Class: Osint
The OSINT (Open Source Intelligence) object contains details related to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.
URI: ocsf:Osint
classDiagram
class Osint
click Osint href "../Osint/"
Object <|-- Osint
click Object href "../Object/"
Osint : answers
Osint --> "*" DnsAnswer : answers
click DnsAnswer href "../DnsAnswer/"
Osint : attacks
Osint --> "*" Attack : attacks
click Attack href "../Attack/"
Osint : autonomous_system
Osint --> "0..1" AutonomousSystem : autonomous_system
click AutonomousSystem href "../AutonomousSystem/"
Osint : campaign
Osint --> "0..1" Campaign : campaign
click Campaign href "../Campaign/"
Osint : category
Osint : comment
Osint : confidence
Osint : confidence_id
Osint --> "0..1 _recommended_" ConfidenceIdEnum : confidence_id
click ConfidenceIdEnum href "../ConfidenceIdEnum/"
Osint : created_time
Osint : creator
Osint --> "0..1" User : creator
click User href "../User/"
Osint : desc
Osint : detection_pattern
Osint : detection_pattern_type
Osint : detection_pattern_type_id
Osint --> "0..1" DetectionPatternTypeIdEnum : detection_pattern_type_id
click DetectionPatternTypeIdEnum href "../DetectionPatternTypeIdEnum/"
Osint : email
Osint --> "0..1" Email : email
click Email href "../Email/"
Osint : email_auth
Osint --> "0..1" EmailAuth : email_auth
click EmailAuth href "../EmailAuth/"
Osint : expiration_time
Osint : external_uid
Osint : file
Osint --> "0..1" File : file
click File href "../File/"
Osint : intrusion_sets
Osint : kill_chain
Osint --> "*" KillChainPhase : kill_chain
click KillChainPhase href "../KillChainPhase/"
Osint : labels
Osint : location
Osint --> "0..1" Location : location
click Location href "../Location/"
Osint : malware
Osint --> "*" Malware : malware
click Malware href "../Malware/"
Osint : modified_time
Osint : name
Osint : references
Osint : related_analytics
Osint --> "*" Analytic : related_analytics
click Analytic href "../Analytic/"
Osint : reputation
Osint --> "0..1" Reputation : reputation
click Reputation href "../Reputation/"
Osint : risk_score
Osint : script
Osint --> "0..1" Script : script
click Script href "../Script/"
Osint : severity
Osint : severity_id
Osint --> "0..1" SeverityIdEnum : severity_id
click SeverityIdEnum href "../SeverityIdEnum/"
Osint : signatures
Osint --> "*" DigitalSignature : signatures
click DigitalSignature href "../DigitalSignature/"
Osint : src_url
Osint : subdomains
Osint : subnet
Osint : threat_actor
Osint --> "0..1" ThreatActor : threat_actor
click ThreatActor href "../ThreatActor/"
Osint : tlp
Osint --> "0..1 _recommended_" OsintTlpEnum : tlp
click OsintTlpEnum href "../OsintTlpEnum/"
Osint : type
Osint : type_id
Osint --> "1" OsintTypeIdEnum : type_id
click OsintTypeIdEnum href "../OsintTypeIdEnum/"
Osint : uid
Osint : uploaded_time
Osint : value
Osint : vendor_name
Osint : vulnerabilities
Osint --> "*" Vulnerability : vulnerabilities
click Vulnerability href "../Vulnerability/"
Osint : whois
Osint --> "0..1" Whois : whois
click Whois href "../Whois/"
Inheritance
- OcsfObject
- Object
- Osint
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| answers | * DnsAnswer | Any pertinent DNS answers information related to an indicator or OSINT analysis | direct |
| attacks | * Attack | MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis | direct |
| autonomous_system | 0..1 AutonomousSystem | Any pertinent autonomous system information related to an indicator or OSINT analysis | direct |
| campaign | 0..1 Campaign | The campaign object describes details about the campaign that was the source of the activity | direct |
| category | 0..1 String | Categorizes the threat indicator based on its functional or operational role | direct |
| comment | 0..1 String | Analyst commentary or source commentary about an indicator or OSINT analysis | direct |
| confidence | 0..1 String | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst | direct |
| confidence_id | 0..1 recommended ConfidenceIdEnum | The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious | direct |
| created_time | 0..1 TimestampT | The timestamp when the indicator was initially created or identified | direct |
| creator | 0..1 User | The identifier of the user, system, or organization that contributed the indicator | direct |
| desc | 0..1 String | A detailed explanation of the indicator, including its context, purpose, and relevance | direct |
| detection_pattern | 0..1 String | The specific detection pattern or signature associated with the indicator | direct |
| detection_pattern_type | 0..1 String | The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source | direct |
| detection_pattern_type_id | 0..1 DetectionPatternTypeIdEnum | Specifies the type of detection pattern used to identify the associated threat indicator | direct |
| email | 0..1 Email | Any email information pertinent to an indicator or OSINT analysis | direct |
| email_auth | 0..1 EmailAuth | Any email authentication information pertinent to an indicator or OSINT analysis | direct |
| expiration_time | 0..1 TimestampT | The expiration date of the indicator, after which it is no longer considered reliable | direct |
| external_uid | 0..1 String | A unique identifier assigned by an external system for cross-referencing | direct |
| file | 0..1 File | Any pertinent file information related to an indicator or OSINT analysis | direct |
| intrusion_sets | * String | A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label | direct |
| kill_chain | * KillChainPhase | Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis | direct |
| labels | * String | Tags or keywords associated with the indicator to enhance searchability | direct |
| location | 0..1 Location | Any pertinent geolocation information related to an indicator or OSINT analysis | direct |
| malware | * Malware | A list of Malware objects, describing details about the identified malware | direct |
| modified_time | 0..1 TimestampT | The timestamp of the last modification or update to the indicator | direct |
| name | 0..1 String | The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name | direct |
| references | * String | Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI | direct |
| related_analytics | * Analytic | Any analytics related to an indicator or OSINT analysis | direct |
| reputation | 0..1 Reputation | Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis | direct |
| risk_score | 0..1 Integer | A numerical representation of the threat indicator's risk level | direct |
| script | 0..1 Script | Any pertinent script information related to an indicator or OSINT analysis | direct |
| severity | 0..1 String | Represents the severity level of the threat indicator, typically reflecting its potential impact or damage | direct |
| severity_id | 0..1 SeverityIdEnum | The normalized severity level of the threat indicator, typically reflecting its potential impact or damage | direct |
| signatures | * DigitalSignature | Any digital signatures or hashes related to an indicator or OSINT analysis | direct |
| src_url | 0..1 UrlT | The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise | direct |
| subdomains | * String | Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis | direct |
| subnet | 0..1 SubnetT | A CIDR or network block related to an indicator or OSINT analysis | direct |
| threat_actor | 0..1 ThreatActor | A threat actor is an individual or group that conducts malicious cyber ... | direct |
| tlp | 0..1 recommended OsintTlpEnum | The Traffic Light Protocol (https://www.first.org/tlp/) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared | direct |
| type | 0..1 String | The OSINT indicator type | direct |
| type_id | 1 OsintTypeIdEnum | The OSINT indicator type ID | direct |
| uid | 0..1 String | The unique identifier for the OSINT object | direct |
| uploaded_time | 0..1 TimestampT | The timestamp indicating when the associated indicator or intelligence was added to the system or repository | direct |
| value | 1 String | The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name | direct |
| vendor_name | 0..1 String | The vendor name of a tool which generates intelligence or provides indicators | direct |
| vulnerabilities | * Vulnerability | Any vulnerabilities related to an indicator or OSINT analysis | direct |
| whois | 0..1 Whois | Any pertinent WHOIS information related to an indicator or OSINT analysis | direct |
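The slot table above is what an ingest pipeline has to enforce before an indicator is trusted for enrichment: `type_id` and `value` are the only required slots, `confidence_id` and `tlp` are recommended, every `*` slot is a list, and the `*_id` slots carry a normalized enum value whose caption lives in a sibling slot. The following Python is an added example, not code from the OCSF project or from this generated page. It validates a dictionary against those cardinalities and applies the `expiration_time` rule ("no longer considered reliable"). It assumes TimestampT values are epoch milliseconds, and because this page does not list the members of OsintTypeIdEnum, ConfidenceIdEnum or OsintTlpEnum, the sample record uses placeholder enum values and the checks only verify their type.

```python
"""Validate an OCSF Osint object against the cardinalities in the Slots table.

Constructed example; not OCSF project code. Assumptions: TimestampT is
epoch milliseconds, and enum member values are placeholders (not on the page).
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

REQUIRED = {"type_id", "value"}                 # cardinality 1
RECOMMENDED = {"confidence_id", "tlp"}          # marked _recommended_
MULTIVALUED = {                                 # cardinality *
    "answers", "attacks", "intrusion_sets", "kill_chain", "labels", "malware",
    "references", "related_analytics", "signatures", "subdomains",
    "vulnerabilities",
}
ENUM_IDS = {"type_id", "confidence_id", "detection_pattern_type_id", "severity_id"}
# sibling annotations shown on the page: the *_id slot holds the normalized
# enum value, the sibling slot holds its caption
SIBLINGS = {
    "confidence_id": "confidence",
    "detection_pattern_type_id": "detection_pattern_type",
}
TIMESTAMPS = {"created_time", "modified_time", "expiration_time", "uploaded_time"}


def validate_osint(obj: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors violate the schema, warnings flag a
    missing recommended slot or an enum id without its sibling caption."""
    errors: list[str] = []
    warns: list[str] = []
    present = set(obj)
    for slot in sorted(REQUIRED - present):
        errors.append(f"missing required slot: {slot}")
    for slot in sorted(RECOMMENDED - present):
        warns.append(f"missing recommended slot: {slot}")
    for slot in sorted(MULTIVALUED & present):
        if not isinstance(obj[slot], list):
            errors.append(f"{slot} has cardinality * and must be a list")
    for slot in sorted(ENUM_IDS & present):
        if isinstance(obj[slot], bool) or not isinstance(obj[slot], int):
            errors.append(f"{slot} must be an integer enum value")
        elif slot in SIBLINGS and SIBLINGS[slot] not in obj:
            warns.append(f"{slot} is set without its sibling caption {SIBLINGS[slot]}")
    for slot in sorted(TIMESTAMPS & present):
        if isinstance(obj[slot], bool) or not isinstance(obj[slot], int) or obj[slot] < 0:
            errors.append(f"{slot} must be a non-negative epoch-millisecond integer")
    if "subnet" in obj:  # SubnetT: a CIDR or network block
        try:
            ipaddress.ip_network(obj["subnet"], strict=False)
        except ValueError:
            errors.append("subnet is not a valid CIDR block")
    if "src_url" in obj:  # UrlT: must be an absolute URL back to the TIP or report
        parts = urlparse(obj["src_url"])
        if not (parts.scheme and parts.netloc):
            errors.append("src_url is not an absolute URL")
    return errors, warns


def is_current(obj: dict, now_ms: int) -> bool:
    """An indicator past expiration_time is no longer considered reliable."""
    exp = obj.get("expiration_time")
    return exp is None or now_ms < exp


# Constructed sample records (not from any real feed). Enum values are
# placeholders because the enum members are not listed on this page.
SAMPLE_OK = {
    "type_id": 1,                       # placeholder OsintTypeIdEnum value
    "value": "indicator.example.net",   # a domain-name indicator
    "confidence_id": 2,                 # placeholder ConfidenceIdEnum value
    "confidence": "Medium",             # caption paired with confidence_id
    "tlp": "AMBER",                     # placeholder OsintTlpEnum value
    "labels": ["constructed-sample"],
    "subdomains": ["a1b2c3.indicator.example.net"],
    "subnet": "192.0.2.0/24",           # TEST-NET-1, documentation range
    "src_url": "https://tip.example.net/indicators/1",
    "references": ["https://tip.example.net/reports/1"],
    "created_time": 1_700_000_000_000,
    "expiration_time": 1_700_086_400_000,   # 24 h after created_time
}
SAMPLE_BAD = {
    "type_id": "1",                              # string, not an enum integer
    "answers": {"rdata": "198.51.100.7"},        # * slot given as a dict
    "subnet": "198.51.100.0/33",                 # invalid prefix length
    "src_url": "tip.example.net/reports/1",      # no scheme
    "expiration_time": 1_600_000_000_000,        # already expired
}

if __name__ == "__main__":
    for label, rec in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, ws = validate_osint(rec)
        print(label, "errors:", errs, "warnings:", ws,
              "current:", is_current(rec, 1_700_000_000_000))
```

The checks are deliberately schema-level: they do not decide whether an indicator is malicious, only whether the record is well-formed enough to be used for enrichment and whether it has expired. Enum membership should be added once the enum pages are available, since a mistyped `type_id` silently changes what `value` means.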
Usages
In Subsets
Aliases
- OSINT
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Osint |
| native | ocsf:Osint |
LinkML Source
Direct
name: Osint
description: 'The OSINT (Open Source Intelligence) object contains details related
to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OSINT
is_a: Object
slots:
- answers
- attacks
- autonomous_system
- campaign
- category
- comment
- confidence
- confidence_id
- created_time
- creator
- desc
- detection_pattern
- detection_pattern_type
- detection_pattern_type_id
- email
- email_auth
- expiration_time
- external_uid
- file
- intrusion_sets
- kill_chain
- labels
- location
- malware
- modified_time
- name
- references
- related_analytics
- reputation
- risk_score
- script
- severity
- severity_id
- signatures
- src_url
- subdomains
- subnet
- threat_actor
- tlp
- type
- type_id
- uid
- uploaded_time
- value
- vendor_name
- vulnerabilities
- whois
slot_usage:
answers:
name: answers
description: 'Any pertinent DNS answers information related to an indicator or
OSINT
analysis.'
attacks:
name: attacks
description: 'MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent
to an
indicator or OSINT analysis.'
autonomous_system:
name: autonomous_system
description: 'Any pertinent autonomous system information related to an indicator
or OSINT
analysis.'
category:
name: category
description: Categorizes the threat indicator based on its functional or operational
role.
comment:
name: comment
description: Analyst commentary or source commentary about an indicator or OSINT
analysis.
confidence:
name: confidence
description: 'The confidence of an indicator being malicious and/or pertinent,
normalized to
the caption of the confidence_id value. In the case of ''Other'', it is defined
by the event source or analyst.'
confidence_id:
name: confidence_id
description: 'The normalized confidence refers to the accuracy of collected information
related to the OSINT or how pertinent an indicator or analysis is to a specific
event or finding. A low confidence means that the information collected or
analysis conducted lacked detail or is not accurate enough to qualify an
indicator as fully malicious.'
recommended: true
created_time:
name: created_time
description: The timestamp when the indicator was initially created or identified.
creator:
name: creator
description: 'The identifier of the user, system, or organization that contributed
the
indicator.'
desc:
name: desc
description: 'A detailed explanation of the indicator, including its context,
purpose, and
relevance.'
detection_pattern:
name: detection_pattern
description: The specific detection pattern or signature associated with the indicator.
email:
name: email
description: Any email information pertinent to an indicator or OSINT analysis.
email_auth:
name: email_auth
description: 'Any email authentication information pertinent to an indicator or
OSINT
analysis.'
expiration_time:
name: expiration_time
description: 'The expiration date of the indicator, after which it is no longer
considered
reliable.'
file:
name: file
description: Any pertinent file information related to an indicator or OSINT analysis.
kill_chain:
name: kill_chain
description: Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT
analysis.
labels:
name: labels
description: Tags or keywords associated with the indicator to enhance searchability.
location:
name: location
description: 'Any pertinent geolocation information related to an indicator or
OSINT
analysis.'
modified_time:
name: modified_time
description: The timestamp of the last modification or update to the indicator.
name:
name: name
description: 'The <code>name</code> is a pointer/reference to an attribute within
the OCSF
event data. For example: file.name.'
references:
name: references
description: 'Provides a reference to an external source of information related
to the CTI
being represented. This may include a URL, a document, or some other type of
reference that provides additional context or information about the CTI.'
related_analytics:
name: related_analytics
description: Any analytics related to an indicator or OSINT analysis.
reputation:
name: reputation
description: 'Related reputational analysis from third-party engines and analysts
for a given
indicator or OSINT analysis.'
risk_score:
name: risk_score
description: A numerical representation of the threat indicator’s risk level.
script:
name: script
description: Any pertinent script information related to an indicator or OSINT
analysis.
severity:
name: severity
description: 'Represents the severity level of the threat indicator, typically
reflecting its
potential impact or damage.'
severity_id:
name: severity_id
description: 'The normalized severity level of the threat indicator, typically
reflecting its
potential impact or damage.'
signatures:
name: signatures
description: Any digital signatures or hashes related to an indicator or OSINT
analysis.
src_url:
name: src_url
description: 'The source URL of an indicator or OSINT analysis, e.g., a URL back
to a TIP,
report, or otherwise.'
subdomains:
name: subdomains
description: 'Any pertinent subdomain information - such as those generated by
a Domain
Generation Algorithm - related to an indicator or OSINT analysis.'
subnet:
name: subnet
description: A CIDR or network block related to an indicator or OSINT analysis.
tlp:
name: tlp
description: 'The <a target=''_blank'' href=''https://www.first.org/tlp/''>Traffic
Light
Protocol</a> was created to facilitate greater sharing of potentially sensitive
information and more effective collaboration. TLP provides a simple and
intuitive schema for indicating with whom potentially sensitive information
can
be shared.'
range: OsintTlpEnum
recommended: true
type:
name: type
description: The OSINT indicator type.
type_id:
name: type_id
description: The OSINT indicator type ID.
range: OsintTypeIdEnum
required: true
uid:
name: uid
description: The unique identifier for the OSINT object.
uploaded_time:
name: uploaded_time
description: 'The timestamp indicating when the associated indicator or intelligence
was
added to the system or repository.'
value:
name: value
description: 'The actual indicator value in scope, e.g., a SHA-256 hash hexdigest
or a domain
name.'
required: true
vendor_name:
name: vendor_name
description: The vendor name of a tool which generates intelligence or provides
indicators.
vulnerabilities:
name: vulnerabilities
description: Any vulnerabilities related to an indicator or OSINT analysis.
whois:
name: whois
description: Any pertinent WHOIS information related to an indicator or OSINT
analysis.
Induced
name: Osint
description: 'The OSINT (Open Source Intelligence) object contains details related
to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OSINT
is_a: Object
slot_usage:
answers:
name: answers
description: 'Any pertinent DNS answers information related to an indicator or
OSINT
analysis.'
attacks:
name: attacks
description: 'MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent
to an
indicator or OSINT analysis.'
autonomous_system:
name: autonomous_system
description: 'Any pertinent autonomous system information related to an indicator
or OSINT
analysis.'
category:
name: category
description: Categorizes the threat indicator based on its functional or operational
role.
comment:
name: comment
description: Analyst commentary or source commentary about an indicator or OSINT
analysis.
confidence:
name: confidence
description: 'The confidence of an indicator being malicious and/or pertinent,
normalized to
the caption of the confidence_id value. In the case of ''Other'', it is defined
by the event source or analyst.'
confidence_id:
name: confidence_id
description: 'The normalized confidence refers to the accuracy of collected information
related to the OSINT or how pertinent an indicator or analysis is to a specific
event or finding. A low confidence means that the information collected or
analysis conducted lacked detail or is not accurate enough to qualify an
indicator as fully malicious.'
recommended: true
created_time:
name: created_time
description: The timestamp when the indicator was initially created or identified.
creator:
name: creator
description: 'The identifier of the user, system, or organization that contributed
the
indicator.'
desc:
name: desc
description: 'A detailed explanation of the indicator, including its context,
purpose, and
relevance.'
detection_pattern:
name: detection_pattern
description: The specific detection pattern or signature associated with the indicator.
email:
name: email
description: Any email information pertinent to an indicator or OSINT analysis.
email_auth:
name: email_auth
description: 'Any email authentication information pertinent to an indicator or
OSINT
analysis.'
expiration_time:
name: expiration_time
description: 'The expiration date of the indicator, after which it is no longer
considered
reliable.'
file:
name: file
description: Any pertinent file information related to an indicator or OSINT analysis.
kill_chain:
name: kill_chain
description: Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT
analysis.
labels:
name: labels
description: Tags or keywords associated with the indicator to enhance searchability.
location:
name: location
description: 'Any pertinent geolocation information related to an indicator or
OSINT
analysis.'
modified_time:
name: modified_time
description: The timestamp of the last modification or update to the indicator.
name:
name: name
description: 'The <code>name</code> is a pointer/reference to an attribute within
the OCSF
event data. For example: file.name.'
references:
name: references
description: 'Provides a reference to an external source of information related
to the CTI
being represented. This may include a URL, a document, or some other type of
reference that provides additional context or information about the CTI.'
related_analytics:
name: related_analytics
description: Any analytics related to an indicator or OSINT analysis.
reputation:
name: reputation
description: 'Related reputational analysis from third-party engines and analysts
for a given
indicator or OSINT analysis.'
risk_score:
name: risk_score
description: A numerical representation of the threat indicator’s risk level.
script:
name: script
description: Any pertinent script information related to an indicator or OSINT
analysis.
severity:
name: severity
description: 'Represents the severity level of the threat indicator, typically
reflecting its
potential impact or damage.'
severity_id:
name: severity_id
description: 'The normalized severity level of the threat indicator, typically
reflecting its
potential impact or damage.'
signatures:
name: signatures
description: Any digital signatures or hashes related to an indicator or OSINT
analysis.
src_url:
name: src_url
description: 'The source URL of an indicator or OSINT analysis, e.g., a URL back
to a TIP,
report, or otherwise.'
subdomains:
name: subdomains
description: 'Any pertinent subdomain information - such as those generated by
a Domain
Generation Algorithm - related to an indicator or OSINT analysis.'
subnet:
name: subnet
description: A CIDR or network block related to an indicator or OSINT analysis.
tlp:
name: tlp
description: 'The <a target=''_blank'' href=''https://www.first.org/tlp/''>Traffic
Light
Protocol</a> was created to facilitate greater sharing of potentially sensitive
information and more effective collaboration. TLP provides a simple and
intuitive schema for indicating with whom potentially sensitive information
can
be shared.'
range: OsintTlpEnum
recommended: true
type:
name: type
description: The OSINT indicator type.
type_id:
name: type_id
description: The OSINT indicator type ID.
range: OsintTypeIdEnum
required: true
uid:
name: uid
description: The unique identifier for the OSINT object.
uploaded_time:
name: uploaded_time
description: 'The timestamp indicating when the associated indicator or intelligence
was
added to the system or repository.'
value:
name: value
description: 'The actual indicator value in scope, e.g., a SHA-256 hash hexdigest
or a domain
name.'
required: true
vendor_name:
name: vendor_name
description: The vendor name of a tool which generates intelligence or provides
indicators.
vulnerabilities:
name: vulnerabilities
description: Any vulnerabilities related to an indicator or OSINT analysis.
whois:
name: whois
description: Any pertinent WHOIS information related to an indicator or OSINT
analysis.
attributes:
answers:
name: answers
description: 'Any pertinent DNS answers information related to an indicator or
OSINT
analysis.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- DNS Answer
rank: 1000
alias: answers
owner: Osint
domain_of:
- Osint
- DnsActivity
range: DnsAnswer
multivalued: true
attacks:
name: attacks
description: 'MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent
to an
indicator or OSINT analysis.'
notes:
- MITRE ATT&CK® — https://attack.mitre.org
- MITRE ATLAS — https://atlas.mitre.org/matrices/ATLAS
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE ATT&CK® and ATLAS™ Details
rank: 1000
alias: attacks
owner: Osint
domain_of:
- Osint
- RelatedEvent
- FindingInfo
- SecurityControlProfile
- IncidentFinding
- SecurityFinding
range: Attack
multivalued: true
autonomous_system:
name: autonomous_system
description: 'Any pertinent autonomous system information related to an indicator
or OSINT
analysis.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Autonomous System
rank: 1000
alias: autonomous_system
owner: Osint
domain_of:
- Osint
- Whois
- NetworkEndpoint
range: AutonomousSystem
campaign:
name: campaign
description: 'The campaign object describes details about the campaign that was
the source of
the activity.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Campaign
rank: 1000
alias: campaign
owner: Osint
domain_of:
- Osint
range: Campaign
category:
name: category
description: Categorizes the threat indicator based on its functional or operational
role.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category
rank: 1000
alias: category
owner: Osint
domain_of:
- Osint
- Vulnerability
- Analytic
- Assessment
- Compliance
- DataClassification
- Rule
- Trait
range: string
comment:
name: comment
description: Analyst commentary or source commentary about an indicator or OSINT
analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Comment
rank: 1000
alias: comment
owner: Osint
domain_of:
- Osint
- Finding
- IncidentFinding
- EntityManagement
- DroneFlightsActivity
range: string
confidence:
name: confidence
description: 'The confidence of an indicator being malicious and/or pertinent,
normalized to
the caption of the confidence_id value. In the case of ''Other'', it is defined
by the event source or analyst.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence
rank: 1000
alias: confidence
owner: Osint
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: string
confidence_id:
name: confidence_id
annotations:
sibling:
tag: sibling
value: confidence
description: 'The normalized confidence refers to the accuracy of collected information
related to the OSINT or how pertinent an indicator or analysis is to a specific
event or finding. A low confidence means that the information collected or
analysis conducted lacked detail or is not accurate enough to qualify an
indicator as fully malicious.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence ID
rank: 1000
alias: confidence_id
owner: Osint
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: ConfidenceIdEnum
recommended: true
created_time:
name: created_time
description: The timestamp when the indicator was initially created or identified.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Created Time
rank: 1000
alias: created_time
owner: Osint
domain_of:
- Osint
- RelatedEvent
- Sbom
- Scim
- Session
- Sso
- Token
- Whois
- Resource
- Advisory
- AuthenticationToken
- Certificate
- Cve
- Database
- Databucket
- DigitalSignature
- Enrichment
- Epss
- File
- FindingObject
- FindingInfo
- Job
- KbArticle
- LdapPerson
- ProcessEntity
- Table
- Device
range: TimestampT
creator:
name: creator
description: 'The identifier of the user, system, or organization that contributed
the
indicator.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Creator
rank: 1000
alias: creator
owner: Osint
domain_of:
- Osint
- File
range: User
desc:
name: desc
description: 'A detailed explanation of the indicator, including its context,
purpose, and
relevance.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Description
rank: 1000
alias: desc
owner: Osint
domain_of:
- Osint
- RelatedEvent
- Remediation
- Vulnerability
- Advisory
- Analytic
- ApplicationObject
- Assessment
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- Compliance
- Cve
- Database
- Databucket
- Enrichment
- File
- FindingObject
- FindingInfo
- Graph
- Group
- Job
- Location
- Node
- Policy
- Rule
- Table
- WebResource
- Device
- IncidentFinding
range: string
detection_pattern:
name: detection_pattern
description: The specific detection pattern or signature associated with the indicator.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Detection Pattern
rank: 1000
alias: detection_pattern
owner: Osint
domain_of:
- Osint
- DataSecurity
range: string
detection_pattern_type:
name: detection_pattern_type
description: 'The detection pattern type, normalized to the caption of the
detection_pattern_type_id value. In the case of ''Other'', it is defined by
the
event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Detection Pattern
rank: 1000
alias: detection_pattern_type
owner: Osint
domain_of:
- Osint
range: string
detection_pattern_type_id:
name: detection_pattern_type_id
annotations:
sibling:
tag: sibling
value: detection_pattern_type
description: 'Specifies the type of detection pattern used to identify the associated
threat
indicator.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Detection Pattern Type ID
rank: 1000
alias: detection_pattern_type_id
owner: Osint
domain_of:
- Osint
range: DetectionPatternTypeIdEnum
email:
name: email
description: Any email information pertinent to an indicator or OSINT analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Email
rank: 1000
alias: email
owner: Osint
domain_of:
- Osint
- Evidences
- ManagedEntity
- EmailActivity
range: Email
email_auth:
name: email_auth
description: 'Any email authentication information pertinent to an indicator or
OSINT
analysis.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Email Authentication
rank: 1000
alias: email_auth
owner: Osint
domain_of:
- Osint
- EmailActivity
range: EmailAuth
expiration_time:
name: expiration_time
description: 'The expiration date of the indicator, after which it is no longer
considered
reliable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Expiration Time
rank: 1000
alias: expiration_time
owner: Osint
domain_of:
- Osint
- Session
- Token
- AuthenticationToken
- Certificate
- HttpCookie
- FileHosting
- NetworkFileActivity
range: TimestampT
external_uid:
name: external_uid
description: A unique identifier assigned by an external system for cross-referencing.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- External ID
rank: 1000
alias: external_uid
owner: Osint
domain_of:
- Osint
range: string
file:
name: file
description: Any pertinent file information related to an indicator or OSINT analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- File
rank: 1000
alias: file
owner: Osint
domain_of:
- Osint
- QueryEvidence
- Script
- AffectedCode
- Databucket
- Evidences
- Job
- KernelDriver
- Module
- Process
- FileHosting
- FileQuery
- DataSecurityFinding
- EmailFileActivity
- FtpActivity
- HttpActivity
- NetworkFileActivity
- RdpActivity
- SmbActivity
- SshActivity
- FileRemediationActivity
- EventLogActvity
- FileActivity
range: File
intrusion_sets:
name: intrusion_sets
description: 'A grouping of adversarial behaviors and resources believed to be
associated
with specific threat actors or campaigns. Intrusion sets often encompass
multiple campaigns and are used to organize related activities under a common
label.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Intrusion Sets
rank: 1000
alias: intrusion_sets
owner: Osint
domain_of:
- Osint
range: string
multivalued: true
kill_chain:
name: kill_chain
description: Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT
analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Kill Chain
rank: 1000
alias: kill_chain
owner: Osint
domain_of:
- Osint
- RelatedEvent
- FindingInfo
- SecurityFinding
range: KillChainPhase
multivalued: true
labels:
name: labels
description: Tags or keywords associated with the indicator to enhance searchability.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Labels
rank: 1000
alias: labels
owner: Osint
domain_of:
- Osint
- Resource
- Account
- ApplicationObject
- Container
- Image
- LdapPerson
- Metadata
- Service
range: string
multivalued: true
location:
name: location
description: 'Any pertinent geolocation information related to an indicator or
OSINT
analysis.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Geo Location
rank: 1000
alias: location
owner: Osint
domain_of:
- Osint
- Aircraft
- DomainContact
- Endpoint
- LdapPerson
- ManagedEntity
- UnmannedAerialSystem
- Device
range: Location
malware:
name: malware
description: A list of Malware objects, describing details about the identified
malware.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware
rank: 1000
alias: malware
owner: Osint
domain_of:
- Osint
- SecurityControlProfile
- DetectionFinding
- SecurityFinding
range: Malware
multivalued: true
modified_time:
name: modified_time
description: The timestamp of the last modification or update to the indicator.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Modified Time
rank: 1000
alias: modified_time
owner: Osint
domain_of:
- Osint
- RelatedEvent
- Scim
- Sso
- Token
- Resource
- Advisory
- Cve
- Database
- Databucket
- File
- FindingObject
- FindingInfo
- LdapPerson
- Metadata
- Table
- Device
- RegKey
- RegValue
range: TimestampT
name:
name: name
description: 'The <code>name</code> is a pointer/reference to an attribute within
the OCSF
event data. For example: file.name.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Name
rank: 1000
alias: name
owner: Osint
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- Parameter
- PrivilegeInfo
- San
- Scim
- Script
- ServicePrivilegeAnalysis
- SoftwareComponent
- Sso
- StartupItem
- ThreatActor
- Token
- Entity
- Resource
- Account
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- AutonomousSystem
- Campaign
- Check
- CisBenchmark
- CisBenchmarkResult
- CisControl
- ClassifierDetails
- Container
- D3fTactic
- D3fTechnique
- Database
- Databucket
- DomainContact
- Edge
- Endpoint
- Enrichment
- EnvironmentVariable
- Evidences
- Extension
- Feature
- File
- Graph
- Group
- HttpCookie
- HttpHeader
- Idp
- Image
- Job
- Kernel
- KeyValueObject
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metric
- Mitigation
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- ResourceDetails
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- FtpActivity
- RegValue
- WinResource
- WinService
- PrefetchQuery
range: string
references:
name: references
description: 'Provides a reference to an external source of information related
to the CTI
being represented. This may include a URL, a document, or some other type of
reference that provides additional context or information about the CTI.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- References
rank: 1000
alias: references
owner: Osint
domain_of:
- Osint
- Remediation
- Vulnerability
- Advisory
- Cve
range: string
multivalued: true
related_analytics:
name: related_analytics
description: Any analytics related to an indicator or OSINT analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Related Analytics
rank: 1000
alias: related_analytics
owner: Osint
domain_of:
- Osint
- Analytic
- FindingInfo
range: Analytic
multivalued: true
reputation:
name: reputation
description: 'Related reputational analysis from third-party engines and analysts
for a given
indicator or OSINT analysis.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Reputation Scores
rank: 1000
alias: reputation
owner: Osint
domain_of:
- Observable
- Osint
- Enrichment
range: Reputation
risk_score:
name: risk_score
description: A numerical representation of the threat indicator’s risk level.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Score
rank: 1000
alias: risk_score
owner: Osint
domain_of:
- Osint
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: integer
script:
name: script
description: Any pertinent script information related to an indicator or OSINT
analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Script
rank: 1000
alias: script
owner: Osint
domain_of:
- Osint
- Evidences
- ScriptActivity
range: Script
severity:
name: severity
description: 'Represents the severity level of the threat indicator, typically
reflecting its
potential impact or damage.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity
rank: 1000
alias: severity
owner: Osint
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Vulnerability
- Check
- Cvss
- KbArticle
- Malware
- BaseEvent
range: string
severity_id:
name: severity_id
annotations:
sibling:
tag: sibling
value: severity
description: 'The normalized severity level of the threat indicator, typically
reflecting its
potential impact or damage.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity ID
rank: 1000
alias: severity_id
owner: Osint
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Check
- Malware
- BaseEvent
range: SeverityIdEnum
signatures:
name: signatures
description: Any digital signatures or hashes related to an indicator or OSINT
analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Digital Signatures
rank: 1000
alias: signatures
owner: Osint
domain_of:
- Osint
- File
range: DigitalSignature
multivalued: true
src_url:
name: src_url
description: 'The source URL of an indicator or OSINT analysis, e.g., a URL back
to a TIP,
report, or otherwise.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Source URL
rank: 1000
alias: src_url
owner: Osint
domain_of:
- Osint
- Package
- Ticket
- Advisory
- Cvss
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Enrichment
- FindingObject
- FindingInfo
- KbArticle
- Mitigation
- SubTechnique
- Tactic
- Technique
- IncidentProfile
- IncidentFinding
range: UrlT
subdomains:
name: subdomains
description: 'Any pertinent subdomain information - such as those generated by
a Domain
Generation Algorithm - related to an indicator or OSINT analysis.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Subdomains
rank: 1000
alias: subdomains
owner: Osint
domain_of:
- Osint
- Whois
range: string
multivalued: true
subnet:
name: subnet
description: A CIDR or network block related to an indicator or OSINT analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Subnet
rank: 1000
alias: subnet
owner: Osint
domain_of:
- Osint
- Whois
- Device
range: SubnetT
threat_actor:
name: threat_actor
description: 'A threat actor is an individual or group that conducts malicious
cyber
activities, often with financial, political, or ideological motives.'
notes:
- 'STIX Threat Actor definition —
https://stixproject.github.io/data-model/1.2/ta/ThreatActorType/'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://stixproject.github.io/data-model/1.2/ta/ThreatActorType/
aliases:
- Threat Actor
rank: 1000
alias: threat_actor
owner: Osint
domain_of:
- Osint
range: ThreatActor
tlp:
name: tlp
description: 'The <a target=''_blank'' href=''https://www.first.org/tlp/''>Traffic
Light
Protocol</a> was created to facilitate greater sharing of potentially sensitive
information and more effective collaboration. TLP provides a simple and
intuitive schema for indicating with whom potentially sensitive information
can
be shared.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Traffic Light Protocol
rank: 1000
alias: tlp
owner: Osint
domain_of:
- Osint
range: OsintTlpEnum
recommended: true
type:
name: type
description: The OSINT indicator type.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type
rank: 1000
alias: type
owner: Osint
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- ProgrammaticCredential
- RelatedEvent
- San
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Dns
- Resource
- Account
- Agent
- Analytic
- ApplicationObject
- AuthenticationToken
- ClassifierDetails
- Cve
- Database
- Databucket
- DiscoveryDetails
- DnsAnswer
- DomainContact
- EncryptionDetails
- Endpoint
- Enrichment
- File
- Graph
- Group
- Ja4Fingerprint
- Kernel
- ManagedEntity
- Metadata
- Module
- NetworkEndpoint
- NetworkInterface
- Node
- PeripheralDevice
- Policy
- Rule
- Scan
- Trait
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- WebResource
- Device
- DatastoreActivity
- FtpActivity
- RegValue
- WinResource
range: string
type_id:
name: type_id
annotations:
sibling:
tag: sibling
value: type
description: The OSINT indicator type ID.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_id
owner: Osint
domain_of:
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Account
- Agent
- Analytic
- AuthenticationToken
- Database
- Databucket
- DomainContact
- Endpoint
- File
- Ja4Fingerprint
- Kernel
- ManagedEntity
- NetworkEndpoint
- NetworkInterface
- PeripheralDevice
- Scan
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- Device
- DatastoreActivity
- RegValue
- WinResource
range: OsintTypeIdEnum
required: true
uid:
name: uid
description: The unique identifier for the OSINT object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: Osint
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
uploaded_time:
name: uploaded_time
description: 'The timestamp indicating when the associated indicator or intelligence
was
added to the system or repository.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Uploaded Time
rank: 1000
alias: uploaded_time
owner: Osint
domain_of:
- Osint
range: TimestampT
value:
name: value
description: 'The actual indicator value in scope, e.g., a SHA-256 hash hexdigest
or a domain
name.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Value
rank: 1000
alias: value
owner: Osint
domain_of:
- Observable
- Observation
- Osint
- Packet
- DiscoveryDetails
- Enrichment
- EnvironmentVariable
- Fingerprint
- HttpCookie
- HttpHeader
- Ja4Fingerprint
- KeyValueObject
- LongString
- Metric
range: string
required: true
vendor_name:
name: vendor_name
description: The vendor name of a tool which generates intelligence or provides
indicators.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Vendor Name
rank: 1000
alias: vendor_name
owner: Osint
domain_of:
- Osint
- Package
- Scim
- Sso
- Vulnerability
- Agent
- Cvss
- DeviceHwInfo
- GpuInfo
- PeripheralDevice
- Product
- Device
range: string
vulnerabilities:
name: vulnerabilities
description: Any vulnerabilities related to an indicator or OSINT analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Vulnerabilities
rank: 1000
alias: vulnerabilities
owner: Osint
domain_of:
- Osint
- ApplicationSecurityPostureFinding
- DetectionFinding
- SecurityFinding
- VulnerabilityFinding
range: Vulnerability
multivalued: true
whois:
name: whois
description: Any pertinent WHOIS information related to an indicator or OSINT
analysis.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- WHOIS
rank: 1000
alias: whois
owner: Osint
domain_of:
- Osint
range: Whois