between two entities |
| relationship | The relationship between two software components, normalized to the caption o... |
| relationship_id | The normalized identifier of the relationship between two software components |
| relay | The network relay that is associated with the event |
| release | Release is the number of times a version of the software has been packaged |
| remediation | Describes the recommended remediation steps to address identified issue(s) |
| remote_display | The remote display affiliated with the event |
| reply_to | The machine-readable email header Reply-To value, as defined by RFC 5322 |
| reply_to_list | The machine-readable email header Reply-To values, as defined by RFC 5322 |
| reply_to_mailboxes | The human-readable email header Reply To Mailbox values |
| reporter | The entity from which an event or finding was first reported |
| reputation | Contains the original and normalized reputation scores |
| request | General Purpose API Request Object |
| requested_permissions | The permissions mask |
| requirements | A list of requirements associated to a specific control in an industry or |
| resource | The target resource |
| resource_relationship | Describes entities related to the resource, using a graph structure |
| resource_type | The resource type as defined by the event source |
| resources | Describes details about resources that were affected by the activity/event |
| resources_result | Updated resources after an activity/event |
| response | General Purpose API Response Object |
| response_time | The Domain Name System (DNS) response time |
| return_path | The address found in the 'Return-Path' header, which indicates where bounce |
| return_value | The value returned from a function |
| risk_details | Describes the risk associated with the finding |
| risk_level | The risk level, normalized to the caption of the risk_level_id value |
| risk_level_id | The normalized risk level id |
| risk_score | The risk score as reported by the event source |
| role | The role of an entity in the context of the event or finding, normalized to t... |
| role_id | The normalized identifier of an entity's role in the context of the event or |
| row_number | The row number |
| rpc_interface | The RPC Interface object describes the details pertaining to the remote |
| rssi | Received Signal Strength Indicator (RSSI) is a measurement of the power of a |
| rule | The rules that reported the events |
| run_count | The prefetch file run count |
| run_mode_ids | The list of normalized identifiers that describe application attributes when ... |
| run_modes | The list of run_modes, normalized to the captions of the run_mode_ids values |
| run_state | The state of the job or service, normalized to the caption of the run_state_i... |
| run_state_id | The normalized identifier of the state of the job or service |
| runtime | The backend running the container, such as containerd or cri-o |
| samesite | The cookie attribute that lets servers specify whether/when cookies are sent |
| sandbox | The name of the containment jail (i |
| sans | The list of subject alternative names that are secured by a specific |
| sbom | The Software Bill of Materials (SBOM) object describes the characteristics of... |
| scale_factor | The numeric scale factor of display |
| scan | The Scan object describes characteristics of a scan |
| schedule_uid | The unique identifier of the schedule associated with a scan job |
| scheme | The scheme portion of the URL |
| scim | The System for Cross-domain Identity Management (SCIM) resource object provid... |
| scim_group_schema | SCIM provides a schema for representing groups, identified using the followin... |
| scim_user_schema | SCIM provides a resource type for user resources |
| scopes | Scopes define the specific permissions or actions that the client is allowed ... |
| score | The reputation score, normalized to the caption of the score_id value |
| score_id | The normalized reputation score identifier |
| script | The script object |
| script_content | The script content, normalized to UTF-8 encoding irrespective of its original |
| section_a | The 'a' section of the JA4 fingerprint |
| section_b | The 'b' section of the JA4 fingerprint |
| section_c | The 'c' section of the JA4 fingerprint |
| section_d | The 'd' section of the JA4 fingerprint |
| secure | The cookie attribute to only send cookies to the server with an encrypted |
| security_descriptor | The object security descriptor |
| security_level | The current security level of the entity |
| security_level_id | The current security level of the entity |
| security_questions | The question(s) provided to user for a question-based authentication factor |
| security_states | The current security states |
| sender | The machine readable email address of the system or server that actually |
| sender_mailbox | The human readable email address of the system or server that actually |
| sensitivity | The sensitivity of the firewall rule in the matched event |
| sequence | Sequence number of the event |
| sequence_number | The sequence number |
| serial_number | The serial number that pertains to the object |
| server_ciphers | The server cipher suites that were exchanged during the TLS handshake |
| server_hassh | The Server HASSH fingerprinting object |
| service | The service that pertains to the event |
| service_category | The service category, normalized to the caption of the service_category_id |
| service_category_id | The normalized identifier of the service category |
| service_dependencies | The names of other services upon which this service has a dependency |
| service_dll_file | For a shared user mode service (service_type_id is 4) this is th... |
| service_error_control | The service error control, normalized to the caption of the |
| service_error_control_id | The normalized identifier of the service error control |
| service_file | For a user mode service (service_type_id 3 or 4) this is the |
| service_privilege_analysis | Privilege analysis results for a single cloud service or resource namespace |
| service_privilege_analysis_list | A list of privilege analysis results grouped by cloud service or namespace |
| service_start_name | For a user mode service, this attribute represents the name of the account |
| service_start_type | The service start type, normalized to the caption of the |
| service_start_type_id | The normalized identifier of the service start type |
| service_type | The service type, normalized to the caption of the service_type_id value |
| service_type_id | The normalized identifier of the service type |
| session | The authenticated user or service session |
| severity | The event/finding severity, normalized to the caption of the |
| severity_id | The normalized identifier of the event/finding severity |
| share | The share name |
| share_type | The share type, normalized to the caption of the share_type_id value |
| share_type_id | The normalized identifier of the share type |
| short_desc | The short description that pertains to the object or event |
| signature | The digital signature of the file |
| signatures | A collection of Digital Signature objects |
| size | The size of data, in bytes |
| smtp_from | The value of the SMTP MAIL FROM command |
| smtp_hello | The value of the SMTP HELO or EHLO command |
| smtp_to | The value of the SMTP envelope RCPT TO command |
| sni | The Server Name Indication (SNI) extension sent by the client |
| software_components | The list of software components used in the software package |
| source | The source, when used with source_id, is normalized to the caption of the |
| source_id | The normalized identifier of the source |
| sp_name | The name of the latest Service Pack |
| sp_ver | The version number of the latest Service Pack |
| span | The information about the span |
| speed | Ground speed of flight |
| speed_accuracy | Provides quality/containment on horizontal ground speed |
| spf | The Sender Policy Framework (SPF) status of the email |
| src_endpoint | The network source endpoint |
| src_url | The URL pointing towards the source of an entity |
| sso | The Single Sign-On (SSO) object provides a structure for normalizing SSO |
| standards | Compliance standards are a set of criteria organizations can follow to protec... |
| start_address | The start address of the execution |
| start_column | The start column number |
| start_line | The line number of the first line of code block identified as vulnerable |
| start_offset | The starting offset |
| start_time | The start time of a time period |
| start_type | The start type of a service, driver, or application |
| start_type_id | The start type ID of a service or application |
| startup_item | The startup item object describes an application component that has associate... |
| state | The state of the event or object, normalized to the caption of the state_id |
| state_id | The normalized state ID of the event or object |
| status | The event status, normalized to the caption of the status_id value |
| status_code | The event status code, as reported by the event source |
| status_detail | The status detail contains additional information about the event/finding |
| status_details | A list of descriptions, containing additional information about the |
| status_id | The normalized identifier of the event status |
| storage_class | The storage class of the entity |
| stratum | The stratum level of the NTP server's time source, normalized to the caption ... |
| stratum_id | The normalized identifier of the stratum level, as defined in |
| sub_technique | The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ... |
| subdomain | The subdomain portion of the URL |
| subdomains | An array of subdomain strings |
| subgroup | A subgroup that was added to or removed from the group |
| subject | The identifier of the subject |
| subnet | The subnet mask |
| subnet_prefix | The subnet prefix length determines the number of bits used to represent the |
| subnet_uid | The unique identifier of a virtual subnet |
| supporting_data | Additional data supporting a finding as provided by security tool |
| surname | The last or family name for the user |
| svc_name | The service name in service-to-service connections |
| system_call | The system call that was invoked |
| table | The table object represents a table within a structured relational database o... |
| tactic | The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name |
| tactics | The Tactic object describes the tactic ID and/or tactic name that are |
| tag | The image tag |
| tags | The list of tags; {key:value} pairs attached to an entity |
| target | The target of the event or object |
| tcp_flags | The network connection TCP header flags (i |
| tcp_state_id | The state of the TCP socket for the network connection |
| technique | The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/o... |
| tenant_uid | The unique tenant identifier |
| terminal | The Pseudo Terminal |
| terminated_time | The time when the entity was terminated |
| threat_actor | A threat actor is an individual or group that conducts malicious cyber |
| ticket | The linked ticket in the ticketing system |
| tickets | The associated ticket(s) in the ticketing system |
| tid | The identifier of the thread associated with the event, as returned by the |
| time | The normalized event occurrence time or the finding creation time |
| timespan | The Time Span object represents different time period durations |
| timezone_offset | The number of minutes that the reported event time is ahead or |
| title | The title of an entity |
| tlp | The <a target='_blank' href='https://www |
| tls | The Transport Layer Security (TLS) attributes |
| tls_extension_list | The list of TLS extensions |
| to | The machine-readable email header To values, as defined by RFC 5322 |
| to_mailboxes | The human-readable email header To Mailbox values |
| token | The Token object is the base object for representing tokens, API keys, and |
| total | The total number of items |
| total_potential_attacks_count | The total count of privilege-to-attack technique mappings identified across a... |
| total_queued_duration | The amount of time an event spent in a queue awaiting processing |
| total_tokens | Total number of tokens used for this message (prompt + completion) |
| trace | The information about the trace |
| track_direction | Direction of flight expressed as a “True North-based” ground track angle |
| traffic | The network traffic refers to the amount of data moving across a network at a |
| traits | The traits that describe characteristics, features of an entity |
| transaction_uid | The unique identifier of the transaction |
| transformation_info_list | An array of transformation info that describes the mappings or transforms |
| transmit_time | The event transmission time from one device to another |
| tree_uid | The tree id is a unique SMB identifier which represents an open connection to... |
| ttl | The time interval that the resource record may be cached |
| tunnel_interface | The information about the tunnel interface |
| tunnel_type | The type of tunnel configuration, normalized to the caption of the |
| tunnel_type_id | The normalized identifier for the type of tunnel configuration, indicating th... |
| type | The type of an object or value, normalized to the caption of the type_id valu... |
| type_id | The normalized type identifier of an object |
| type_name | The event/finding type name, as defined by the type_uid |
| type_uid | The event/finding type ID |
| types | The type/s of an entity |
| udid | The Apple assigned Unique Device Identifier (UDID) |
| uid | The unique identifier |
| uid_alt | The alternate unique identifier |
| unique_malware_count | The number of unique malware detected during a scan |
| unmanned_aerial_system | The Unmanned Aerial System object describes the characteristics, Position |
| unmanned_system_operating_area | The UAS Operating Area object describes details about a precise area of |
| unmanned_system_operator | The human or machine operator of an Unmanned System |
| unmapped | The attributes that are not mapped to the event schema |
| untruncated_size | The size in bytes of an attribute before truncation |
| unused_privileges_count | The number of unused privileges |
| unused_services_count | The number of unused services |
| uploaded_time | The timestamp at which an entity was uploaded |
| uri | A Uniform Resource Identifier (URI) is a string of characters that identifies... |
| url | The URL object that pertains to the event or object |
| url_string | The URL string |
| urls | The URLs that pertain to the event or object |
| user | The user that pertains to the event or object |
| user_agent | The request header that identifies the operating system and web browser |
| user_result | The result of the user account change |
| users | The users that pertain to the event or object |
| uuid | The universally unique identifier |
| value | The value associated to an attribute |
| values | An array of values associated to an attribute |
| vector_string | The CVSS vector string is a text representation of a set of CVSS metrics |
| vendor_attributes | The Vendor Attributes object can be used to represent values of attributes |
| vendor_id_list | The list of vendor IDs |
| vendor_name | The name of the vendor |
| verdict | The verdict assigned to an Incident finding |
| verdict_id | The normalized verdict of an Incident |
| version | The version that pertains to the event or object |
| vertical_speed | Vertical speed upward relative to the WGS-84 datum, measured in meters per |
| vlan_uid | The Virtual LAN identifier |
| volume | The volume on the storage device where the file is located |
| vpc_uid | The unique identifier of the Virtual Private Cloud (VPC) |
| vram_mode | The video memory attachment mode, indicating how the VRAM hardware is |
| vram_mode_id | The normalized identifier of the video memory attachment mode |
| vram_size | The total amount of installed video RAM |
| vulnerabilities | This object describes vulnerabilities reported in a security finding |
| vulnerability | The vulnerability object describes details related to the observed |
| web_resources | Describes details about web resources that were affected by an activity/event |
| web_resources_result | The results of the activity on web resources |
| whois | The resources of a WHOIS record for a given domain |
| win_resource | The Windows resource object that was accessed, such as a mutant or timer |
| win_service | The Windows service |
| working_directory | The working directory of a process |
| write_count | The write count |
| x_forwarded_for | The X-Forwarded-For header identifying the originating IP address(es) of a |
| x_originating_ip | The X-Originating-IP header identifying the email's originating IP address(es) |
| xattributes | An unordered collection of zero or more name/value pairs where each pair |
| zone | The network zone or LAN segment |
Enumerations
| Enumeration | Description |
|---|---|
| AccountChangeActivityIdEnum | AccountChange activity_id values |
| AccountSwitchTypeIdEnum | The normalized identifier of the account switch method |
| AccountTypeIdEnum | The normalized account type identifier |
| ActionIdEnum | The normalized action taken by a control or other policy-based system leading |
| ActivityIdEnum | The normalized identifier of the activity that triggered the event |
| AdditionalRestrictionStatusIdEnum | The normalized status identifier indicating the applicability of this policy |
| AgentTypeIdEnum | The normalized representation of an agent or sensor |
| AirborneBroadcastActivityActivityIdEnum | AirborneBroadcastActivity activity_id values |
| AlgorithmIdEnum | The normalized identifier of the algorithm |
| AnalyticStateIdEnum | The Analytic state identifier |
| AnalyticTypeIdEnum | The analytic type ID |
| ApiActivityActivityIdEnum | ApiActivity activity_id values |
| ApplicationErrorActivityIdEnum | ApplicationError activity_id values |
| ApplicationLifecycleActivityIdEnum | ApplicationLifecycle activity_id values |
| AuthenticationActivityIdEnum | Authentication activity_id values |
| AuthenticationTokenTypeIdEnum | The normalized authentication token type identifier |
| AuthorizeSessionActivityIdEnum | AuthorizeSession activity_id values |
| AuthProtocolIdEnum | The normalized identifier of the authentication protocol used to create the |
| AuthTypeIdEnum | The normalized identifier of the agreed upon authentication type |
| BaseEventActivityIdEnum | BaseEvent activity_id values |
| BaseEventCategoryUidEnum | BaseEvent category_uid values |
| BaseEventClassUidEnum | BaseEvent class_uid values |
| BoundaryIdEnum | The normalized identifier of the boundary of the connection |
| BusTypeIdEnum | The normalized identifier of the attachment bus or interface standard |
| CategoryIdsEnum | The Website categorization identifiers |
| CategoryUidEnum | The normalized OCSF event category (see categories) |
| CheckSeverityIdEnum | The normalized severity identifier that maps severity levels to standard |
| CheckStatusIdEnum | The normalized status identifier of the compliance check |
| ClassificationIdsEnum | The list of normalized classification identifiers |
| ComplianceStatusIdEnum | The normalized status identifier of the compliance check |
| ConfidenceIdEnum | The normalized confidence refers to the accuracy of the rule that created the |
| ConfidentialityIdEnum | The normalized identifier of the file content confidentiality indicator |
| CpuArchitectureIdEnum | The normalized identifier of the CPU architecture |
| DatabaseTypeIdEnum | The normalized identifier of the database type |
| DatabucketTypeIdEnum | The normalized identifier of the databucket type |
| DataClassificationCategoryIdEnum | The normalized identifier of the data classification category |
| DataClassificationStatusIdEnum | The normalized status identifier of the classification job |
| DataLifecycleStateIdEnum | The stage or state that the data was in when it was assessed or scanned by a |
| DataSecurityFindingActivityIdEnum | The normalized identifier of the Data Security Finding activity |
| DatastoreActivityActivityIdEnum | DatastoreActivity activity_id values |
| DatastoreActivityTypeIdEnum | The normalized datastore resource type identifier |
| DepthEnum | The CVSS depth represents a depth of the equation used to calculate CVSS scor... |
| DetectionPatternTypeIdEnum | Specifies the type of detection pattern used to identify the associated threa... |
| DetectionSystemIdEnum | The type of data security tool or system that the finding, detection, or aler... |
| DeviceConfigStateChangeStateIdEnum | The Config Change State of the managed entity |
| DhcpActivityActivityIdEnum | DhcpActivity activity_id values |
| DigitalSignatureAlgorithmIdEnum | The identifier of the normalized digital signature algorithm |
| DigitalSignatureStateIdEnum | The normalized identifier of the signature state |
| DirectionIdEnum | The normalized identifier of the direction of the initiated connection, |
| DiscoveryEventActivityIdEnum | DiscoveryEvent activity_id values |
| DiscoveryResultActivityIdEnum | DiscoveryResult activity_id values |
| DispositionIdEnum | Describes the outcome or action taken by a security control, such as access |
| DnsActivityActivityIdEnum | DnsActivity activity_id values |
| DnsActivityRcodeIdEnum | The normalized identifier of the DNS server response code |
| DnsAnswerFlagIdsEnum | The list of DNS answer header flag IDs |
| DnssecStatusIdEnum | Describes the normalized status of DNS Security Extensions (DNSSEC) for a |
| DomainContactTypeIdEnum | The normalized domain contact type ID |
| DriveTypeIdEnum | Identifies the type of a disk drive |
| DroneFlightsActivityActivityIdEnum | DroneFlightsActivity activity_id values |
| DroneFlightsActivityAuthProtocolIdEnum | The normalized identifier of the authentication type used to authorize a flig... |
| DroneFlightsActivityStatusIdEnum | The normalized Operational status identifier for the Unmanned Aerial System |
| EmailActivityActivityIdEnum | EmailActivity activity_id values |
| EmailActivityDirectionIdEnum | The direction of the email relative to the scanning host or |
| EmailFileActivityActivityIdEnum | EmailFileActivity activity_id values |
| EmailUrlActivityActivityIdEnum | EmailUrlActivity activity_id values |
| EncodingIdEnum | The normalized identifier of the encoding method |
| EncryptionDetailsAlgorithmIdEnum | The encryption algorithm used |
| EndpointTypeIdEnum | The endpoint type ID |
| EntityManagementActivityIdEnum | EntityManagement activity_id values |
| EventLogActvityActivityIdEnum | EventLogActvity activity_id values |
| EvidencesVerdictIdEnum | The normalized verdict (or status) ID of the evidence associated with the |
| FactorTypeIdEnum | The normalized identifier for the authentication factor |
| FileActivityActivityIdEnum | FileActivity activity_id values |
| FileHostingActivityIdEnum | FileHosting activity_id values |
| FileTypeIdEnum | The file type ID |
| FindingActivityIdEnum | The normalized identifier of the finding activity |
| FindingStatusIdEnum | The normalized status identifier of the Finding, set by the consumer |
| FingerprintAlgorithmIdEnum | The identifier of the normalized algorithm or scheme, which was used to creat... |
| FixCoverageIdEnum | The normalized identifier for fix coverage |
| FlagIdsEnum | The list of normalized identifiers of the communication flag IDs |
| FormatIdEnum | The normalized identifier of the format |
| FtpActivityActivityIdEnum | FtpActivity activity_id values |
| GpuInfoBusTypeIdEnum | The normalized identifier of the attachment bus or interface standard |
| GpuInfoVramModeIdEnum | GpuInfo vram_mode_id values |
| GraphQueryLanguageIdEnum | The normalized identifier of a graph query language that can be used to |
| GroupManagementActivityIdEnum | GroupManagement activity_id values |
| HttpActivityActivityIdEnum | HttpActivity activity_id values |
| HttpRequestHttpMethodEnum | The HTTP request method |
| IdpStateIdEnum | The normalized state ID of the Identity Provider to reflect its configuration |
| ImpactIdEnum | The normalized impact of the incident or finding |
| IncidentFindingActivityIdEnum | The normalized identifier of the Incident activity |
| IncidentFindingStatusIdEnum | The normalized status identifier of the Incident |
| InitiatorIdEnum | The normalized identifier of the initiator |
| InjectionTypeIdEnum | The normalized identifier of the process injection method |
| InstallStateIdEnum | The normalized state of the install |
| IntegrityIdEnum | The normalized identifier of the process integrity level (Windows only) |
| Ja4FingerprintTypeIdEnum | The identifier of the JA4+ fingerprint type |
| JobRunStateIdEnum | The run state ID of the job |
| KernelActivityActivityIdEnum | KernelActivity activity_id values |
| KernelExtensionActivityActivityIdEnum | KernelExtensionActivity activity_id values |
| KernelTypeIdEnum | The type of the kernel resource |
| LaunchTypeIdEnum | The normalized identifier for the specific type of Launch |
| LoadTypeIdEnum | The normalized identifier of the load type |
| LogonTypeIdEnum | The normalized logon type identifier |
| LogTypeIdEnum | The normalized log type identifier |
| MalwareClassificationIdsEnum | The list of normalized identifiers of the malware classifications |
| ManagedEntityTypeIdEnum | The type of the Managed Entity |
| MemoryActivityActivityIdEnum | MemoryActivity activity_id values |
| MessageContextAiRoleIdEnum | Specifies the functional role of the AI within the context of this message, |
| ModuleActivityActivityIdEnum | ModuleActivity activity_id values |
| ModuleLoadTypeIdEnum | The normalized identifier for how the module was loaded in memory |
| NetworkActivityActivityIdEnum | NetworkActivity activity_id values |
| NetworkActivityInitiatorIdEnum | The normalized identifier of the endpoint that initiated the network |
| NetworkConnectionInfoProtocolVerIdEnum | The Internet Protocol version identifier |
| NetworkConnectionQueryStateIdEnum | The state of the socket |
| NetworkEventObservationPointIdEnum | The normalized identifier of the observation point |
| NetworkFileActivityActivityIdEnum | NetworkFileActivity activity_id values |
| NetworkInterfaceTypeIdEnum | The network interface type identifier |
| NetworkScopeIdEnum | The normalized identifier of the endpoint’s network scope |
| NtpActivityActivityIdEnum | NtpActivity activity_id values |
| ObservableTypeIdEnum | The observable value type identifier |
| ObservationPointIdEnum | The normalized identifier of the observation point |
| OpcodeIdEnum | The DNS opcode ID specifies the normalized query message type as defined in <... |
| OsintTlpEnum | The Traffic Light Protocol (TLP) marking |
| OsintTypeIdEnum | The OSINT indicator type ID |
| OsTypeIdEnum | The type identifier of the operating system |
| PackageTypeIdEnum | The type of software package |
| PacketEncodingIdEnum | The normalized identifier of the encoding method used to represent the packet |
| PacketFormatIdEnum | The normalized identifier of the packet capture format |
| PacketSourceIdEnum | A normalized numeric identifier that specifies how the packet was obtained or |
| PeripheralActivityActivityIdEnum | PeripheralActivity activity_id values |
| PeripheralDeviceTypeIdEnum | The normalized peripheral device type ID |
| PhaseIdEnum | The cyber kill chain phase identifier |
| PrevSecurityLevelIdEnum | The previous security level of the entity |
| PriorityIdEnum | The normalized priority |
| PrivilegeInfoTypeIdEnum | The normalized type of the privilege |
| ProcessActivityActivityIdEnum | ProcessActivity activity_id values |
| ProtocolVerIdEnum | The normalized identifier of the Protocol version |
| QueryEvidenceQueryTypeIdEnum | The normalized type of system query performed against a device or system |
| QueryLanguageIdEnum | The normalized identifier of the query language |
| QueryResultIdEnum | The normalized identifier of the query result |
| QueryTypeIdEnum | The normalized type of system query performed against a device or system |
| RcodeIdEnum | The normalized identifier of the server response code |
| RdpActivityActivityIdEnum | RdpActivity activity_id values |
| RegistryKeyActivityActivityIdEnum | RegistryKeyActivity activity_id values |
| RegistryValueActivityActivityIdEnum | RegistryValueActivity activity_id values |
| RegValueTypeIdEnum | The value type ID |
| RelationshipIdEnum | The normalized identifier of the relationship between two software components |
| RemediationActivityActivityIdEnum | Matches the MITRE D3FEND™ Tactic |
| RemediationActivityStatusIdEnum | RemediationActivity status_id values |
| ResourceDetailsRoleIdEnum | The normalized identifier of the resource's role in the context of the event ... |
| RiskLevelIdEnum | The normalized risk level id |
| RoleIdEnum | The normalized identifier of an entity's role in the context of the event or |
| RunModeIdsEnum | The list of normalized identifiers that describe application attributes when ... |
| RunStateIdEnum | The normalized identifier of the state of the job or service |
| SbomTypeIdEnum | The type of SBOM |
| ScanActivityActivityIdEnum | ScanActivity activity_id values |
| ScanTypeIdEnum | The type id of the scan |
| ScheduledJobActivityActivityIdEnum | ScheduledJobActivity activity_id values |
| ScimStateIdEnum | The normalized state ID of the SCIM resource to reflect its activation status |
| ScoreIdEnum | The normalized reputation score identifier |
| ScriptActivityActivityIdEnum | ScriptActivity activity_id values |
| ScriptTypeIdEnum | The normalized script type ID |
| SecurityFindingActivityIdEnum | SecurityFinding activity_id values |
| SecurityFindingStateIdEnum | The normalized state identifier of a security finding |
| SecurityLevelIdEnum | The current security level of the entity |
| SecurityStateStateIdEnum | The security state of the managed entity |
| SeverityIdEnum | The normalized identifier of the event/finding severity |
| ShareTypeIdEnum | The normalized identifier of the share type |
| SmbActivityActivityIdEnum | SmbActivity activity_id values |
| SoftwareComponentTypeIdEnum | The type of software component |
| SourceIdEnum | The normalized identifier of the source |
| SshActivityActivityIdEnum | SshActivity activity_id values |
| SshActivityAuthTypeIdEnum | The normalized identifier of the SSH authentication type |
| StartTypeIdEnum | The start type ID of a service or application |
| StartupItemRunModeIdsEnum | The list of normalized identifiers that describe the startup items' propertie... |
| StartupItemRunStateIdEnum | The run state ID of the startup item |
| StartupItemTypeIdEnum | The startup item type identifier |
| StateIdEnum | The normalized state ID of the event or object |
| StatusIdEnum | The normalized identifier of the event status |
| StratumIdEnum | The normalized identifier of the stratum level, as defined in <a |
| TcpStateIdEnum | The state of the TCP socket for the network connection |
| ThreatActorTypeIdEnum | The normalized datastore resource type identifier |
| TicketStatusIdEnum | The normalized identifier for the ticket status |
| TicketTypeIdEnum | The normalized identifier for the ticket type |
| TimespanTypeIdEnum | The normalized identifier for the time span duration type |
| TlsExtensionTypeIdEnum | The TLS extension type identifier |
| TokenTypeIdEnum | The normalized token type identifier |
| TunnelActivityActivityIdEnum | TunnelActivity activity_id values |
| TunnelActivityTunnelTypeIdEnum | The normalized identifier for the type of tunnel configuration, indicating th... |
| TunnelTypeIdEnum | The normalized identifier for the type of tunnel configuration, indicating th... |
| TypeIdEnum | The normalized type identifier of an object |
| UnmannedAerialSystemTypeIdEnum | The UAS type identifier |
| UnmannedSystemOperatingAreaTypeIdEnum | The operating area type identifier |
| UserAccessActivityIdEnum | UserAccess activity_id values |
| UserTypeIdEnum | The account type identifier |
| VerdictIdEnum | The normalized verdict of an Incident |
| VramModeIdEnum | The normalized identifier of the video memory attachment mode |
| VulnerabilityFixCoverageIdEnum | The normalized identifier for fix coverage, applicable to this vulnerability |
| WebResourceAccessActivityActivityIdEnum | WebResourceAccessActivity activity_id values |
| WebResourcesActivityActivityIdEnum | WebResourcesActivity activity_id values |
| WindowsResourceActivityActivityIdEnum | WindowsResourceActivity activity_id values |
| WindowsServiceActivityActivityIdEnum | WindowsServiceActivity activity_id values |
| WindowsServiceCategoryIdEnum | The normalized identifier of the service category |
| WindowsServiceErrorControlIdEnum | The normalized identifier of the service error control |
| WindowsServiceStartTypeIdEnum | The normalized identifier of the service start type |
| WindowsServiceTypeIdEnum | The normalized identifier of the service type |
| WinResourceTypeIdEnum | The normalized type identifier of the Windows resource object accessed |
Types
| Type | Description |
|---|---|
| Boolean | A binary (true or false) value |
| Curie | a compact URI |
| Date | a date (year, month and day) in an idealized calendar |
| DateOrDatetime | Either a date or a datetime |
| Datetime | The combination of a date and time |
| Decimal | A real number with arbitrary precision that conforms to the xsd:decimal speci... |
| Double | A real number that conforms to the xsd:double specification |
| EmailT | An email address |
| FileNameT | A file name |
| FilePathT | A file path |
| Float | A real number that conforms to the xsd:float specification |
| HostnameT | A fully qualified domain name (FQDN) |
| Integer | An integer |
| IpT | An IP address, in either IPv4 or IPv6 format |
| Jsonpath | A string encoding a JSON Path |
| Jsonpointer | A string encoding a JSON Pointer |
| MacT | A MAC (Media Access Control) address |
| Ncname | Prefix part of CURIE |
| Nodeidentifier | A URI, CURIE or BNODE that represents a node in a model |
| Objectidentifier | A URI or CURIE that represents an object in the model |
| PortT | A TCP/UDP port number (0-65535) |
| Sparqlpath | A string encoding a SPARQL Property Path |
| String | A character string |
| SubnetT | An IP subnet in CIDR notation |
| Time | A time object represents a (local) time of day, independent of any particular... |
| TimestampT | A UNIX timestamp, in milliseconds since the Unix Epoch (1 Jan 1970 00:00:00 UTC) |
| Uri | a complete URI |
| Uriorcurie | a URI or a CURIE |
| UrlT | A Uniform Resource Locator (URL) |
| UsernameT | A user name |
| UuidT | A Universally Unique Identifier (UUID) |
Subsets
| Subset | Description |
|---|---|
| ai_operation_profile_subset | AI-specific attributes for model operations, retrieval systems, and agent |
| application_subset | Application Activity events report detailed information about the behavior of |
| cloud_profile_subset | The attributes that describe information specific to Cloud |
| container_profile_subset | The container context for a process |
| data_classification_profile_subset | The Data Classification profile adds attributes to specific resource objects, |
| datetime_profile_subset | This profile defines date/time attributes as defined in RFC-3339 |
| discovery_subset | Discovery events report the existence and state of devices, files, |
| findings_subset | Findings events report findings, detections, and possible resolutions of |
| host_profile_subset | The attributes that identify host/device attributes |
| iam_subset | Identity & Access Management (IAM) events relate to the supervision of the |
| incident_profile_subset | The attributes that add incident handling semantics to a Finding |
| linux_extension_subset | The Linux extension defines Linux specific attributes, profiles, objects, and |
| load_balancer_profile_subset | The attributes that describe information specific to load balancers |
| macos_extension_subset | The macOS extension defines macOS specific attributes, profiles, objects, and |
| network_proxy_profile_subset | The attributes that identify network proxy attributes |
| network_subset | Network Activity events |
| objects_subset | Reusable OCSF object definitions (mirrors upstream objects/ directory) |
| osint_profile_subset | The OSINT (Open Source Intelligence) profile contains one or more indicators |
| remediation_subset | Remediation events report the results of remediation commands targeting files... |
| security_control_profile_subset | The attributes including disposition that represent the outcome of a security |
| system_subset | System Activity events |
| trace_profile_subset | The Trace Profile extends the OCSF framework to capture and standardize |
| unmanned_systems_subset | Unmanned Systems events report the activity, existence, and/or state of |
| windows_extension_subset | The Windows extension defines Windows specific attributes, objects, and |