Class: Api

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

URI: ocsf:Api

 classDiagram
    class Api
    click Api href "../Api/"
      Object <|-- Api
        click Object href "../Object/"

      Api : group
        Api --> "0..1" Group : group
        click Group href "../Group/"

      Api : operation

      Api : request
        Api --> "0..1 _recommended_" Request : request
        click Request href "../Request/"

      Api : response
        Api --> "0..1 _recommended_" Response : response
        click Response href "../Response/"

      Api : service
        Api --> "0..1" Service : service
        click Service href "../Service/"

      Api : token
        Api --> "0..1" Token : token
        click Token href "../Token/"

      Api : version

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| group | 0..1 Group | The information pertaining to the API group | direct |
| operation | 1 String | Verb/Operation associated with the request | direct |
| request | 0..1 recommended Request | Details pertaining to the API request | direct |
| response | 0..1 recommended Response | Details pertaining to the API response | direct |
| service | 0..1 Service | The information pertaining to the API service | direct |
| token | 0..1 Token | The API or client token used to authenticate or authorize the API request | direct |
| version | 0..1 String | The version of the API service | direct |

Usages

| used by | used in | type | used |
|---|---|---|---|
| Databucket | api | range | Api |
| Evidences | api | range | Api |
| ResourceDetails | api | range | Api |
| CloudProfile | api | range | Api |
| BaseEvent | api | range | Api |
| ApplicationEvent | api | range | Api |
| ApiActivity | api | range | Api |
| ApplicationError | api | range | Api |
| ApplicationLifecycle | api | range | Api |
| DatastoreActivity | api | range | Api |
| FileHosting | api | range | Api |
| ScanActivity | api | range | Api |
| WebResourceAccessActivity | api | range | Api |
| WebResourcesActivity | api | range | Api |
| DiscoveryEvent | api | range | Api |
| AdminGroupQuery | api | range | Api |
| CloudResourcesInventoryInfo | api | range | Api |
| ConfigState | api | range | Api |
| DeviceConfigStateChange | api | range | Api |
| DiscoveryResult | api | range | Api |
| EvidenceInfo | api | range | Api |
| FileQuery | api | range | Api |
| FolderQuery | api | range | Api |
| InventoryInfo | api | range | Api |
| JobQuery | api | range | Api |
| KernelObjectQuery | api | range | Api |
| ModuleQuery | api | range | Api |
| NetworkConnectionQuery | api | range | Api |
| NetworksQuery | api | range | Api |
| OsintInventoryInfo | api | range | Api |
| PatchState | api | range | Api |
| PeripheralDeviceQuery | api | range | Api |
| ProcessQuery | api | range | Api |
| ServiceQuery | api | range | Api |
| SessionQuery | api | range | Api |
| SoftwareInfo | api | range | Api |
| StartupItemQuery | api | range | Api |
| UserInventory | api | range | Api |
| UserQuery | api | range | Api |
| ApplicationSecurityPostureFinding | api | range | Api |
| ComplianceFinding | api | range | Api |
| DataSecurityFinding | api | range | Api |
| DetectionFinding | api | range | Api |
| Finding | api | range | Api |
| IamAnalysisFinding | api | range | Api |
| IncidentFinding | api | range | Api |
| SecurityFinding | api | range | Api |
| VulnerabilityFinding | api | range | Api |
| IamEvent | api | range | Api |
| AccountChange | api | range | Api |
| Authentication | api | range | Api |
| AuthorizeSession | api | range | Api |
| EntityManagement | api | range | Api |
| GroupManagement | api | range | Api |
| UserAccess | api | range | Api |
| NetworkEvent | api | range | Api |
| DhcpActivity | api | range | Api |
| DnsActivity | api | range | Api |
| EmailActivity | api | range | Api |
| EmailFileActivity | api | range | Api |
| EmailUrlActivity | api | range | Api |
| FtpActivity | api | range | Api |
| HttpActivity | api | range | Api |
| NetworkActivity | api | range | Api |
| NetworkFileActivity | api | range | Api |
| NtpActivity | api | range | Api |
| RdpActivity | api | range | Api |
| SmbActivity | api | range | Api |
| SshActivity | api | range | Api |
| TunnelActivity | api | range | Api |
| FileRemediationActivity | api | range | Api |
| NetworkRemediationActivity | api | range | Api |
| ProcessRemediationActivity | api | range | Api |
| RemediationActivity | api | range | Api |
| SystemEvent | api | range | Api |
| EventLogActvity | api | range | Api |
| FileActivity | api | range | Api |
| KernelActivity | api | range | Api |
| KernelExtensionActivity | api | range | Api |
| MemoryActivity | api | range | Api |
| ModuleActivity | api | range | Api |
| PeripheralActivity | api | range | Api |
| ProcessActivity | api | range | Api |
| ScheduledJobActivity | api | range | Api |
| ScriptActivity | api | range | Api |
| UnmannedSystemsEvent | api | range | Api |
| AirborneBroadcastActivity | api | range | Api |
| DroneFlightsActivity | api | range | Api |
| WindowsEvidences | api | range | Api |
| PrefetchQuery | api | range | Api |
| RegistryKeyActivity | api | range | Api |
| RegistryKeyQuery | api | range | Api |
| RegistryValueActivity | api | range | Api |
| RegistryValueQuery | api | range | Api |
| WindowsResourceActivity | api | range | Api |
| WindowsServiceActivity | api | range | Api |

In Subsets

Aliases

  • API

Identifier and Mapping Information

Schema Source

Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Api |
| native | ocsf:Api |

LinkML Source

Direct

name: Api
description: 'The API, or Application Programming Interface, object represents  information

  pertaining to an API request and response.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- API
is_a: Object
slots:
- group
- operation
- request
- response
- service
- token
- version
slot_usage:
  group:
    name: group
    description: The information pertaining to the API group.
  operation:
    name: operation
    required: true
  request:
    name: request
    description: Details pertaining to the API request.
    recommended: true
  response:
    name: response
    description: Details pertaining to the API response.
    recommended: true
  service:
    name: service
    description: The information pertaining to the API service.
  token:
    name: token
    description: 'The API or client token used to authenticate or authorize the API
      request. This

      attribute contains the base <code>token</code> object that represents: (1)

      IdP-issued client tokens (type_id: 6) such as Okta API tokens or Microsoft

      Entra ID Application Registration client secrets, or (2) generic API

      tokens/keys (type_id: 7) used for SaaS application authentication. Use this

      attribute when the API request was authenticated using a token that should be

      tracked as part of the API activity event. Note: Protocol-specific

      authentication tokens (Kerberos, OIDC, SAML) should be represented using

      <code>authentication_token</code> in authentication events, not in API activity

      events.'
  version:
    name: version
    description: The version of the API service.

Induced

name: Api
description: 'The API, or Application Programming Interface, object represents  information

  pertaining to an API request and response.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- API
is_a: Object
slot_usage:
  group:
    name: group
    description: The information pertaining to the API group.
  operation:
    name: operation
    required: true
  request:
    name: request
    description: Details pertaining to the API request.
    recommended: true
  response:
    name: response
    description: Details pertaining to the API response.
    recommended: true
  service:
    name: service
    description: The information pertaining to the API service.
  token:
    name: token
    description: 'The API or client token used to authenticate or authorize the API
      request. This

      attribute contains the base <code>token</code> object that represents: (1)

      IdP-issued client tokens (type_id: 6) such as Okta API tokens or Microsoft

      Entra ID Application Registration client secrets, or (2) generic API

      tokens/keys (type_id: 7) used for SaaS application authentication. Use this

      attribute when the API request was authenticated using a token that should be

      tracked as part of the API activity event. Note: Protocol-specific

      authentication tokens (Kerberos, OIDC, SAML) should be represented using

      <code>authentication_token</code> in authentication events, not in API activity

      events.'
  version:
    name: version
    description: The version of the API service.
attributes:
  group:
    name: group
    description: The information pertaining to the API group.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Group
    rank: 1000
    alias: group
    owner: Api
    domain_of:
    - QueryEvidence
    - Api
    - ApplicationObject
    - Databucket
    - ManagedEntity
    - Policy
    - ResourceDetails
    - AdminGroupQuery
    - AuthorizeSession
    - GroupManagement
    - LinuxUsersProfile
    range: Group
  operation:
    name: operation
    description: Verb/Operation associated with the request
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Operation
    rank: 1000
    alias: operation
    owner: Api
    domain_of:
    - Span
    - Api
    range: string
    required: true
  request:
    name: request
    description: Details pertaining to the API request.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - API Request Details
    rank: 1000
    alias: request
    owner: Api
    domain_of:
    - Api
    - RdpActivity
    range: Request
    recommended: true
  response:
    name: response
    description: Details pertaining to the API response.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - API Response Details
    rank: 1000
    alias: response
    owner: Api
    domain_of:
    - Api
    - RdpActivity
    - SmbActivity
    range: Response
    recommended: true
  service:
    name: service
    description: The information pertaining to the API service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service
    rank: 1000
    alias: service
    owner: Api
    domain_of:
    - QueryEvidence
    - Span
    - Trace
    - Api
    - MessageContext
    - ServiceQuery
    - Authentication
    range: Service
  token:
    name: token
    description: 'The API or client token used to authenticate or authorize the API
      request. This

      attribute contains the base <code>token</code> object that represents: (1)

      IdP-issued client tokens (type_id: 6) such as Okta API tokens or Microsoft

      Entra ID Application Registration client secrets, or (2) generic API

      tokens/keys (type_id: 7) used for SaaS application authentication. Use this

      attribute when the API request was authenticated using a token that should be

      tracked as part of the API activity event. Note: Protocol-specific

      authentication tokens (Kerberos, OIDC, SAML) should be represented using

      <code>authentication_token</code> in authentication events, not in API activity

      events.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Token
    rank: 1000
    alias: token
    owner: Api
    domain_of:
    - Api
    range: Token
  version:
    name: version
    description: The version of the API service.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Version
    rank: 1000
    alias: version
    owner: Api
    domain_of:
    - Os
    - Package
    - RpcInterface
    - Sbom
    - Scim
    - SoftwareComponent
    - Tls
    - Agent
    - AiModel
    - Analytic
    - Api
    - ApplicationObject
    - Attack
    - Certificate
    - Check
    - CisControl
    - CisCsc
    - Cvss
    - D3fend
    - Databucket
    - Epss
    - Extension
    - Feature
    - File
    - HttpRequest
    - Logger
    - ManagedEntity
    - Metadata
    - Policy
    - Product
    - ResourceDetails
    - Rule
    - Service
    - NtpActivity
    range: string