Class: Observable
The observable object is a pivot element that contains related information
found in many places in the event.
URI: ocsf:Observable
```mermaid
classDiagram
    class Observable
    click Observable href "../Observable/"
    Object <|-- Observable
    click Object href "../Object/"
    Observable : event_uid
    Observable : name
    Observable : reputation
    Observable --> "0..1" Reputation : reputation
    click Reputation href "../Reputation/"
    Observable : type
    Observable : type_id
    Observable --> "1" ObservableTypeIdEnum : type_id
    click ObservableTypeIdEnum href "../ObservableTypeIdEnum/"
    Observable : type_uid
    Observable : value
```
Inheritance
- OcsfObject
- Object
- Observable
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| event_uid | 0..1 String | The unique identifier (metadata.uid) of the source OCSF event from which this observable was extracted | direct |
| name | 0..1 recommended String | The full name of the observable attribute | direct |
| reputation | 0..1 Reputation | Contains the original and normalized reputation scores | direct |
| type | 0..1 String | The observable value type name | direct |
| type_id | 1 ObservableTypeIdEnum | The observable value type identifier | direct |
| type_uid | 0..1 Integer | The OCSF event type UID (type_uid) of the source event that this observable was extracted from | direct |
| value | 0..1 String | The value associated with the observable attribute | direct |
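The slot descriptions on this page imply consistency rules between an observable and its source event that a pipeline can check before trusting observables stored separately. The following is an added example, not part of the OCSF schema or its tooling: `resolve` and `check_observable` are hypothetical helpers, the event and observables are constructed, and the `type_id` values used (2, 10, 20) are assumed from the OCSF observable type enumeration, which this page does not list.

```python
import re

def resolve(event, name):
    """Return every value `name` addresses (resources.uid, resources[].uid, resources[0].uid)."""
    nodes = [event]
    for part in name.split("."):
        m = re.fullmatch(r"([^\[\]]+)(?:\[(\d*)\])?", part)
        if not m:
            return []
        key, index = m.groups()
        found = []
        for node in nodes:
            child = node.get(key) if isinstance(node, dict) else None
            if isinstance(child, list):
                # "[0]" selects one element; "[]" or no brackets selects all
                found += child[int(index):int(index) + 1] if index else child
            elif child is not None and index is None:
                found.append(child)
        nodes = found
    return nodes

def check_observable(event, obs):
    """List the inconsistencies between one observable and its source event."""
    problems = []
    if "type_id" not in obs:
        problems.append("type_id is required")
    if "event_uid" in obs and obs["event_uid"] != event.get("metadata", {}).get("uid"):
        problems.append("event_uid does not match metadata.uid")
    if "type_uid" in obs and obs["type_uid"] != event.get("type_uid"):
        problems.append("type_uid does not match source event")
    targets = resolve(event, obs.get("name", ""))
    if "name" in obs and not targets:
        problems.append("name does not resolve in event")
    elif any(isinstance(t, dict) for t in targets):
        if "value" in obs:  # object attribute: value must not be populated
            problems.append("value populated for object attribute")
    elif targets and str(obs.get("value")) not in map(str, targets):
        problems.append("value not found at name")
    return problems

# Constructed sample event and observables (not real telemetry).
EVENT = {"class_uid": 3001, "activity_id": 1, "type_uid": 300101,
         "metadata": {"uid": "evt-0001"}, "src_endpoint": {"ip": "192.0.2.10"},
         "resources": [{"uid": "res-a"}, {"uid": "res-b"}]}
OBSERVABLES = [
    {"name": "src_endpoint.ip", "type_id": 2, "value": "192.0.2.10", "event_uid": "evt-0001", "type_uid": 300101},
    {"name": "resources[].uid", "type_id": 10, "value": "res-b"},
    {"name": "resources[0].uid", "type_id": 10, "value": "res-b"},   # points at the wrong element
    {"name": "src_endpoint", "type_id": 20, "value": "192.0.2.10"},  # object attribute with a value
]
```

Running `check_observable(EVENT, o)` over `OBSERVABLES` flags only the last two entries: the indexed path that points at a different array element, and the object-typed observable that carries a `value`.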
Usages
In Subsets
Aliases
- Observable
See Also
Notes
- OCSF Observables FAQ — https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using Observables.md
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Observable |
| native | ocsf:Observable |
| close | uco_master:ObservableObject |
LinkML Source
Direct
```yaml
name: Observable
description: 'The observable object is a pivot element that contains related information
  found in many places in the event.'
notes:
- 'OCSF Observables FAQ —
  https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using
  Observables.md'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining%20and%20Using%20Observables.md
aliases:
- Observable
close_mappings:
- uco_master:ObservableObject
is_a: Object
slots:
- event_uid
- name
- reputation
- type
- type_id
- type_uid
- value
slot_usage:
  event_uid:
    name: event_uid
    description: 'The unique identifier (<code>metadata.uid</code>) of the source
      OCSF event from
      which this observable was extracted. This field enables linking observables
      back to their originating event data when observables are stored in a separate
      location or system.'
  name:
    name: name
    description: 'The full name of the observable attribute. The <code>name</code>
      is a
      pointer/reference to an attribute within the OCSF event data. For example:
      <code>file.name</code>. Array attributes may be represented in one of three
      ways. For example: <code>resources.uid</code>, <code>resources[].uid</code>,
      <code>resources[0].uid</code>.'
    recommended: true
  type:
    name: type
    description: The observable value type name.
  type_id:
    name: type_id
    description: The observable value type identifier.
    range: ObservableTypeIdEnum
    required: true
  type_uid:
    name: type_uid
    description: 'The OCSF event type UID (<code>type_uid</code>) of the source event
      that this
      observable was extracted from. This field enables filtering and categorizing
      observables by their originating event type. For example: <code>300101</code>
      for Network Activity (class_uid 3001) with activity_id 1.'
  value:
    name: value
    description: 'The value associated with the observable attribute. The meaning
      of the value
      depends on the observable type.<br/>If the <code>name</code> refers to a scalar
      attribute, then the <code>value</code> is the value of the attribute.<br/>If
      the <code>name</code> refers to an object attribute, then the
      <code>value</code> is not populated.'
```
Induced
```yaml
name: Observable
description: 'The observable object is a pivot element that contains related information
  found in many places in the event.'
notes:
- 'OCSF Observables FAQ —
  https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using
  Observables.md'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining%20and%20Using%20Observables.md
aliases:
- Observable
close_mappings:
- uco_master:ObservableObject
is_a: Object
slot_usage:
  event_uid:
    name: event_uid
    description: 'The unique identifier (<code>metadata.uid</code>) of the source
      OCSF event from
      which this observable was extracted. This field enables linking observables
      back to their originating event data when observables are stored in a separate
      location or system.'
  name:
    name: name
    description: 'The full name of the observable attribute. The <code>name</code>
      is a
      pointer/reference to an attribute within the OCSF event data. For example:
      <code>file.name</code>. Array attributes may be represented in one of three
      ways. For example: <code>resources.uid</code>, <code>resources[].uid</code>,
      <code>resources[0].uid</code>.'
    recommended: true
  type:
    name: type
    description: The observable value type name.
  type_id:
    name: type_id
    description: The observable value type identifier.
    range: ObservableTypeIdEnum
    required: true
  type_uid:
    name: type_uid
    description: 'The OCSF event type UID (<code>type_uid</code>) of the source event
      that this
      observable was extracted from. This field enables filtering and categorizing
      observables by their originating event type. For example: <code>300101</code>
      for Network Activity (class_uid 3001) with activity_id 1.'
  value:
    name: value
    description: 'The value associated with the observable attribute. The meaning
      of the value
      depends on the observable type.<br/>If the <code>name</code> refers to a scalar
      attribute, then the <code>value</code> is the value of the attribute.<br/>If
      the <code>name</code> refers to an object attribute, then the
      <code>value</code> is not populated.'
attributes:
  event_uid:
    name: event_uid
    description: 'The unique identifier (<code>metadata.uid</code>) of the source
      OCSF event from
      which this observable was extracted. This field enables linking observables
      back to their originating event data when observables are stored in a separate
      location or system.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Event UID
    rank: 1000
    alias: event_uid
    owner: Observable
    domain_of:
    - Observable
    - Logger
    range: string
  name:
    name: name
    description: 'The full name of the observable attribute. The <code>name</code>
      is a
      pointer/reference to an attribute within the OCSF event data. For example:
      <code>file.name</code>. Array attributes may be represented in one of three
      ways. For example: <code>resources.uid</code>, <code>resources[].uid</code>,
      <code>resources[0].uid</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Observable
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  reputation:
    name: reputation
    description: Contains the original and normalized reputation scores.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Reputation Scores
    rank: 1000
    alias: reputation
    owner: Observable
    domain_of:
    - Observable
    - Osint
    - Enrichment
    range: Reputation
  type:
    name: type
    description: The observable value type name.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Observable
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The observable value type identifier.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: Observable
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: ObservableTypeIdEnum
    required: true
  type_uid:
    name: type_uid
    annotations:
      sibling:
        tag: sibling
        value: type_name
    description: 'The OCSF event type UID (<code>type_uid</code>) of the source event
      that this
      observable was extracted from. This field enables filtering and categorizing
      observables by their originating event type. For example: <code>300101</code>
      for Network Activity (class_uid 3001) with activity_id 1.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_uid
    owner: Observable
    domain_of:
    - Observable
    - RelatedEvent
    - BaseEvent
    range: integer
  value:
    name: value
    description: 'The value associated with the observable attribute. The meaning
      of the value
      depends on the observable type.<br/>If the <code>name</code> refers to a scalar
      attribute, then the <code>value</code> is the value of the attribute.<br/>If
      the <code>name</code> refers to an object attribute, then the
      <code>value</code> is not populated.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Value
    rank: 1000
    alias: value
    owner: Observable
    domain_of:
    - Observable
    - Observation
    - Osint
    - Packet
    - DiscoveryDetails
    - Enrichment
    - EnvironmentVariable
    - Fingerprint
    - HttpCookie
    - HttpHeader
    - Ja4Fingerprint
    - KeyValueObject
    - LongString
    - Metric
    range: string
```