
Enum: EvidencesVerdictIdEnum

The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.

URI: ocsf:EvidencesVerdictIdEnum

Permissible Values

Value               Meaning  Description
UNKNOWN             None     The type is unknown.
FALSE_POSITIVE      None     The verdict for the evidence has been identified as a False Positive.
TRUE_POSITIVE       None     The verdict for the evidence has been identified as a True Positive.
DISREGARD           None     The verdict for the evidence is that it should be Disregarded.
SUSPICIOUS          None     The verdict for the evidence is that the behavior has been identified as Suspicious.
BENIGN              None     The verdict for the evidence is that the behavior has been identified as Benign.
TEST                None     The evidence is part of a Test, or other sanctioned behavior(s).
INSUFFICIENT_DATA   None     There is insufficient data to render a verdict on the evidence.
SECURITY_RISK       None     The verdict for the evidence is that the behavior has been identified as a Security Risk.
MANAGED_EXTERNALLY  None     The verdict for the evidence is Managed Externally, such as in a case management tool.
DUPLICATE           None     This evidence duplicates existing evidence related to this finding.
OTHER               None     The type is not mapped. See the type attribute, which contains a data source specific value.

Slots

Name        Description
verdict_id  The normalized verdict (or status) ID of the evidence associated with the security detection.

Identifier and Mapping Information

Schema Source

LinkML Source

name: EvidencesVerdictIdEnum
description: 'The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a <code>verdict</code> enumeration for each type of <code>evidence</code> associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.'
from_schema: https://w3id.org/lmodel/ocsf
rank: 1000
permissible_values:
  UNKNOWN:
    text: UNKNOWN
    description: The type is unknown.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '0'
      caption:
        tag: caption
        value: Unknown
  FALSE_POSITIVE:
    text: FALSE_POSITIVE
    description: The verdict for the evidence has been identified as a False Positive.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '1'
      caption:
        tag: caption
        value: False Positive
  TRUE_POSITIVE:
    text: TRUE_POSITIVE
    description: The verdict for the evidence has been identified as a True Positive.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '2'
      caption:
        tag: caption
        value: True Positive
  DISREGARD:
    text: DISREGARD
    description: The verdict for the evidence is that it should be Disregarded.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '3'
      caption:
        tag: caption
        value: Disregard
  SUSPICIOUS:
    text: SUSPICIOUS
    description: 'The verdict for the evidence is that the behavior has been identified as Suspicious.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '4'
      caption:
        tag: caption
        value: Suspicious
  BENIGN:
    text: BENIGN
    description: 'The verdict for the evidence is that the behavior has been identified as Benign.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '5'
      caption:
        tag: caption
        value: Benign
  TEST:
    text: TEST
    description: The evidence is part of a Test, or other sanctioned behavior(s).
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '6'
      caption:
        tag: caption
        value: Test
  INSUFFICIENT_DATA:
    text: INSUFFICIENT_DATA
    description: There is insufficient data to render a verdict on the evidence.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '7'
      caption:
        tag: caption
        value: Insufficient Data
  SECURITY_RISK:
    text: SECURITY_RISK
    description: 'The verdict for the evidence is that the behavior has been identified as a Security Risk.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '8'
      caption:
        tag: caption
        value: Security Risk
  MANAGED_EXTERNALLY:
    text: MANAGED_EXTERNALLY
    description: 'The verdict for the evidence is Managed Externally, such as in a case management tool.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '9'
      caption:
        tag: caption
        value: Managed Externally
  DUPLICATE:
    text: DUPLICATE
    description: This evidence duplicates existing evidence related to this finding.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '10'
      caption:
        tag: caption
        value: Duplicate
  OTHER:
    text: OTHER
    description: 'The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '99'
      caption:
        tag: caption
        value: Other