Class: Policy
The Policy object describes the policies that are applicable. Policy
attributes provide traceability to the operational state of the security
product at the time that the event was captured, facilitating forensics,
troubleshooting, and policy tuning/adjustments.
URI: ocsf:Policy
```mermaid
classDiagram
    class Policy
    click Policy href "../Policy/"
    Entity <|-- Policy
    click Entity href "../Entity/"
    Policy : data
    Policy : desc
    Policy : group
    Policy --> "0..1" Group : group
    click Group href "../Group/"
    Policy : is_applied
    Policy : name
    Policy : type
    Policy : uid
    Policy : version
```
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| data | 0..1 String | Additional data about the policy such as the underlying JSON policy itself or | direct |
| desc | 0..1 String | The description of the policy | direct |
| group | 0..1 Group | The policy group | direct |
| is_applied | 0..1 recommended Boolean | A determination if the content of a policy was applied to a target or request... | direct |
| name | 0..1 recommended String | The policy name | direct |
| type | 0..1 String | The policy type | direct |
| uid | 0..1 recommended String | A unique identifier of the policy instance | direct |
| version | 0..1 recommended String | The policy version number | direct |
Usages
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | [{'slot_conditions': {}}, {'slot_conditions': {'type': {'required': True}}}, {'slot_conditions': {'uid': {'required': True}}}] |
In Subsets
Aliases
- Policy
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["name", "type", "uid"]} |
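
The following is an added example, not code from the OCSF or LinkML projects: a small validator that applies the `at_least_one` constraint and the slot ranges from this page to a Policy object before it is stored for forensics. The function name `validate_policy` and the choice to treat empty strings as unset are assumptions made for this example.

```python
# Added example: checks a dict against the Policy slots listed on this page.
# validate_policy is a hypothetical helper, not part of any OCSF library.

STRING_SLOTS = ("data", "desc", "name", "type", "uid", "version")
RECOMMENDED = ("is_applied", "name", "uid", "version")
AT_LEAST_ONE = ("name", "type", "uid")  # from the ocsf_constraints annotation
KNOWN = set(STRING_SLOTS) | {"group", "is_applied"}


def _is_set(value):
    """Assumption: None and empty or whitespace-only strings count as unset."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip() != ""
    return True


def validate_policy(policy):
    """Return (errors, warnings) for one Policy object given as a dict."""
    errors, warnings = [], []
    for key in policy:
        if key not in KNOWN:
            # Catches typos such as "isApplied" that would silently drop data.
            warnings.append(f"{key}: not a Policy slot")
    for slot in STRING_SLOTS:
        value = policy.get(slot)
        if value is not None and not isinstance(value, str):
            errors.append(f"{slot}: expected string")
    applied = policy.get("is_applied")
    # Exact bool check: 0/1 or the string "true" are not Boolean values.
    if applied is not None and not isinstance(applied, bool):
        errors.append("is_applied: expected boolean")
    group = policy.get("group")
    if group is not None and not isinstance(group, dict):
        errors.append("group: expected Group object")
    if not any(_is_set(policy.get(s)) for s in AT_LEAST_ONE):
        errors.append("at_least_one: one of name, type, uid must be set")
    for slot in RECOMMENDED:
        if not _is_set(policy.get(slot)):
            warnings.append(f"{slot}: recommended slot missing")
    return errors, warnings


# Constructed sample: passes the constraint, but two recommended slots are absent.
SAMPLE = {"name": "AdministratorAccess Policy", "type": "Identity Policy",
          "is_applied": False}
```
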
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Policy |
| native | ocsf:Policy |
| close | iso27001:InformationSecurityPolicy |
LinkML Source
Direct
```yaml
name: Policy
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["name", "type", "uid"]}'
description: 'The Policy object describes the policies that are applicable. <p>Policy
  attributes provide traceability to the operational state of the security
  product at the time that the event was captured, facilitating forensics,
  troubleshooting, and policy tuning/adjustments.</p>'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Policy
close_mappings:
- iso27001:InformationSecurityPolicy
is_a: Entity
slots:
- data
- desc
- group
- is_applied
- name
- type
- uid
- version
slot_usage:
  data:
    name: data
    description: 'Additional data about the policy such as the underlying JSON policy
      itself or
      other details.'
  desc:
    name: desc
    description: The description of the policy.
  group:
    name: group
    description: The policy group.
  is_applied:
    name: is_applied
    description: 'A determination if the content of a policy was applied to a target
      or request,
      or not.'
    recommended: true
  name:
    name: name
    description: 'The policy name. For example: <code>AdministratorAccess Policy</code>.'
  type:
    name: type
    description: 'The policy type. For example: <code>Identity Policy, Resource Policy,
      Service
      Control Policy, etc.</code>.'
  uid:
    name: uid
    description: A unique identifier of the policy instance.
  version:
    name: version
    description: The policy version number.
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        type:
          name: type
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
  description: 'OCSF at_least_one: at least one of [''name'', ''type'', ''uid''] must
    be set.'
```
Induced
```yaml
name: Policy
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["name", "type", "uid"]}'
description: 'The Policy object describes the policies that are applicable. <p>Policy
  attributes provide traceability to the operational state of the security
  product at the time that the event was captured, facilitating forensics,
  troubleshooting, and policy tuning/adjustments.</p>'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Policy
close_mappings:
- iso27001:InformationSecurityPolicy
is_a: Entity
slot_usage:
  data:
    name: data
    description: 'Additional data about the policy such as the underlying JSON policy
      itself or
      other details.'
  desc:
    name: desc
    description: The description of the policy.
  group:
    name: group
    description: The policy group.
  is_applied:
    name: is_applied
    description: 'A determination if the content of a policy was applied to a target
      or request,
      or not.'
    recommended: true
  name:
    name: name
    description: 'The policy name. For example: <code>AdministratorAccess Policy</code>.'
  type:
    name: type
    description: 'The policy type. For example: <code>Identity Policy, Resource Policy,
      Service
      Control Policy, etc.</code>.'
  uid:
    name: uid
    description: A unique identifier of the policy instance.
  version:
    name: version
    description: The policy version number.
    recommended: true
attributes:
  data:
    name: data
    description: 'Additional data about the policy such as the underlying JSON policy
      itself or
      other details.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data
    rank: 1000
    alias: data
    owner: Policy
    domain_of:
    - Request
    - Response
    - TlsExtension
    - Resource
    - ApplicationObject
    - Edge
    - Enrichment
    - Evidences
    - ManagedEntity
    - Node
    - Policy
    - QueryInfo
    - WebResource
    - RegValue
    range: string
  desc:
    name: desc
    description: The description of the policy.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Description
    rank: 1000
    alias: desc
    owner: Policy
    domain_of:
    - Osint
    - RelatedEvent
    - Remediation
    - Vulnerability
    - Advisory
    - Analytic
    - ApplicationObject
    - Assessment
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - Compliance
    - Cve
    - Database
    - Databucket
    - Enrichment
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - Job
    - Location
    - Node
    - Policy
    - Rule
    - Table
    - WebResource
    - Device
    - IncidentFinding
    range: string
  group:
    name: group
    description: The policy group.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Group
    rank: 1000
    alias: group
    owner: Policy
    domain_of:
    - QueryEvidence
    - Api
    - ApplicationObject
    - Databucket
    - ManagedEntity
    - Policy
    - ResourceDetails
    - AdminGroupQuery
    - AuthorizeSession
    - GroupManagement
    - LinuxUsersProfile
    range: Group
  is_applied:
    name: is_applied
    description: 'A determination if the content of a policy was applied to a target
      or request,
      or not.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Applied
    rank: 1000
    alias: is_applied
    owner: Policy
    domain_of:
    - Policy
    range: boolean
    recommended: true
  name:
    name: name
    description: 'The policy name. For example: <code>AdministratorAccess Policy</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Policy
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  type:
    name: type
    description: 'The policy type. For example: <code>Identity Policy, Resource Policy,
      Service
      Control Policy, etc.</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Policy
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  uid:
    name: uid
    description: A unique identifier of the policy instance.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Policy
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  version:
    name: version
    description: The policy version number.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Version
    rank: 1000
    alias: version
    owner: Policy
    domain_of:
    - Os
    - Package
    - RpcInterface
    - Sbom
    - Scim
    - SoftwareComponent
    - Tls
    - Agent
    - AiModel
    - Analytic
    - Api
    - ApplicationObject
    - Attack
    - Certificate
    - Check
    - CisControl
    - CisCsc
    - Cvss
    - D3fend
    - Databucket
    - Epss
    - Extension
    - Feature
    - File
    - HttpRequest
    - Logger
    - ManagedEntity
    - Metadata
    - Policy
    - Product
    - ResourceDetails
    - Rule
    - Service
    - NtpActivity
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        name:
          name: name
          required: true
    - slot_conditions:
        type:
          name: type
          required: true
    - slot_conditions:
        uid:
          name: uid
          required: true
  description: 'OCSF at_least_one: at least one of [''name'', ''type'', ''uid''] must
    be set.'
```