Class: Module

The Module object describes the attributes of a module.

URI: ocsf:Module

classDiagram
    class Module
    click Module href "../Module/"
    Object <|-- Module
    click Object href "../Object/"
    Module : base_address
    Module : file
    Module --> "0..1 _recommended_" File : file
    click File href "../File/"
    Module : function_invocation
    Module --> "0..1" FunctionInvocation : function_invocation
    click FunctionInvocation href "../FunctionInvocation/"
    Module : function_name
    Module : load_type
    Module : load_type_id
    Module --> "0..1 _recommended_" ModuleLoadTypeIdEnum : load_type_id
    click ModuleLoadTypeIdEnum href "../ModuleLoadTypeIdEnum/"
    Module : start_address
    Module : type

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| base_address | 0..1 recommended, String | The memory address where the module was loaded | direct |
| file | 0..1 recommended, File | The module file object | direct |
| function_invocation | 0..1, FunctionInvocation | Details about the invocation of the function given in function_name | direct |
| function_name | 0..1 recommended, String | The invoked function in the module | direct |
| load_type | 0..1, String | The load type, normalized to the caption of the load_type_id value | direct |
| load_type_id | 0..1 recommended, ModuleLoadTypeIdEnum | The normalized identifier for how the module was loaded in memory | direct |
| start_address | 0..1 recommended, String | The start address of the execution | direct |
| type | 0..1 recommended, String | The module type | direct |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| QueryEvidence | module | range | Module |
| ModuleQuery | module | range | Module |
| ModuleActivity | module | range | Module |
| ProcessActivity | module | range | Module |
| WindowsQueryEvidence | module | range | Module |

Rules

Rule Applied Preconditions Postconditions Elseconditions
any_of [{'slot_conditions': {'load_type_id': {'required': True}}}, {'slot_conditions': {'function_name': {'required': True}}}]
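
The at_least_one rule above, checked in code together with the slot ranges and recommended flags from the Slots table. This is an added example, not part of the OCSF or LinkML tooling; `validate_module`, the sibling warning and the sample events are constructed for illustration.

```python
# Added example: slot names, ranges, recommended flags and the at_least_one rule
# come from this page; the function, the sibling warning and samples are constructed.
STRING_SLOTS = {"base_address", "function_name", "load_type", "start_address", "type"}
OBJECT_SLOTS = {"file", "function_invocation"}   # ranges File / FunctionInvocation
RECOMMENDED = {"base_address", "file", "function_name", "load_type_id",
               "start_address", "type"}
AT_LEAST_ONE = ("load_type_id", "function_name")  # ocsf_constraints annotation
# load_type_id has range ModuleLoadTypeIdEnum; its values are not listed on this
# page, so only its presence is checked here.
ALL_SLOTS = STRING_SLOTS | OBJECT_SLOTS | {"load_type_id"}


def _is_set(module, slot):
    """A slot counts as set only if it is present and not null or empty."""
    return module.get(slot) not in (None, "", {})


def validate_module(module):
    """Return (errors, warnings) for one Module object given as a dict."""
    errors, warnings = [], []
    for slot in sorted(set(module) - ALL_SLOTS):
        errors.append(f"unknown slot: {slot}")
    for slot in sorted(STRING_SLOTS & set(module)):
        if module[slot] is not None and not isinstance(module[slot], str):
            errors.append(f"{slot}: expected string")
    for slot in sorted(OBJECT_SLOTS & set(module)):
        if module[slot] is not None and not isinstance(module[slot], dict):
            errors.append(f"{slot}: expected object")
    # Rule: any_of(load_type_id required, function_name required).
    if not any(_is_set(module, s) for s in AT_LEAST_ONE):
        errors.append("at_least_one: set load_type_id or function_name")
    # Assumption of this example: a caption without its normalized id is suspect.
    if _is_set(module, "load_type") and not _is_set(module, "load_type_id"):
        warnings.append("load_type given without its sibling load_type_id")
    for slot in sorted(RECOMMENDED):
        if not _is_set(module, slot):
            warnings.append(f"recommended slot missing: {slot}")
    return errors, warnings


# Constructed sample events (all values are placeholders).
GOOD = {"base_address": "0x7ffb1a2c0000", "file": {"name": "example.dll"},
        "function_name": "DllMain", "load_type_id": 1,
        "start_address": "0x7ffb1a2c1000", "type": "DLL"}
BAD = {"base_address": 140716, "load_type": "Mapped"}
```

A normalizer can drop or quarantine events whose `errors` list is non-empty and count `warnings` per source to spot collectors that omit the recommended slots.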

In Subsets

Aliases

  • Module

Identifier and Mapping Information

Annotations

| property | value |
| --- | --- |
| ocsf_constraints | {"at_least_one": ["load_type_id", "function_name"]} |

Schema Source

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | ocsf:Module |
| native | ocsf:Module |
| close | uco_master:Library |

LinkML Source

Direct

name: Module
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["load_type_id", "function_name"]}'
description: The Module object describes the attributes of a module.
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Module
close_mappings:
- uco_master:Library
is_a: Object
slots:
- base_address
- file
- function_invocation
- function_name
- load_type
- load_type_id
- start_address
- type
slot_usage:
  base_address:
    name: base_address
    recommended: true
  file:
    name: file
    description: The module file object.
    recommended: true
  function_invocation:
    name: function_invocation
    description: 'Details about the invocation of the function given in

      <code>function_name</code>.'
  function_name:
    name: function_name
    description: 'The invoked function in the module. For load and unload events,
      this is the

      entry-point function of the module. The system calls the entry-point function

      whenever a process or thread loads or unloads the module.'
    recommended: true
  load_type_id:
    name: load_type_id
    description: The normalized identifier for how the module was loaded in memory.
    range: ModuleLoadTypeIdEnum
    recommended: true
  start_address:
    name: start_address
    recommended: true
  type:
    name: type
    description: The module type.
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        load_type_id:
          name: load_type_id
          required: true
    - slot_conditions:
        function_name:
          name: function_name
          required: true
  description: 'OCSF at_least_one: at least one of [''load_type_id'', ''function_name'']
    must be

    set.'

Induced

name: Module
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["load_type_id", "function_name"]}'
description: The Module object describes the attributes of a module.
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Module
close_mappings:
- uco_master:Library
is_a: Object
slot_usage:
  base_address:
    name: base_address
    recommended: true
  file:
    name: file
    description: The module file object.
    recommended: true
  function_invocation:
    name: function_invocation
    description: 'Details about the invocation of the function given in

      <code>function_name</code>.'
  function_name:
    name: function_name
    description: 'The invoked function in the module. For load and unload events,
      this is the

      entry-point function of the module. The system calls the entry-point function

      whenever a process or thread loads or unloads the module.'
    recommended: true
  load_type_id:
    name: load_type_id
    description: The normalized identifier for how the module was loaded in memory.
    range: ModuleLoadTypeIdEnum
    recommended: true
  start_address:
    name: start_address
    recommended: true
  type:
    name: type
    description: The module type.
    recommended: true
attributes:
  base_address:
    name: base_address
    description: The memory address where the module was loaded.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Base Address
    rank: 1000
    alias: base_address
    owner: Module
    domain_of:
    - Module
    - MemoryActivity
    range: string
    recommended: true
  file:
    name: file
    description: The module file object.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: Module
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  function_invocation:
    name: function_invocation
    description: 'Details about the invocation of the function given in

      <code>function_name</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Function Invocation
    rank: 1000
    alias: function_invocation
    owner: Module
    domain_of:
    - Module
    range: FunctionInvocation
  function_name:
    name: function_name
    description: 'The invoked function in the module. For load and unload events,
      this is the

      entry-point function of the module. The system calls the entry-point function

      whenever a process or thread loads or unloads the module.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Function Name
    rank: 1000
    alias: function_name
    owner: Module
    domain_of:
    - Module
    range: string
    recommended: true
  load_type:
    name: load_type
    description: 'The load type, normalized to the caption of the load_type_id value.
      In the case

      of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Load Type
    rank: 1000
    alias: load_type
    owner: Module
    domain_of:
    - Module
    range: string
  load_type_id:
    name: load_type_id
    annotations:
      sibling:
        tag: sibling
        value: load_type
    description: The normalized identifier for how the module was loaded in memory.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Load Type ID
    rank: 1000
    alias: load_type_id
    owner: Module
    domain_of:
    - Module
    range: ModuleLoadTypeIdEnum
    recommended: true
  start_address:
    name: start_address
    description: The start address of the execution.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Start Address
    rank: 1000
    alias: start_address
    owner: Module
    domain_of:
    - Module
    range: string
    recommended: true
  type:
    name: type
    description: The module type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Module
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        load_type_id:
          name: load_type_id
          required: true
    - slot_conditions:
        function_name:
          name: function_name
          required: true
  description: 'OCSF at_least_one: at least one of [''load_type_id'', ''function_name'']
    must be

    set.'