Class: Container
The Container object describes an instance of a specific container. A container
is a prepackaged, portable system image that runs isolated on an existing
system using a container runtime like containerd.
URI: ocsf:Container
```mermaid
classDiagram
    class Container
    click Container href "../Container/"
    Object <|-- Container
    click Object href "../Object/"
    Container : hash
    Container --> "0..1 _recommended_" Fingerprint : hash
    click Fingerprint href "../Fingerprint/"
    Container : image
    Container --> "0..1 _recommended_" Image : image
    click Image href "../Image/"
    Container : labels
    Container : name
    Container : network_driver
    Container : orchestrator
    Container : pod_uuid
    Container : runtime
    Container : size
    Container : tag
    Container : tags
    Container --> "*" KeyValueObject : tags
    click KeyValueObject href "../KeyValueObject/"
    Container : uid
```
Inheritance
- OcsfObject
- Object
- Container
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| hash | 0..1 recommended Fingerprint | Commit hash of image created for docker or the SHA256 hash of the container | direct |
| image | 0..1 recommended Image | The container image used as a template to run the container | direct |
| labels | * String | The list of labels associated to the container | direct |
| name | 0..1 recommended String | The container name | direct |
| network_driver | 0..1 String | The network driver used by the container | direct |
| orchestrator | 0..1 String | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift | direct |
| pod_uuid | 0..1 UuidT | The unique identifier of the pod (or equivalent) that the container is executing on | direct |
| runtime | 0..1 String | The backend running the container, such as containerd or cri-o | direct |
| size | 0..1 recommended Integer | The size of the container image | direct |
| tag | 0..1 String | The tag used by the container | direct |
| tags | * KeyValueObject | The list of tags; {key:value} pairs associated to the container | direct |
| uid | 0..1 recommended String | The full container unique identifier for this instantiation of the container | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Request | containers | range | Container |
| Response | containers | range | Container |
| Endpoint | container | range | Container |
| Evidences | container | range | Container |
| NetworkEndpoint | container | range | Container |
| NetworkProxy | container | range | Container |
| Device | container | range | Container |
| Process | container | range | Container |
| ContainerProfile | container | range | Container |
| CloudResourcesInventoryInfo | container | range | Container |
| LinuxProcess | container | range | Container |
| MacosProcess | container | range | Container |
| WindowsEvidences | container | range | Container |
| WindowsProcess | container | range | Container |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | [{'slot_conditions': {'uid': {'required': True}}}, {'slot_conditions': {}}] |
In Subsets
Aliases
- Container
See Also
Notes
- D3FEND™ Ontology d3f:ContainerProcess. — https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["uid", "name"]} |
| observable_id | 27 |
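The `at_least_one` constraint and the slot ranges above can be enforced when container events are ingested, so that records which cannot be tied to a container are rejected before they reach detections. The following is an added example, not part of the OCSF schema or its tooling; the function name, the treatment of blank strings as unset, and the constructed sample records are assumptions.

```python
import uuid

# Slot names and Python types for the ranges in the Slots table above.
SLOTS = {"hash": dict, "image": dict, "labels": list, "name": str,
         "network_driver": str, "orchestrator": str, "pod_uuid": str,
         "runtime": str, "size": int, "tag": str, "tags": list, "uid": str}
RECOMMENDED = ("hash", "image", "name", "size", "uid")
AT_LEAST_ONE = ("uid", "name")  # from the ocsf_constraints annotation

def validate_container(obj):
    """Return (errors, warnings) for a dict shaped like an OCSF Container."""
    errors, warnings = [], []
    for key, value in obj.items():
        expected = SLOTS.get(key)
        if expected is None:
            errors.append(f"unknown slot: {key}")
        elif isinstance(value, bool) or not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}")
    # Assumption: a blank string does not count as "set" for uid/name.
    if not any(isinstance(obj.get(k), str) and obj[k].strip() for k in AT_LEAST_ONE):
        errors.append("at least one of uid, name must be set")
    pod = obj.get("pod_uuid")
    if isinstance(pod, str):
        try:
            uuid.UUID(pod)  # range UuidT
        except ValueError:
            errors.append("pod_uuid: not a UUID")
    labels, tags = obj.get("labels"), obj.get("tags")
    if isinstance(labels, list) and not all(isinstance(x, str) for x in labels):
        errors.append("labels: every item must be a string")
    if isinstance(tags, list) and not all(isinstance(x, dict) for x in tags):
        errors.append("tags: every item must be a key/value object")
    if "tag" in obj:
        warnings.append("tag is deprecated since 1.4.0; use labels or tags")
    warnings += [f"recommended slot missing: {k}" for k in RECOMMENDED if k not in obj]
    return errors, warnings

# Constructed sample records; the uid is the example value from the schema text.
SAMPLE_OK = {"uid": "ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf",
             "name": "web-1", "runtime": "containerd", "labels": ["prod"], "size": 1024,
             "pod_uuid": "123e4567-e89b-12d3-a456-426614174000"}
SAMPLE_BAD = {"runtime": "cri-o", "tag": "latest", "pod_uuid": "not-a-uuid", "size": True}

if __name__ == "__main__":
    for record in (SAMPLE_OK, SAMPLE_BAD):
        print(validate_container(record))
```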
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Container |
| native | ocsf:Container |
| related | uco_master:Software |
LinkML Source
Direct
```yaml
name: Container
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["uid", "name"]}'
  observable_id:
    tag: observable_id
    value: 27
description: 'The Container object describes an instance of a specific container.
  A container
  is a prepackaged, portable system image that runs isolated on an existing
  system using a container runtime like containerd.'
notes:
- 'D3FEND™ Ontology d3f:ContainerProcess. —
  https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/
aliases:
- Container
related_mappings:
- uco_master:Software
is_a: Object
slots:
- hash
- image
- labels
- name
- network_driver
- orchestrator
- pod_uuid
- runtime
- size
- tag
- tags
- uid
slot_usage:
  hash:
    name: hash
    description: 'Commit hash of image created for docker or the SHA256 hash of the
      container.
      For example:
      <code>13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de</code>.'
    recommended: true
  image:
    name: image
    description: The container image used as a template to run the container.
    recommended: true
  labels:
    name: labels
    description: The list of labels associated to the container.
  name:
    name: name
    description: The container name.
    recommended: true
  size:
    name: size
    description: The size of the container image.
    recommended: true
  tag:
    name: tag
    description: The tag used by the container. It can indicate version, format, OS.
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      container.
  uid:
    name: uid
    description: 'The full container unique identifier for this instantiation of the
      container.
      For example:
      <code>ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf</code>.'
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
  description: 'OCSF at_least_one: at least one of [''uid'', ''name''] must be set.'
```
Induced
```yaml
name: Container
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["uid", "name"]}'
  observable_id:
    tag: observable_id
    value: 27
description: 'The Container object describes an instance of a specific container.
  A container
  is a prepackaged, portable system image that runs isolated on an existing
  system using a container runtime like containerd.'
notes:
- 'D3FEND™ Ontology d3f:ContainerProcess. —
  https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/
aliases:
- Container
related_mappings:
- uco_master:Software
is_a: Object
slot_usage:
  hash:
    name: hash
    description: 'Commit hash of image created for docker or the SHA256 hash of the
      container.
      For example:
      <code>13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de</code>.'
    recommended: true
  image:
    name: image
    description: The container image used as a template to run the container.
    recommended: true
  labels:
    name: labels
    description: The list of labels associated to the container.
  name:
    name: name
    description: The container name.
    recommended: true
  size:
    name: size
    description: The size of the container image.
    recommended: true
  tag:
    name: tag
    description: The tag used by the container. It can indicate version, format, OS.
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      container.
  uid:
    name: uid
    description: 'The full container unique identifier for this instantiation of the
      container.
      For example:
      <code>ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf</code>.'
    recommended: true
attributes:
  hash:
    name: hash
    description: 'Commit hash of image created for docker or the SHA256 hash of the
      container.
      For example:
      <code>13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hash
    rank: 1000
    alias: hash
    owner: Container
    domain_of:
    - Package
    - SoftwareComponent
    - Container
    range: Fingerprint
    recommended: true
  image:
    name: image
    description: The container image used as a template to run the container.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Image
    rank: 1000
    alias: image
    owner: Container
    domain_of:
    - Container
    - Device
    range: Image
    recommended: true
  labels:
    name: labels
    description: The list of labels associated to the container.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Labels
    rank: 1000
    alias: labels
    owner: Container
    domain_of:
    - Osint
    - Resource
    - Account
    - ApplicationObject
    - Container
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: string
    multivalued: true
  name:
    name: name
    description: The container name.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Container
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  network_driver:
    name: network_driver
    description: 'The network driver used by the container. For example, bridge, overlay,
      host,
      none, etc.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Driver
    rank: 1000
    alias: network_driver
    owner: Container
    domain_of:
    - Container
    range: string
  orchestrator:
    name: orchestrator
    description: The orchestrator managing the container, such as ECS, EKS, K8s, or
      OpenShift.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Orchestrator
    rank: 1000
    alias: orchestrator
    owner: Container
    domain_of:
    - Container
    range: string
  pod_uuid:
    name: pod_uuid
    description: 'The unique identifier of the pod (or equivalent) that the container
      is
      executing on.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Pod UUID
    rank: 1000
    alias: pod_uuid
    owner: Container
    domain_of:
    - Container
    range: UuidT
  runtime:
    name: runtime
    description: The backend running the container, such as containerd or cri-o.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Runtime
    rank: 1000
    alias: runtime
    owner: Container
    domain_of:
    - Container
    range: string
  size:
    name: size
    description: The size of the container image.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Size
    rank: 1000
    alias: size
    owner: Container
    domain_of:
    - Advisory
    - Container
    - DataClassification
    - Database
    - Databucket
    - Email
    - File
    - KbArticle
    - Table
    - MalwareScanInfo
    - MemoryActivity
    range: integer
    recommended: true
  tag:
    name: tag
    description: The tag used by the container. It can indicate version, format, OS.
    deprecated: Use the <code>labels or tags</code> attribute instead. (since 1.4.0)
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Image Tag
    rank: 1000
    alias: tag
    owner: Container
    domain_of:
    - Container
    - Image
    range: string
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated to the
      container.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tags
    rank: 1000
    alias: tags
    owner: Container
    domain_of:
    - RelatedEvent
    - Resource
    - Account
    - ApplicationObject
    - Container
    - File
    - FindingInfo
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: KeyValueObject
    multivalued: true
  uid:
    name: uid
    description: 'The full container unique identifier for this instantiation of the
      container.
      For example:
      <code>ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Container
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        uid:
          name: uid
          required: true
    - slot_conditions:
        name:
          name: name
          required: true
  description: 'OCSF at_least_one: at least one of [''uid'', ''name''] must be set.'
```