
Class: Evidences

A collection of evidence artifacts associated to the activity/activities that triggered a security detection.

URI: ocsf:Evidences

classDiagram
    class Evidences
    click Evidences href "../Evidences/"
      Entity <|-- Evidences
        click Entity href "../Entity/"
      Evidences <|-- WindowsEvidences
        click WindowsEvidences href "../WindowsEvidences/"
      Evidences : actor
        Evidences --> "0..1 _recommended_" Actor : actor
        click Actor href "../Actor/"
      Evidences : api
        Evidences --> "0..1 _recommended_" Api : api
        click Api href "../Api/"
      Evidences : connection_info
        Evidences --> "0..1 _recommended_" NetworkConnectionInfo : connection_info
        click NetworkConnectionInfo href "../NetworkConnectionInfo/"
      Evidences : container
        Evidences --> "0..1 _recommended_" Container : container
        click Container href "../Container/"
      Evidences : data
      Evidences : database
        Evidences --> "0..1 _recommended_" Database : database
        click Database href "../Database/"
      Evidences : databucket
        Evidences --> "0..1 _recommended_" Databucket : databucket
        click Databucket href "../Databucket/"
      Evidences : device
        Evidences --> "0..1 _recommended_" Device : device
        click Device href "../Device/"
      Evidences : dst_endpoint
        Evidences --> "0..1 _recommended_" NetworkEndpoint : dst_endpoint
        click NetworkEndpoint href "../NetworkEndpoint/"
      Evidences : email
        Evidences --> "0..1 _recommended_" Email : email
        click Email href "../Email/"
      Evidences : file
        Evidences --> "0..1 _recommended_" File : file
        click File href "../File/"
      Evidences : http_request
        Evidences --> "0..1 _recommended_" HttpRequest : http_request
        click HttpRequest href "../HttpRequest/"
      Evidences : http_response
        Evidences --> "0..1 _recommended_" HttpResponse : http_response
        click HttpResponse href "../HttpResponse/"
      Evidences : ja4_fingerprint_list
        Evidences --> "* _recommended_" Ja4Fingerprint : ja4_fingerprint_list
        click Ja4Fingerprint href "../Ja4Fingerprint/"
      Evidences : job
        Evidences --> "0..1 _recommended_" Job : job
        click Job href "../Job/"
      Evidences : name
      Evidences : process
        Evidences --> "0..1 _recommended_" Process : process
        click Process href "../Process/"
      Evidences : query
        Evidences --> "0..1 _recommended_" DnsQuery : query
        click DnsQuery href "../DnsQuery/"
      Evidences : resources
        Evidences --> "* _recommended_" ResourceDetails : resources
        click ResourceDetails href "../ResourceDetails/"
      Evidences : script
        Evidences --> "0..1 _recommended_" Script : script
        click Script href "../Script/"
      Evidences : src_endpoint
        Evidences --> "0..1 _recommended_" NetworkEndpoint : src_endpoint
        click NetworkEndpoint href "../NetworkEndpoint/"
      Evidences : tls
        Evidences --> "0..1 _recommended_" Tls : tls
        click Tls href "../Tls/"
      Evidences : uid
      Evidences : url
        Evidences --> "0..1 _recommended_" Url : url
        click Url href "../Url/"
      Evidences : user
        Evidences --> "0..1 _recommended_" User : user
        click User href "../User/"
      Evidences : verdict
      Evidences : verdict_id
        Evidences --> "0..1" EvidencesVerdictIdEnum : verdict_id
        click EvidencesVerdictIdEnum href "../EvidencesVerdictIdEnum/"

Inheritance

  • Entity
      • Evidences
          • WindowsEvidences

Slots

| Name | Cardinality | Range | Description | Inheritance |
|---|---|---|---|---|
| actor | 0..1 recommended | Actor | Describes details about the user/role/process that was the source of the activity that triggered the detection. | direct |
| api | 0..1 recommended | Api | Describes details about the API call associated to the activity that triggered the detection. | direct |
| connection_info | 0..1 recommended | NetworkConnectionInfo | Describes details about the network connection associated to the activity that triggered the detection. | direct |
| container | 0..1 recommended | Container | Describes details about the container associated to the activity that triggered the detection. | direct |
| data | 0..1 | String | Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary. | direct |
| database | 0..1 recommended | Database | Describes details about the database associated to the activity that triggered the detection. | direct |
| databucket | 0..1 recommended | Databucket | Describes details about the databucket associated to the activity that triggered the detection. | direct |
| device | 0..1 recommended | Device | An addressable device, computer system or host associated to the activity that triggered the detection. | direct |
| dst_endpoint | 0..1 recommended | NetworkEndpoint | Describes details about the destination of the network activity that triggered the detection. | direct |
| email | 0..1 recommended | Email | The email object associated to the activity that triggered the detection. | direct |
| file | 0..1 recommended | File | Describes details about the file associated to the activity that triggered the detection. | direct |
| http_request | 0..1 recommended | HttpRequest | Describes details about the http request associated to the activity that triggered the detection. | direct |
| http_response | 0..1 recommended | HttpResponse | Describes details about the http response associated to the activity that triggered the detection. | direct |
| ja4_fingerprint_list | * recommended | Ja4Fingerprint | Describes details about the JA4+ fingerprints that triggered the detection. | direct |
| job | 0..1 recommended | Job | Describes details about the scheduled job that was associated with the activity that triggered the detection. | direct |
| name | 0..1 recommended | String | The naming convention or type identifier of the evidence associated with the security detection. For example, the `@odata.type` from Microsoft Graph Alerts V2 or `display_name` from CrowdStrike Falcon Incident Behaviors. | direct |
| process | 0..1 recommended | Process | Describes details about the process associated to the activity that triggered the detection. | direct |
| query | 0..1 recommended | DnsQuery | Describes details about the DNS query associated to the activity that triggered the detection. | direct |
| resources | * recommended | ResourceDetails | Describes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use `Affected Resources` at the top-level of the finding. | direct |
| script | 0..1 recommended | Script | Describes details about the script that was associated with the activity that triggered the detection. | direct |
| src_endpoint | 0..1 recommended | NetworkEndpoint | Describes details about the source of the network activity that triggered the detection. | direct |
| tls | 0..1 recommended | Tls | Describes details about the Transport Layer Security (TLS) activity that triggered the detection. | direct |
| uid | 0..1 recommended | String | The unique identifier of the evidence associated with the security detection. For example, the `activity_id` from CrowdStrike Falcon Alerts or `behavior_id` from CrowdStrike Falcon Incident Behaviors. | direct |
| url | 0..1 recommended | Url | The URL object that pertains to the event or object associated to the activity that triggered the detection. | direct |
| user | 0..1 recommended | User | Describes details about the user that was the target or somehow else associated with the activity that triggered the detection. | direct |
| verdict | 0..1 | String | The normalized verdict of the evidence associated with the security detection. | direct |
| verdict_id | 0..1 | EvidencesVerdictIdEnum | The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a `verdict` enumeration for each type of `evidence` associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding. | direct |

Usages

| used by | used in | type | used |
|---|---|---|---|
| ComplianceFinding | evidences | range | Evidences |
| DetectionFinding | evidences | range | Evidences |

Rules

| Rule | Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|---|
| OCSF at_least_one | | | any_of over slot_conditions, each alternative marking one slot as `required: True`: actor, api, connection_info, data, database, databucket, device, dst_endpoint, email, file, process, query, resources, src_endpoint, url, user, job, script | |
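The rule above (and the `ocsf_constraints` annotation further down) says an `evidences` object is only valid when at least one of the eighteen listed slots carries data; note that `container`, `http_request`, `http_response`, `ja4_fingerprint_list`, `tls`, `name`, `uid`, `verdict` and `verdict_id` are declared on the class but are not in that list, so an object holding only those fails. The checker below is an added example, not code from the OCSF project or this LinkML page; the slot lists are copied from the page, and the sample finding is constructed for illustration.

```python
"""Validate the OCSF `at_least_one` constraint on `evidences` objects.

Added example (not OCSF or LinkML project code). The slot names below are
copied from the Evidences class page; the sample finding is constructed.
"""
from __future__ import annotations

from typing import Any

# Copied from the page's ocsf_constraints annotation for the Evidences class.
AT_LEAST_ONE = (
    "actor", "api", "connection_info", "data", "database", "databucket",
    "device", "dst_endpoint", "email", "file", "process", "query",
    "resources", "src_endpoint", "url", "user", "job", "script",
)

# Remaining slots the class declares; on their own they do NOT satisfy the rule.
NOT_SUFFICIENT = (
    "container", "http_request", "http_response", "ja4_fingerprint_list",
    "name", "tls", "uid", "verdict", "verdict_id",
)


def is_set(value: Any) -> bool:
    """A slot counts as set only when it carries data: None, "", {} and [] do not."""
    if value is None:
        return False
    if isinstance(value, (str, bytes, list, dict, tuple)):
        return len(value) > 0
    return True


def check_evidence(evidence: dict[str, Any]) -> list[str]:
    """Return the problems found in one evidences object (empty list means valid)."""
    problems: list[str] = []
    satisfied = [s for s in AT_LEAST_ONE if is_set(evidence.get(s))]
    if not satisfied:
        present = sorted(k for k, v in evidence.items() if is_set(v))
        problems.append(
            f"at_least_one violated: none of {list(AT_LEAST_ONE)} is set "
            f"(present: {present})"
        )
    # Lint, not a schema rule: the page says to use `data` only when absolutely
    # necessary, so flag it when a typed evidence slot was populated as well.
    if is_set(evidence.get("data")) and len(satisfied) > 1:
        problems.append("data used alongside typed evidence slots; prefer typed slots")
    unknown = sorted(k for k in evidence if k not in AT_LEAST_ONE + NOT_SUFFICIENT)
    if unknown:
        problems.append(f"unknown evidences attributes: {unknown}")
    return problems


def check_finding(finding: dict[str, Any]) -> dict[int, list[str]]:
    """Validate every element of a finding's `evidences` array, keyed by index.

    Only elements with problems appear in the result.
    """
    results: dict[int, list[str]] = {}
    for i, ev in enumerate(finding.get("evidences") or []):
        if not isinstance(ev, dict):
            results[i] = ["evidences element is not an object"]
            continue
        problems = check_evidence(ev)
        if problems:
            results[i] = problems
    return results


# Constructed sample finding; names and values are illustrative only.
SAMPLE_FINDING: dict[str, Any] = {
    "finding_info": {"title": "constructed sample detection"},
    "evidences": [
        # valid: file and process are both in the at_least_one list
        {"uid": "ev-1", "name": "#microsoft.graph.security.fileEvidence",
         "file": {"name": "invoice.docm"},
         "process": {"pid": 4321, "name": "WINWORD.EXE"}},
        # invalid: http_request is a declared slot but not in the list
        {"uid": "ev-2", "name": "http-evidence",
         "http_request": {"http_method": "POST"}},
        # valid per schema, but the catch-all `data` sits next to a typed slot
        {"uid": "ev-3", "data": "{\"raw\": \"vendor blob\"}",
         "user": {"name": "alice"}},
        # invalid: an empty multivalued `resources` does not count as set
        {"uid": "ev-4", "resources": []},
    ],
}

if __name__ == "__main__":
    for idx, probs in sorted(check_finding(SAMPLE_FINDING).items()):
        print(f"evidences[{idx}]:")
        for p in probs:
            print(f"  - {p}")
```

Run as a script it reports elements 1, 2 and 3 of the sample; element 0 passes. Treating empty strings and empty arrays as unset matters for the two `*` slots (`resources`, `ja4_fingerprint_list`), which producers often emit as `[]` when nothing was collected.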

In Subsets

  • objects_subset

Aliases

  • Evidence Artifacts

Identifier and Mapping Information

Annotations

| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["actor", "api", "connection_info", "data", "database", "databucket", "device", "dst_endpoint", "email", "file", "process", "query", "resources", "src_endpoint", "url", "user", "job", "script"]} |

Schema Source

  • from_schema: https://w3id.org/lmodel/ocsf

Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Evidences |
| native | ocsf:Evidences |

LinkML Source

Direct

name: Evidences
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["actor", "api", "connection_info", "data", "database",

      "databucket", "device", "dst_endpoint", "email", "file", "process", "query",

      "resources", "src_endpoint", "url", "user", "job", "script"]}'
description: 'A collection of evidence artifacts associated to the activity/activities
  that

  triggered a security detection.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Evidence Artifacts
is_a: Entity
slots:
- actor
- api
- connection_info
- container
- data
- database
- databucket
- device
- dst_endpoint
- email
- file
- http_request
- http_response
- ja4_fingerprint_list
- job
- name
- process
- query
- resources
- script
- src_endpoint
- tls
- uid
- url
- user
- verdict
- verdict_id
slot_usage:
  actor:
    name: actor
    description: 'Describes details about the user/role/process that was the source
      of the

      activity that triggered the detection.'
    recommended: true
  api:
    name: api
    description: 'Describes details about the API call associated to the activity
      that triggered

      the detection.'
    recommended: true
  connection_info:
    name: connection_info
    description: 'Describes details about the network connection associated to the
      activity that

      triggered the detection.'
    recommended: true
  container:
    name: container
    description: 'Describes details about the container associated to the activity
      that triggered

      the detection.'
    recommended: true
  data:
    name: data
    description: 'Additional evidence data that is not accounted for in the specific
      evidence

      attributes.<code> Use only when absolutely necessary.</code>'
  database:
    name: database
    description: 'Describes details about the database associated to the activity
      that triggered

      the detection.'
    recommended: true
  databucket:
    name: databucket
    description: 'Describes details about the databucket associated to the activity
      that

      triggered the detection.'
    recommended: true
  device:
    name: device
    description: 'An addressable device, computer system or host associated to the
      activity that

      triggered the detection.'
    recommended: true
  dst_endpoint:
    name: dst_endpoint
    description: 'Describes details about the destination of the network activity
      that triggered

      the detection.'
    recommended: true
  email:
    name: email
    description: The email object associated to the activity that triggered the detection.
    recommended: true
  file:
    name: file
    description: 'Describes details about the file associated to the activity that
      triggered the

      detection.'
    recommended: true
  http_request:
    name: http_request
    description: 'Describes details about the http request associated to the activity
      that

      triggered the detection.'
    recommended: true
  http_response:
    name: http_response
    description: 'Describes details about the http response associated to the activity
      that

      triggered the detection.'
    recommended: true
  ja4_fingerprint_list:
    name: ja4_fingerprint_list
    description: Describes details about the JA4+ fingerprints that triggered the
      detection.
    recommended: true
  job:
    name: job
    description: 'Describes details about the scheduled job that was associated with
      the activity

      that triggered the detection.'
    recommended: true
  name:
    name: name
    description: 'The naming convention or type identifier of the evidence associated
      with the

      security detection. For example, the <code>@odata.type</code> from Microsoft

      Graph Alerts V2 or <code>display_name</code> from CrowdStrike Falcon Incident

      Behaviors.'
  process:
    name: process
    description: 'Describes details about the process associated to the activity that
      triggered

      the detection.'
    recommended: true
  query:
    name: query
    description: 'Describes details about the DNS query associated to the activity
      that triggered

      the detection.'
    recommended: true
  resources:
    name: resources
    description: 'Describes details about the cloud resources directly related to
      activity that

      triggered the detection. For resources impacted by the detection, use

      <code>Affected Resources</code> at the top-level of the finding.'
    recommended: true
  script:
    name: script
    description: 'Describes details about the script that was associated with the
      activity that

      triggered the detection.'
    recommended: true
  src_endpoint:
    name: src_endpoint
    description: 'Describes details about the source of the network activity that
      triggered the

      detection.'
    recommended: true
  tls:
    name: tls
    description: 'Describes details about the Transport Layer Security (TLS) activity
      that

      triggered the detection.'
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the evidence associated with the security
      detection.

      For example, the <code>activity_id</code> from CrowdStrike Falcon Alerts or

      <code>behavior_id</code> from CrowdStrike Falcon Incident Behaviors.'
  url:
    name: url
    description: 'The URL object that pertains to the event or object associated to
      the activity

      that triggered the detection.'
    recommended: true
  user:
    name: user
    description: 'Describes details about the user that was the target or somehow
      else associated

      with the activity that triggered the detection.'
    recommended: true
  verdict:
    name: verdict
    description: The normalized verdict of the evidence associated with the security
      detection.
  verdict_id:
    name: verdict_id
    description: 'The normalized verdict (or status) ID of the evidence associated
      with the

      security detection. For example, Microsoft Graph Security Alerts contain a

      <code>verdict</code> enumeration for each type of <code>evidence</code>

      associated with the Alert. This is typically set by an automated investigation

      process or an analyst/investigator assigned to the finding.'
    range: EvidencesVerdictIdEnum
rules:
- postconditions:
    any_of:
    - slot_conditions:
        actor:
          name: actor
          required: true
    - slot_conditions:
        api:
          name: api
          required: true
    - slot_conditions:
        connection_info:
          name: connection_info
          required: true
    - slot_conditions:
        data:
          name: data
          required: true
    - slot_conditions:
        database:
          name: database
          required: true
    - slot_conditions:
        databucket:
          name: databucket
          required: true
    - slot_conditions:
        device:
          name: device
          required: true
    - slot_conditions:
        dst_endpoint:
          name: dst_endpoint
          required: true
    - slot_conditions:
        email:
          name: email
          required: true
    - slot_conditions:
        file:
          name: file
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        query:
          name: query
          required: true
    - slot_conditions:
        resources:
          name: resources
          required: true
    - slot_conditions:
        src_endpoint:
          name: src_endpoint
          required: true
    - slot_conditions:
        url:
          name: url
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        script:
          name: script
          required: true
  description: 'OCSF at_least_one: at least one of [''actor'', ''api'', ''connection_info'',
    ''data'',

    ''database'', ''databucket'', ''device'', ''dst_endpoint'', ''email'', ''file'',
    ''process'',

    ''query'', ''resources'', ''src_endpoint'', ''url'', ''user'', ''job'', ''script'']
    must be

    set.'

Induced

name: Evidences
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["actor", "api", "connection_info", "data", "database",

      "databucket", "device", "dst_endpoint", "email", "file", "process", "query",

      "resources", "src_endpoint", "url", "user", "job", "script"]}'
description: 'A collection of evidence artifacts associated to the activity/activities
  that

  triggered a security detection.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Evidence Artifacts
is_a: Entity
slot_usage:
  actor:
    name: actor
    description: 'Describes details about the user/role/process that was the source
      of the

      activity that triggered the detection.'
    recommended: true
  api:
    name: api
    description: 'Describes details about the API call associated to the activity
      that triggered

      the detection.'
    recommended: true
  connection_info:
    name: connection_info
    description: 'Describes details about the network connection associated to the
      activity that

      triggered the detection.'
    recommended: true
  container:
    name: container
    description: 'Describes details about the container associated to the activity
      that triggered

      the detection.'
    recommended: true
  data:
    name: data
    description: 'Additional evidence data that is not accounted for in the specific
      evidence

      attributes.<code> Use only when absolutely necessary.</code>'
  database:
    name: database
    description: 'Describes details about the database associated to the activity
      that triggered

      the detection.'
    recommended: true
  databucket:
    name: databucket
    description: 'Describes details about the databucket associated to the activity
      that

      triggered the detection.'
    recommended: true
  device:
    name: device
    description: 'An addressable device, computer system or host associated to the
      activity that

      triggered the detection.'
    recommended: true
  dst_endpoint:
    name: dst_endpoint
    description: 'Describes details about the destination of the network activity
      that triggered

      the detection.'
    recommended: true
  email:
    name: email
    description: The email object associated to the activity that triggered the detection.
    recommended: true
  file:
    name: file
    description: 'Describes details about the file associated to the activity that
      triggered the

      detection.'
    recommended: true
  http_request:
    name: http_request
    description: 'Describes details about the http request associated to the activity
      that

      triggered the detection.'
    recommended: true
  http_response:
    name: http_response
    description: 'Describes details about the http response associated to the activity
      that

      triggered the detection.'
    recommended: true
  ja4_fingerprint_list:
    name: ja4_fingerprint_list
    description: Describes details about the JA4+ fingerprints that triggered the
      detection.
    recommended: true
  job:
    name: job
    description: 'Describes details about the scheduled job that was associated with
      the activity

      that triggered the detection.'
    recommended: true
  name:
    name: name
    description: 'The naming convention or type identifier of the evidence associated
      with the

      security detection. For example, the <code>@odata.type</code> from Microsoft

      Graph Alerts V2 or <code>display_name</code> from CrowdStrike Falcon Incident

      Behaviors.'
  process:
    name: process
    description: 'Describes details about the process associated to the activity that
      triggered

      the detection.'
    recommended: true
  query:
    name: query
    description: 'Describes details about the DNS query associated to the activity
      that triggered

      the detection.'
    recommended: true
  resources:
    name: resources
    description: 'Describes details about the cloud resources directly related to
      activity that

      triggered the detection. For resources impacted by the detection, use

      <code>Affected Resources</code> at the top-level of the finding.'
    recommended: true
  script:
    name: script
    description: 'Describes details about the script that was associated with the
      activity that

      triggered the detection.'
    recommended: true
  src_endpoint:
    name: src_endpoint
    description: 'Describes details about the source of the network activity that
      triggered the

      detection.'
    recommended: true
  tls:
    name: tls
    description: 'Describes details about the Transport Layer Security (TLS) activity
      that

      triggered the detection.'
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the evidence associated with the security
      detection.

      For example, the <code>activity_id</code> from CrowdStrike Falcon Alerts or

      <code>behavior_id</code> from CrowdStrike Falcon Incident Behaviors.'
  url:
    name: url
    description: 'The URL object that pertains to the event or object associated to
      the activity

      that triggered the detection.'
    recommended: true
  user:
    name: user
    description: 'Describes details about the user that was the target or somehow
      else associated

      with the activity that triggered the detection.'
    recommended: true
  verdict:
    name: verdict
    description: The normalized verdict of the evidence associated with the security
      detection.
  verdict_id:
    name: verdict_id
    description: 'The normalized verdict (or status) ID of the evidence associated
      with the

      security detection. For example, Microsoft Graph Security Alerts contain a

      <code>verdict</code> enumeration for each type of <code>evidence</code>

      associated with the Alert. This is typically set by an automated investigation

      process or an analyst/investigator assigned to the finding.'
    range: EvidencesVerdictIdEnum
attributes:
  actor:
    name: actor
    description: 'Describes details about the user/role/process that was the source
      of the

      activity that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Actor
    rank: 1000
    alias: actor
    owner: Evidences
    domain_of:
    - Evidences
    - HostProfile
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - ConfigState
    - DeviceConfigStateChange
    - InventoryInfo
    - OsintInventoryInfo
    - SoftwareInfo
    - UserInventory
    - DataSecurityFinding
    - IamEvent
    - NetworkFileActivity
    - SystemEvent
    - EventLogActvity
    - FileActivity
    - KernelExtensionActivity
    - ModuleActivity
    - ProcessActivity
    - ScheduledJobActivity
    - RegistryKeyActivity
    - RegistryValueActivity
    range: Actor
    recommended: true
  api:
    name: api
    description: 'Describes details about the API call associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - API Details
    rank: 1000
    alias: api
    owner: Evidences
    domain_of:
    - Evidences
    - CloudProfile
    - ApiActivity
    range: Api
    recommended: true
  connection_info:
    name: connection_info
    description: 'Describes details about the network connection associated to the
      activity that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Connection Info
    rank: 1000
    alias: connection_info
    owner: Evidences
    domain_of:
    - QueryEvidence
    - Evidences
    - FileHosting
    - NetworkConnectionQuery
    - NetworkEvent
    - DnsActivity
    - NetworkFileActivity
    - RdpActivity
    - TunnelActivity
    - NetworkRemediationActivity
    - UnmannedSystemsEvent
    range: NetworkConnectionInfo
    recommended: true
  container:
    name: container
    description: 'Describes details about the container associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: Evidences
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  data:
    name: data
    description: 'Additional evidence data that is not accounted for in the specific
      evidence

      attributes.<code> Use only when absolutely necessary.</code>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data
    rank: 1000
    alias: data
    owner: Evidences
    domain_of:
    - Request
    - Response
    - TlsExtension
    - Resource
    - ApplicationObject
    - Edge
    - Enrichment
    - Evidences
    - ManagedEntity
    - Node
    - Policy
    - QueryInfo
    - WebResource
    - RegValue
    range: string
  database:
    name: database
    description: 'Describes details about the database associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Database
    rank: 1000
    alias: database
    owner: Evidences
    domain_of:
    - Evidences
    - DatastoreActivity
    - CloudResourcesInventoryInfo
    - DataSecurityFinding
    range: Database
    recommended: true
  databucket:
    name: databucket
    description: 'Describes details about the databucket associated to the activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Databucket
    rank: 1000
    alias: databucket
    owner: Evidences
    domain_of:
    - Evidences
    - DatastoreActivity
    - CloudResourcesInventoryInfo
    - DataSecurityFinding
    range: Databucket
    recommended: true
  device:
    name: device
    description: 'An addressable device, computer system or host associated to the
      activity that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Device
    rank: 1000
    alias: device
    owner: Evidences
    domain_of:
    - AuthFactor
    - Evidences
    - Logger
    - ManagedEntity
    - HostProfile
    - ConfigState
    - DeviceConfigStateChange
    - EvidenceInfo
    - InventoryInfo
    - PatchState
    - SoftwareInfo
    - DataSecurityFinding
    - Finding
    - RdpActivity
    - TunnelActivity
    - SystemEvent
    - EventLogActvity
    range: Device
    recommended: true
  dst_endpoint:
    name: dst_endpoint
    description: 'Describes details about the destination of the network activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Destination Endpoint
    rank: 1000
    alias: dst_endpoint
    owner: Evidences
    domain_of:
    - Evidences
    - LoadBalancer
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourcesActivity
    - DataSecurityFinding
    - Authentication
    - AuthorizeSession
    - NetworkEvent
    - DhcpActivity
    - DnsActivity
    - EmailActivity
    - NetworkActivity
    - NetworkFileActivity
    - TunnelActivity
    - EventLogActvity
    - UnmannedSystemsEvent
    - AirborneBroadcastActivity
    range: NetworkEndpoint
    recommended: true
  email:
    name: email
    description: The email object associated to the activity that triggered the detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Email
    rank: 1000
    alias: email
    owner: Evidences
    domain_of:
    - Osint
    - Evidences
    - ManagedEntity
    - EmailActivity
    range: Email
    recommended: true
  file:
    name: file
    description: 'Describes details about the file associated to the activity that
      triggered the

      detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: Evidences
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  http_request:
    name: http_request
    description: 'Describes details about the http request associated to the activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - HTTP Request
    rank: 1000
    alias: http_request
    owner: Evidences
    domain_of:
    - Evidences
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourceAccessActivity
    - WebResourcesActivity
    - IamEvent
    - HttpActivity
    range: HttpRequest
    recommended: true
  http_response:
    name: http_response
    description: 'Describes details about the http response associated to the activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - HTTP Response
    rank: 1000
    alias: http_response
    owner: Evidences
    domain_of:
    - Evidences
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourceAccessActivity
    - WebResourcesActivity
    - IamEvent
    - HttpActivity
    range: HttpResponse
    recommended: true
  ja4_fingerprint_list:
    name: ja4_fingerprint_list
    description: Describes details about the JA4+ fingerprints that triggered the
      detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - JA4+ Fingerprints
    rank: 1000
    alias: ja4_fingerprint_list
    owner: Evidences
    domain_of:
    - Evidences
    - NetworkEvent
    range: Ja4Fingerprint
    recommended: true
    multivalued: true
  job:
    name: job
    description: 'Describes details about the scheduled job that was associated with
      the activity

      that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Job
    rank: 1000
    alias: job
    owner: Evidences
    domain_of:
    - QueryEvidence
    - StartupItem
    - Evidences
    - JobQuery
    - ScheduledJobActivity
    range: Job
    recommended: true
  name:
    name: name
    description: 'The naming convention or type identifier of the evidence associated
      with the

      security detection. For example, the <code>@odata.type</code> from Microsoft

      Graph Alerts V2 or <code>display_name</code> from CrowdStrike Falcon Incident

      Behaviors.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Evidences
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  process:
    name: process
    description: 'Describes details about the process associated to the activity that
      triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process
    rank: 1000
    alias: process
    owner: Evidences
    domain_of:
    - QueryEvidence
    - StartupItem
    - Actor
    - Evidences
    - ModuleQuery
    - NetworkConnectionQuery
    - ProcessQuery
    - SecurityFinding
    - ProcessRemediationActivity
    - MemoryActivity
    - ProcessActivity
    range: Process
    recommended: true
  query:
    name: query
    description: 'Describes details about the DNS query associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - DNS Query
    rank: 1000
    alias: query
    owner: Evidences
    domain_of:
    - Evidences
    - DnsActivity
    range: DnsQuery
    recommended: true
  resources:
    name: resources
    description: 'Describes details about the cloud resources directly related to
      activity that

      triggered the detection. For resources impacted by the detection, use

      <code>Affected Resources</code> at the top-level of the finding.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Resources Array
    rank: 1000
    alias: resources
    owner: Evidences
    domain_of:
    - Evidences
    - ApiActivity
    - CloudResourcesInventoryInfo
    - ApplicationSecurityPostureFinding
    - ComplianceFinding
    - DataSecurityFinding
    - DetectionFinding
    - IamAnalysisFinding
    - SecurityFinding
    - VulnerabilityFinding
    - UserAccess
    range: ResourceDetails
    recommended: true
    multivalued: true
  script:
    name: script
    description: 'Describes details about the script that was associated with the
      activity that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Script
    rank: 1000
    alias: script
    owner: Evidences
    domain_of:
    - Osint
    - Evidences
    - ScriptActivity
    range: Script
    recommended: true
  src_endpoint:
    name: src_endpoint
    description: 'Describes details about the source of the network activity that
      triggered the

      detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Source Endpoint
    rank: 1000
    alias: src_endpoint
    owner: Evidences
    domain_of:
    - Evidences
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourceAccessActivity
    - WebResourcesActivity
    - DataSecurityFinding
    - IamEvent
    - NetworkEvent
    - DhcpActivity
    - EmailActivity
    - NetworkActivity
    - NetworkFileActivity
    - TunnelActivity
    - EventLogActvity
    - UnmannedSystemsEvent
    - AirborneBroadcastActivity
    - DroneFlightsActivity
    range: NetworkEndpoint
    recommended: true
  tls:
    name: tls
    description: 'Describes details about the Transport Layer Security (TLS) activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - TLS
    rank: 1000
    alias: tls
    owner: Evidences
    domain_of:
    - Evidences
    - WebResourceAccessActivity
    - WebResourcesActivity
    - NetworkEvent
    - UnmannedSystemsEvent
    range: Tls
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the evidence associated with the security
      detection.

      For example, the <code>activity_id</code> from CrowdStrike Falcon Alerts or

      <code>behavior_id</code> from CrowdStrike Falcon Incident Behaviors.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Evidences
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  url:
    name: url
    description: 'The URL object that pertains to the event or object associated to
      the activity

      that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - URL
    rank: 1000
    alias: url
    owner: Evidences
    domain_of:
    - ApplicationObject
    - Evidences
    - File
    - HttpRequest
    - EmailUrlActivity
    - NetworkActivity
    range: Url
    recommended: true
  user:
    name: user
    description: 'Describes details about the user that was the target or somehow
      else associated

      with the activity that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: Evidences
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
  verdict:
    name: verdict
    description: The normalized verdict of the evidence associated with the security
      detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Verdict
    rank: 1000
    alias: verdict
    owner: Evidences
    domain_of:
    - Evidences
    - IncidentProfile
    - IncidentFinding
    range: string
  verdict_id:
    name: verdict_id
    annotations:
      sibling:
        tag: sibling
        value: verdict
    description: 'The normalized verdict (or status) ID of the evidence associated
      with the

      security detection. For example, Microsoft Graph Security Alerts contain a

      <code>verdict</code> enumeration for each type of <code>evidence</code>

      associated with the Alert. This is typically set by an automated investigation

      process or an analyst/investigator assigned to the finding.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Verdict ID
    rank: 1000
    alias: verdict_id
    owner: Evidences
    domain_of:
    - Evidences
    - IncidentProfile
    - IncidentFinding
    range: EvidencesVerdictIdEnum
rules:
- postconditions:
    any_of:
    - slot_conditions:
        actor:
          name: actor
          required: true
    - slot_conditions:
        api:
          name: api
          required: true
    - slot_conditions:
        connection_info:
          name: connection_info
          required: true
    - slot_conditions:
        data:
          name: data
          required: true
    - slot_conditions:
        database:
          name: database
          required: true
    - slot_conditions:
        databucket:
          name: databucket
          required: true
    - slot_conditions:
        device:
          name: device
          required: true
    - slot_conditions:
        dst_endpoint:
          name: dst_endpoint
          required: true
    - slot_conditions:
        email:
          name: email
          required: true
    - slot_conditions:
        file:
          name: file
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        query:
          name: query
          required: true
    - slot_conditions:
        resources:
          name: resources
          required: true
    - slot_conditions:
        src_endpoint:
          name: src_endpoint
          required: true
    - slot_conditions:
        url:
          name: url
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        script:
          name: script
          required: true
  description: 'OCSF at_least_one: at least one of [''actor'', ''api'', ''connection_info'',
    ''data'',

    ''database'', ''databucket'', ''device'', ''dst_endpoint'', ''email'', ''file'',
    ''process'',

    ''query'', ''resources'', ''src_endpoint'', ''url'', ''user'', ''job'', ''script'']
    must be

    set.'