Class: Check
The check object defines a specific, testable compliance verification point
that evaluates a target device against a standard, framework, or custom
requirement. While checks are typically associated with formal standards (like
CIS, NIST, or ISO), they can also represent custom or organizational
requirements. When mapped to controls, checks can evaluate specific
control_parameters to determine compliance status, but neither the control
mapping nor control_parameters are required for a valid check.
URI: ocsf:Check
classDiagram
class Check
click Check href "../Check/"
Object <|-- Check
click Object href "../Object/"
Check : desc
Check : name
Check : resource
Check --> "0..1" ResourceDetails : resource
click ResourceDetails href "../ResourceDetails/"
Check : severity
Check : severity_id
Check --> "0..1" CheckSeverityIdEnum : severity_id
click CheckSeverityIdEnum href "../CheckSeverityIdEnum/"
Check : standards
Check : status
Check : status_id
Check --> "0..1 _recommended_" CheckStatusIdEnum : status_id
click CheckStatusIdEnum href "../CheckStatusIdEnum/"
Check : uid
Check : version
Inheritance
- OcsfObject
- Object
- Check
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| desc | 0..1 String |
The detailed description of the compliance check, explaining the security | direct |
| name | 0..1 recommended String |
The name or title of the compliance check | direct |
| resource | 0..1 ResourceDetails |
Describes details about the resource that this check evaluated | direct |
| severity | 0..1 String |
The severity level as defined in the source document | direct |
| severity_id | 0..1 CheckSeverityIdEnum |
The normalized severity identifier that maps severity levels to standard | direct |
| standards | * recommended String |
The regulatory or industry standard this check is associated with | direct |
| status | 0..1 recommended String |
The resultant status of the compliance check normalized to the caption of the | direct |
| status_id | 0..1 recommended CheckStatusIdEnum |
The normalized status identifier of the compliance check | direct |
| uid | 0..1 recommended String |
The unique identifier of the compliance check within its standard or framewor... | direct |
| version | 0..1 String |
The check version | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Compliance | checks | range | Check |
In Subsets
Aliases
- Check
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Check |
| native | ocsf:Check |
LinkML Source
Direct
name: Check
description: 'The check object defines a specific, testable compliance verification
point
that evaluates a target device against a standard, framework, or custom
requirement. While checks are typically associated with formal standards (like
CIS, NIST, or ISO), they can also represent custom or organizational
requirements. When mapped to controls, checks can evaluate specific
control_parameters to determine compliance status, but neither the control
mapping nor control_parameters are required for a valid check.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Check
is_a: Object
slots:
- desc
- name
- resource
- severity
- severity_id
- standards
- status
- status_id
- uid
- version
slot_usage:
desc:
name: desc
description: 'The detailed description of the compliance check, explaining the
security
requirement, vulnerability, or configuration being assessed. For example, CIS:
<code>The cramfs filesystem type is a compressed read-only Linux filesystem.
Removing support for unneeded filesystem types reduces the local attack
surface.</code> or DISA STIG: <code>Unauthorized access to the information
system by foreign entities may result in loss or compromise of data.</code>'
name:
name: name
description: 'The name or title of the compliance check. For example, CIS: <code>Ensure
mounting of cramfs filesystems is disabled</code> or DISA STIG: <code>The
Ubuntu operating system must implement DoD-approved encryption to protect the
confidentiality of remote access sessions</code>.'
recommended: true
resource:
name: resource
description: Describes details about the resource that this check evaluated.
severity:
name: severity
description: 'The severity level as defined in the source document. For example
CIS
Benchmarks, valid values are: <code>Level 1</code> (security-forward, essential
settings), <code>Level 2</code> (security-focused environment, more
restrictive), or <code>Scored/Not Scored</code> (whether compliance can be
automatically checked). For DISA STIG, valid values are: <code>CAT I</code>
(maps to severity_id 5/Critical), <code>CAT II</code> (maps to severity_id
4/High), or <code>CAT III</code> (maps to severity_id 3/Medium).'
severity_id:
name: severity_id
description: 'The normalized severity identifier that maps severity levels to
standard
severity levels. For example CIS Benchmark: <code>Level 2</code> maps to
<code>4</code> (High), <code>Level 1</code> maps to <code>3</code> (Medium).
For DISA STIG: <code>CAT I</code> maps to <code>5</code> (Critical), <code>CAT
II</code> maps to <code>4</code> (High), and <code>CAT III</code> maps to
<code>3</code> (Medium).'
range: CheckSeverityIdEnum
standards:
name: standards
description: 'The regulatory or industry standard this check is associated with.
E.g.,
<code>PCI DSS 3.2.1</code>, <code>HIPAA Security Rule</code>, <code>NIST SP
800-53 Rev. 5</code>, or <code>ISO/IEC 27001:2013</code>.'
recommended: true
status:
name: status
description: 'The resultant status of the compliance check normalized to the caption
of the
<code>status_id</code> value. For example, CIS Benchmark: <code>Pass</code>
when all requirements are met, <code>Fail</code> when requirements are not met,
or DISA STIG: <code>NotAFinding</code> (maps to status_id 1/Pass),
<code>Open</code> (maps to status_id 3/Fail).'
recommended: true
status_id:
name: status_id
description: The normalized status identifier of the compliance check.
range: CheckStatusIdEnum
recommended: true
uid:
name: uid
description: 'The unique identifier of the compliance check within its standard
or framework.
For example, CIS Benchmark identifier <code>1.1.1.1</code>, DISA STIG
identifier <code>V-230234</code>, or NIST control identifier
<code>AC-17(2)</code>.'
recommended: true
version:
name: version
description: 'The check version. For example, CIS Benchmark: <code>1.1.0</code>
for Amazon
Linux 2 or DISA STIG: <code>V2R1</code> for Windows 10.'
Induced
name: Check
description: 'The check object defines a specific, testable compliance verification
point
that evaluates a target device against a standard, framework, or custom
requirement. While checks are typically associated with formal standards (like
CIS, NIST, or ISO), they can also represent custom or organizational
requirements. When mapped to controls, checks can evaluate specific
control_parameters to determine compliance status, but neither the control
mapping nor control_parameters are required for a valid check.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Check
is_a: Object
slot_usage:
desc:
name: desc
description: 'The detailed description of the compliance check, explaining the
security
requirement, vulnerability, or configuration being assessed. For example, CIS:
<code>The cramfs filesystem type is a compressed read-only Linux filesystem.
Removing support for unneeded filesystem types reduces the local attack
surface.</code> or DISA STIG: <code>Unauthorized access to the information
system by foreign entities may result in loss or compromise of data.</code>'
name:
name: name
description: 'The name or title of the compliance check. For example, CIS: <code>Ensure
mounting of cramfs filesystems is disabled</code> or DISA STIG: <code>The
Ubuntu operating system must implement DoD-approved encryption to protect the
confidentiality of remote access sessions</code>.'
recommended: true
resource:
name: resource
description: Describes details about the resource that this check evaluated.
severity:
name: severity
description: 'The severity level as defined in the source document. For example
CIS
Benchmarks, valid values are: <code>Level 1</code> (security-forward, essential
settings), <code>Level 2</code> (security-focused environment, more
restrictive), or <code>Scored/Not Scored</code> (whether compliance can be
automatically checked). For DISA STIG, valid values are: <code>CAT I</code>
(maps to severity_id 5/Critical), <code>CAT II</code> (maps to severity_id
4/High), or <code>CAT III</code> (maps to severity_id 3/Medium).'
severity_id:
name: severity_id
description: 'The normalized severity identifier that maps severity levels to
standard
severity levels. For example CIS Benchmark: <code>Level 2</code> maps to
<code>4</code> (High), <code>Level 1</code> maps to <code>3</code> (Medium).
For DISA STIG: <code>CAT I</code> maps to <code>5</code> (Critical), <code>CAT
II</code> maps to <code>4</code> (High), and <code>CAT III</code> maps to
<code>3</code> (Medium).'
range: CheckSeverityIdEnum
standards:
name: standards
description: 'The regulatory or industry standard this check is associated with.
E.g.,
<code>PCI DSS 3.2.1</code>, <code>HIPAA Security Rule</code>, <code>NIST SP
800-53 Rev. 5</code>, or <code>ISO/IEC 27001:2013</code>.'
recommended: true
status:
name: status
description: 'The resultant status of the compliance check normalized to the caption
of the
<code>status_id</code> value. For example, CIS Benchmark: <code>Pass</code>
when all requirements are met, <code>Fail</code> when requirements are not met,
or DISA STIG: <code>NotAFinding</code> (maps to status_id 1/Pass),
<code>Open</code> (maps to status_id 3/Fail).'
recommended: true
status_id:
name: status_id
description: The normalized status identifier of the compliance check.
range: CheckStatusIdEnum
recommended: true
uid:
name: uid
description: 'The unique identifier of the compliance check within its standard
or framework.
For example, CIS Benchmark identifier <code>1.1.1.1</code>, DISA STIG
identifier <code>V-230234</code>, or NIST control identifier
<code>AC-17(2)</code>.'
recommended: true
version:
name: version
description: 'The check version. For example, CIS Benchmark: <code>1.1.0</code>
for Amazon
Linux 2 or DISA STIG: <code>V2R1</code> for Windows 10.'
attributes:
desc:
name: desc
description: 'The detailed description of the compliance check, explaining the
security
requirement, vulnerability, or configuration being assessed. For example, CIS:
<code>The cramfs filesystem type is a compressed read-only Linux filesystem.
Removing support for unneeded filesystem types reduces the local attack
surface.</code> or DISA STIG: <code>Unauthorized access to the information
system by foreign entities may result in loss or compromise of data.</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Description
rank: 1000
alias: desc
owner: Check
domain_of:
- Osint
- RelatedEvent
- Remediation
- Vulnerability
- Advisory
- Analytic
- ApplicationObject
- Assessment
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- Compliance
- Cve
- Database
- Databucket
- Enrichment
- File
- FindingObject
- FindingInfo
- Graph
- Group
- Job
- Location
- Node
- Policy
- Rule
- Table
- WebResource
- Device
- IncidentFinding
range: string
name:
name: name
description: 'The name or title of the compliance check. For example, CIS: <code>Ensure
mounting of cramfs filesystems is disabled</code> or DISA STIG: <code>The
Ubuntu operating system must implement DoD-approved encryption to protect the
confidentiality of remote access sessions</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: Check
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
recommended: true
resource:
name: resource
description: Describes details about the resource that this check evaluated.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Resource
rank: 1000
alias: resource
owner: Check
domain_of:
- Check
- ComplianceFinding
- VulnerabilityFinding
- GroupManagement
- UserAccess
range: ResourceDetails
severity:
name: severity
description: 'The severity level as defined in the source document. For example
CIS
Benchmarks, valid values are: <code>Level 1</code> (security-forward, essential
settings), <code>Level 2</code> (security-focused environment, more
restrictive), or <code>Scored/Not Scored</code> (whether compliance can be
automatically checked). For DISA STIG, valid values are: <code>CAT I</code>
(maps to severity_id 5/Critical), <code>CAT II</code> (maps to severity_id
4/High), or <code>CAT III</code> (maps to severity_id 3/Medium).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity
rank: 1000
alias: severity
owner: Check
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Vulnerability
- Check
- Cvss
- KbArticle
- Malware
- BaseEvent
range: string
severity_id:
name: severity_id
annotations:
sibling:
tag: sibling
value: severity
description: 'The normalized severity identifier that maps severity levels to
standard
severity levels. For example CIS Benchmark: <code>Level 2</code> maps to
<code>4</code> (High), <code>Level 1</code> maps to <code>3</code> (Medium).
For DISA STIG: <code>CAT I</code> maps to <code>5</code> (Critical), <code>CAT
II</code> maps to <code>4</code> (High), and <code>CAT III</code> maps to
<code>3</code> (Medium).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity ID
rank: 1000
alias: severity_id
owner: Check
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Check
- Malware
- BaseEvent
range: CheckSeverityIdEnum
standards:
name: standards
description: 'The regulatory or industry standard this check is associated with.
E.g.,
<code>PCI DSS 3.2.1</code>, <code>HIPAA Security Rule</code>, <code>NIST SP
800-53 Rev. 5</code>, or <code>ISO/IEC 27001:2013</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- 'Compliance Standards: List'
rank: 1000
alias: standards
owner: Check
domain_of:
- Check
- Compliance
range: string
recommended: true
multivalued: true
status:
name: status
description: 'The resultant status of the compliance check normalized to the caption
of the
<code>status_id</code> value. For example, CIS Benchmark: <code>Pass</code>
when all requirements are met, <code>Fail</code> when requirements are not met,
or DISA STIG: <code>NotAFinding</code> (maps to status_id 1/Pass),
<code>Open</code> (maps to status_id 3/Fail).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status
rank: 1000
alias: status
owner: Check
domain_of:
- RelatedEvent
- Ticket
- Whois
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- HttpResponse
- BaseEvent
- Finding
- IncidentFinding
- DroneFlightsActivity
range: string
recommended: true
status_id:
name: status_id
annotations:
sibling:
tag: sibling
value: status
description: The normalized status identifier of the compliance check.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status ID
rank: 1000
alias: status_id
owner: Check
domain_of:
- Ticket
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- BaseEvent
- Finding
- IncidentFinding
- RemediationActivity
- DroneFlightsActivity
range: CheckStatusIdEnum
recommended: true
uid:
name: uid
description: 'The unique identifier of the compliance check within its standard
or framework.
For example, CIS Benchmark identifier <code>1.1.1.1</code>, DISA STIG
identifier <code>V-230234</code>, or NIST control identifier
<code>AC-17(2)</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: Check
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
recommended: true
version:
name: version
description: 'The check version. For example, CIS Benchmark: <code>1.1.0</code>
for Amazon
Linux 2 or DISA STIG: <code>V2R1</code> for Windows 10.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Version
rank: 1000
alias: version
owner: Check
domain_of:
- Os
- Package
- RpcInterface
- Sbom
- Scim
- SoftwareComponent
- Tls
- Agent
- AiModel
- Analytic
- Api
- ApplicationObject
- Attack
- Certificate
- Check
- CisControl
- CisCsc
- Cvss
- D3fend
- Databucket
- Epss
- Extension
- Feature
- File
- HttpRequest
- Logger
- ManagedEntity
- Metadata
- Policy
- Product
- ResourceDetails
- Rule
- Service
- NtpActivity
range: string