Class: QueryEvidence
The specific resulting evidence information that was queried or discovered.
When mapping raw telemetry data, users should select the appropriate child
object that best matches the evidence type as defined by query_type_id.
URI: ocsf:QueryEvidence
```mermaid
classDiagram
class QueryEvidence
click QueryEvidence href "../QueryEvidence/"
OcsfObject <|-- QueryEvidence
click OcsfObject href "../OcsfObject/"
QueryEvidence <|-- WindowsQueryEvidence
click WindowsQueryEvidence href "../WindowsQueryEvidence/"
QueryEvidence : connection_info
QueryEvidence --> "0..1 _recommended_" NetworkConnectionInfo : connection_info
click NetworkConnectionInfo href "../NetworkConnectionInfo/"
QueryEvidence : file
QueryEvidence --> "0..1 _recommended_" File : file
click File href "../File/"
QueryEvidence : folder
QueryEvidence --> "0..1 _recommended_" File : folder
click File href "../File/"
QueryEvidence : group
QueryEvidence --> "0..1 _recommended_" Group : group
click Group href "../Group/"
QueryEvidence : job
QueryEvidence --> "0..1 _recommended_" Job : job
click Job href "../Job/"
QueryEvidence : kernel
QueryEvidence --> "0..1 _recommended_" Kernel : kernel
click Kernel href "../Kernel/"
QueryEvidence : module
QueryEvidence --> "0..1 _recommended_" Module : module
click Module href "../Module/"
QueryEvidence : network_interfaces
QueryEvidence --> "* _recommended_" NetworkInterface : network_interfaces
click NetworkInterface href "../NetworkInterface/"
QueryEvidence : peripheral_device
QueryEvidence --> "0..1 _recommended_" PeripheralDevice : peripheral_device
click PeripheralDevice href "../PeripheralDevice/"
QueryEvidence : process
QueryEvidence --> "0..1 _recommended_" Process : process
click Process href "../Process/"
QueryEvidence : query_type
QueryEvidence : query_type_id
QueryEvidence --> "1" QueryEvidenceQueryTypeIdEnum : query_type_id
click QueryEvidenceQueryTypeIdEnum href "../QueryEvidenceQueryTypeIdEnum/"
QueryEvidence : service
QueryEvidence --> "0..1 _recommended_" Service : service
click Service href "../Service/"
QueryEvidence : session
QueryEvidence --> "0..1 _recommended_" Session : session
click Session href "../Session/"
QueryEvidence : startup_item
QueryEvidence --> "0..1 _recommended_" StartupItem : startup_item
click StartupItem href "../StartupItem/"
QueryEvidence : state
QueryEvidence : tcp_state_id
QueryEvidence --> "0..1" TcpStateIdEnum : tcp_state_id
click TcpStateIdEnum href "../TcpStateIdEnum/"
QueryEvidence : user
QueryEvidence --> "0..1 _recommended_" User : user
click User href "../User/"
QueryEvidence : users
QueryEvidence --> "*" User : users
click User href "../User/"
```
Inheritance
- OcsfObject
- QueryEvidence
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| connection_info | 0..1 recommended NetworkConnectionInfo | The network connection information related to a Network Connection query type. | direct |
| file | 0..1 recommended File | The file that is the target of the query when query_type_id indicates a File query. | direct |
| folder | 0..1 recommended File | The folder that is the target of the query when query_type_id indicates a Folder query. | direct |
| group | 0..1 recommended Group | The administrative group that is the target of the query when query_type_id indicates an Admin Group query. | direct |
| job | 0..1 recommended Job | The job object that pertains to the event when query_type_id indicates a Job query. | direct |
| kernel | 0..1 recommended Kernel | The kernel object that pertains to the event when query_type_id indicates a Kernel query. | direct |
| module | 0..1 recommended Module | The module that pertains to the event when query_type_id indicates a Module query. | direct |
| network_interfaces | * recommended NetworkInterface | The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query. | direct |
| peripheral_device | 0..1 recommended PeripheralDevice | The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query. | direct |
| process | 0..1 recommended Process | The process that pertains to the event when query_type_id indicates a Process query. | direct |
| query_type | 0..1 String | The normalized caption of query_type_id or the source-specific query type. | direct |
| query_type_id | 1 QueryEvidenceQueryTypeIdEnum | The normalized type of system query performed against a device or system component. | direct |
| service | 0..1 recommended Service | The service that pertains to the event when query_type_id indicates a Service query. | direct |
| session | 0..1 recommended Session | The authenticated user or service session when query_type_id indicates a Session query. | direct |
| startup_item | 0..1 recommended StartupItem | The startup item object that pertains to the event when query_type_id indicates a Startup Item query. | direct |
| state | 0..1 String | The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. | direct |
| tcp_state_id | 0..1 TcpStateIdEnum | The state of the TCP socket for the network connection. | direct |
| user | 0..1 recommended User | The user that pertains to the event when query_type_id indicates a User query. | direct |
| users | * User | The users that belong to the administrative group when query_type_id indicates a Users query. | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| EvidenceInfo | query_evidence | range | QueryEvidence |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| exactly_one_of | [{'slot_conditions': {'connection_info': {'required': True}}}, {'slot_conditions': {'file': {'required': True}}}, {'slot_conditions': {'folder': {'required': True}}}, {'slot_conditions': {'group': {'required': True}}}, {'slot_conditions': {'job': {'required': True}}}, {'slot_conditions': {'kernel': {'required': True}}}, {'slot_conditions': {'module': {'required': True}}}, {'slot_conditions': {'network_interfaces': {'required': True}}}, {'slot_conditions': {'peripheral_device': {'required': True}}}, {'slot_conditions': {'process': {'required': True}}}, {'slot_conditions': {'service': {'required': True}}}, {'slot_conditions': {'session': {'required': True}}}, {'slot_conditions': {'startup_item': {'required': True}}}, {'slot_conditions': {'user': {'required': True}}}] |
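The rule above is the class's only structural constraint, so it is the check a mapper or ingestion pipeline most needs to get right. The following checker is an added example, not code from the OCSF project or from this generated page. It verifies that query_type_id is present, that exactly one of the 14 just_one slots is populated (an empty list in a multivalued slot counts as unset), and that an optional query_type caption agrees with the populated slot. The caption strings are taken from the slot descriptions on this page ("... when query_type_id indicates a File query"); the helper name slot_for_caption and the numeric query_type_id values in the constructed sample records are assumptions, since the QueryEvidenceQueryTypeIdEnum values are not listed here.

```python
"""Checker for the OCSF QueryEvidence just_one constraint (added example)."""
from __future__ import annotations

# The 14 slots listed in the ocsf_constraints {"just_one": [...]} annotation.
JUST_ONE_SLOTS = (
    "connection_info", "file", "folder", "group", "job", "kernel", "module",
    "network_interfaces", "peripheral_device", "process", "service",
    "session", "startup_item", "user",
)

# Caption each slot's description ties it to ("... when query_type_id
# indicates a File query"). Assumption: the source spells captions this way.
SLOT_TO_CAPTION = {
    "connection_info": "Network Connection",
    "file": "File",
    "folder": "Folder",
    "group": "Admin Group",
    "job": "Job",
    "kernel": "Kernel",
    "module": "Module",
    "network_interfaces": "Network Interfaces",
    "peripheral_device": "Peripheral Device",
    "process": "Process",
    "service": "Service",
    "session": "Session",
    "startup_item": "Startup Item",
    "user": "User",
}
CAPTION_TO_SLOT = {caption: slot for slot, caption in SLOT_TO_CAPTION.items()}


def slot_for_caption(caption: str) -> str | None:
    """Hypothetical mapping helper: which child object a mapper should populate
    for a given query type caption (None if the caption is not one of the 14)."""
    return CAPTION_TO_SLOT.get(caption)


def _is_set(value) -> bool:
    """A slot counts as set when present and non-empty; multivalued slots
    (network_interfaces, users) holding an empty list are treated as unset."""
    if value is None:
        return False
    if isinstance(value, (list, tuple, dict, str)):
        return len(value) > 0
    return True


def validate_query_evidence(evidence: dict) -> list[str]:
    """Return the constraint violations for one QueryEvidence record
    (an empty list means the record satisfies the rules on this page)."""
    problems: list[str] = []
    if evidence.get("query_type_id") is None:
        problems.append("query_type_id is required")
    present = [slot for slot in JUST_ONE_SLOTS if _is_set(evidence.get(slot))]
    if not present:
        problems.append("just_one violated: none of the evidence slots is set")
    elif len(present) > 1:
        problems.append(
            "just_one violated: multiple evidence slots set: " + ", ".join(present)
        )
    caption = evidence.get("query_type")
    if caption and len(present) == 1 and SLOT_TO_CAPTION[present[0]] != caption:
        problems.append(
            f"query_type {caption!r} does not match populated slot {present[0]!r}"
        )
    return problems


# Constructed sample records (not real telemetry). The query_type_id integers
# are placeholders: the QueryEvidenceQueryTypeIdEnum values are not on this page.
VALID_FILE_QUERY = {
    "query_type_id": 1,
    "query_type": "File",
    "file": {"name": "hosts", "path": "/etc/hosts"},
}
OVERLOADED = {
    "query_type_id": 1,
    "file": {"name": "hosts", "path": "/etc/hosts"},
    "process": {"pid": 4242, "name": "cat"},
}
EMPTY_INTERFACES = {"query_type_id": 2, "network_interfaces": []}
MISMATCHED_CAPTION = {
    "query_type_id": 1,
    "query_type": "Folder",
    "file": {"name": "hosts", "path": "/etc/hosts"},
}

if __name__ == "__main__":
    for name, record in [
        ("valid", VALID_FILE_QUERY), ("overloaded", OVERLOADED),
        ("empty_interfaces", EMPTY_INTERFACES), ("mismatch", MISMATCHED_CAPTION),
    ]:
        print(name, validate_query_evidence(record) or "ok")
```

The empty-list case matters in practice: a mapper that always emits network_interfaces as [] would otherwise appear to satisfy just_one for every record, masking events where the real evidence object was never populated.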
In Subsets
- objects_subset
Aliases
- Query Evidence
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"just_one": ["connection_info", "file", "folder", "group", "job", "kernel", "module", "network_interfaces", "peripheral_device", "process", "service", "session", "startup_item", "user"]} |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:QueryEvidence |
| native | ocsf:QueryEvidence |
LinkML Source
Direct
name: QueryEvidence
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"just_one": ["connection_info", "file", "folder", "group", "job", "kernel",
"module", "network_interfaces", "peripheral_device", "process", "service",
"session", "startup_item", "user"]}'
description: 'The specific resulting evidence information that was queried or discovered.
When mapping raw telemetry data users should select the appropriate child
object that best matches the evidence type as defined by query_type_id.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Query Evidence
is_a: OcsfObject
slots:
- connection_info
- file
- folder
- group
- job
- kernel
- module
- network_interfaces
- peripheral_device
- process
- query_type
- query_type_id
- service
- session
- startup_item
- state
- tcp_state_id
- user
- users
slot_usage:
connection_info:
name: connection_info
annotations:
group:
tag: group
value: primary
description: The network connection information related to a Network Connection
query type.
recommended: true
file:
name: file
annotations:
group:
tag: group
value: primary
description: 'The file that is the target of the query when query_type_id indicates
a File
query.'
recommended: true
folder:
name: folder
annotations:
group:
tag: group
value: primary
description: 'The folder that is the target of the query when query_type_id indicates
a
Folder query.'
recommended: true
group:
name: group
annotations:
group:
tag: group
value: primary
description: 'The administrative group that is the target of the query when query_type_id
indicates an Admin Group query.'
recommended: true
job:
name: job
annotations:
group:
tag: group
value: primary
description: 'The job object that pertains to the event when query_type_id indicates
a Job
query.'
recommended: true
kernel:
name: kernel
annotations:
group:
tag: group
value: primary
description: 'The kernel object that pertains to the event when query_type_id
indicates a
Kernel query.'
recommended: true
module:
name: module
annotations:
group:
tag: group
value: primary
description: 'The module that pertains to the event when query_type_id indicates
a Module
query.'
recommended: true
network_interfaces:
name: network_interfaces
annotations:
group:
tag: group
value: primary
description: 'The physical or virtual network interfaces that are associated with
the device
when query_type_id indicates a Network Interfaces query.'
recommended: true
peripheral_device:
name: peripheral_device
annotations:
group:
tag: group
value: primary
description: 'The peripheral device that triggered the event when query_type_id
indicates a
Peripheral Device query.'
recommended: true
process:
name: process
annotations:
group:
tag: group
value: primary
description: 'The process that pertains to the event when query_type_id indicates
a Process
query.'
recommended: true
query_type:
name: query_type
annotations:
group:
tag: group
value: classification
description: The normalized caption of query_type_id or the source-specific query
type.
query_type_id:
name: query_type_id
annotations:
group:
tag: group
value: classification
description: 'The normalized type of system query performed against a device or
system
component.'
range: QueryEvidenceQueryTypeIdEnum
required: true
service:
name: service
annotations:
group:
tag: group
value: primary
description: 'The service that pertains to the event when query_type_id indicates
a Service
query.'
recommended: true
session:
name: session
annotations:
group:
tag: group
value: primary
description: 'The authenticated user or service session when query_type_id indicates
a
Session query.'
recommended: true
startup_item:
name: startup_item
annotations:
group:
tag: group
value: primary
description: 'The startup item object that pertains to the event when query_type_id
indicates
a Startup Item query.'
recommended: true
state:
name: state
annotations:
group:
tag: group
value: context
description: 'The state of the socket, normalized to the caption of the state_id
value. In
the case of ''Other'', it is defined by the event source.'
tcp_state_id:
name: tcp_state_id
annotations:
group:
tag: group
value: context
user:
name: user
annotations:
group:
tag: group
value: primary
description: The user that pertains to the event when query_type_id indicates
a User query.
recommended: true
users:
name: users
annotations:
group:
tag: group
value: context
description: 'The users that belong to the administrative group when query_type_id
indicates
a Users query.'
rules:
- postconditions:
exactly_one_of:
- slot_conditions:
connection_info:
name: connection_info
required: true
- slot_conditions:
file:
name: file
required: true
- slot_conditions:
folder:
name: folder
required: true
- slot_conditions:
group:
name: group
required: true
- slot_conditions:
job:
name: job
required: true
- slot_conditions:
kernel:
name: kernel
required: true
- slot_conditions:
module:
name: module
required: true
- slot_conditions:
network_interfaces:
name: network_interfaces
required: true
- slot_conditions:
peripheral_device:
name: peripheral_device
required: true
- slot_conditions:
process:
name: process
required: true
- slot_conditions:
service:
name: service
required: true
- slot_conditions:
session:
name: session
required: true
- slot_conditions:
startup_item:
name: startup_item
required: true
- slot_conditions:
user:
name: user
required: true
description: 'OCSF just_one: exactly one of [''connection_info'', ''file'', ''folder'',
''group'',
''job'', ''kernel'', ''module'', ''network_interfaces'', ''peripheral_device'',
''process'', ''service'', ''session'', ''startup_item'', ''user''] must be set.'
Induced
name: QueryEvidence
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"just_one": ["connection_info", "file", "folder", "group", "job", "kernel",
"module", "network_interfaces", "peripheral_device", "process", "service",
"session", "startup_item", "user"]}'
description: 'The specific resulting evidence information that was queried or discovered.
When mapping raw telemetry data users should select the appropriate child
object that best matches the evidence type as defined by query_type_id.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Query Evidence
is_a: OcsfObject
slot_usage:
connection_info:
name: connection_info
annotations:
group:
tag: group
value: primary
description: The network connection information related to a Network Connection
query type.
recommended: true
file:
name: file
annotations:
group:
tag: group
value: primary
description: 'The file that is the target of the query when query_type_id indicates
a File
query.'
recommended: true
folder:
name: folder
annotations:
group:
tag: group
value: primary
description: 'The folder that is the target of the query when query_type_id indicates
a
Folder query.'
recommended: true
group:
name: group
annotations:
group:
tag: group
value: primary
description: 'The administrative group that is the target of the query when query_type_id
indicates an Admin Group query.'
recommended: true
job:
name: job
annotations:
group:
tag: group
value: primary
description: 'The job object that pertains to the event when query_type_id indicates
a Job
query.'
recommended: true
kernel:
name: kernel
annotations:
group:
tag: group
value: primary
description: 'The kernel object that pertains to the event when query_type_id
indicates a
Kernel query.'
recommended: true
module:
name: module
annotations:
group:
tag: group
value: primary
description: 'The module that pertains to the event when query_type_id indicates
a Module
query.'
recommended: true
network_interfaces:
name: network_interfaces
annotations:
group:
tag: group
value: primary
description: 'The physical or virtual network interfaces that are associated with
the device
when query_type_id indicates a Network Interfaces query.'
recommended: true
peripheral_device:
name: peripheral_device
annotations:
group:
tag: group
value: primary
description: 'The peripheral device that triggered the event when query_type_id
indicates a
Peripheral Device query.'
recommended: true
process:
name: process
annotations:
group:
tag: group
value: primary
description: 'The process that pertains to the event when query_type_id indicates
a Process
query.'
recommended: true
query_type:
name: query_type
annotations:
group:
tag: group
value: classification
description: The normalized caption of query_type_id or the source-specific query
type.
query_type_id:
name: query_type_id
annotations:
group:
tag: group
value: classification
description: 'The normalized type of system query performed against a device or
system
component.'
range: QueryEvidenceQueryTypeIdEnum
required: true
service:
name: service
annotations:
group:
tag: group
value: primary
description: 'The service that pertains to the event when query_type_id indicates
a Service
query.'
recommended: true
session:
name: session
annotations:
group:
tag: group
value: primary
description: 'The authenticated user or service session when query_type_id indicates
a
Session query.'
recommended: true
startup_item:
name: startup_item
annotations:
group:
tag: group
value: primary
description: 'The startup item object that pertains to the event when query_type_id
indicates
a Startup Item query.'
recommended: true
state:
name: state
annotations:
group:
tag: group
value: context
description: 'The state of the socket, normalized to the caption of the state_id
value. In
the case of ''Other'', it is defined by the event source.'
tcp_state_id:
name: tcp_state_id
annotations:
group:
tag: group
value: context
user:
name: user
annotations:
group:
tag: group
value: primary
description: The user that pertains to the event when query_type_id indicates
a User query.
recommended: true
users:
name: users
annotations:
group:
tag: group
value: context
description: 'The users that belong to the administrative group when query_type_id
indicates
a Users query.'
attributes:
connection_info:
name: connection_info
annotations:
group:
tag: group
value: primary
description: The network connection information related to a Network Connection
query type.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Connection Info
rank: 1000
alias: connection_info
owner: QueryEvidence
domain_of:
- QueryEvidence
- Evidences
- FileHosting
- NetworkConnectionQuery
- NetworkEvent
- DnsActivity
- NetworkFileActivity
- RdpActivity
- TunnelActivity
- NetworkRemediationActivity
- UnmannedSystemsEvent
range: NetworkConnectionInfo
recommended: true
file:
name: file
annotations:
group:
tag: group
value: primary
description: 'The file that is the target of the query when query_type_id indicates
a File
query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- File
rank: 1000
alias: file
owner: QueryEvidence
domain_of:
- Osint
- QueryEvidence
- Script
- AffectedCode
- Databucket
- Evidences
- Job
- KernelDriver
- Module
- Process
- FileHosting
- FileQuery
- DataSecurityFinding
- EmailFileActivity
- FtpActivity
- HttpActivity
- NetworkFileActivity
- RdpActivity
- SmbActivity
- SshActivity
- FileRemediationActivity
- EventLogActvity
- FileActivity
range: File
recommended: true
folder:
name: folder
annotations:
group:
tag: group
value: primary
description: 'The folder that is the target of the query when query_type_id indicates
a
Folder query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Folder
rank: 1000
alias: folder
owner: QueryEvidence
domain_of:
- QueryEvidence
- FolderQuery
range: File
recommended: true
group:
name: group
annotations:
group:
tag: group
value: primary
description: 'The administrative group that is the target of the query when query_type_id
indicates an Admin Group query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Group
rank: 1000
alias: group
owner: QueryEvidence
domain_of:
- QueryEvidence
- Api
- ApplicationObject
- Databucket
- ManagedEntity
- Policy
- ResourceDetails
- AdminGroupQuery
- AuthorizeSession
- GroupManagement
- LinuxUsersProfile
range: Group
recommended: true
job:
name: job
annotations:
group:
tag: group
value: primary
description: 'The job object that pertains to the event when query_type_id indicates
a Job
query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Job
rank: 1000
alias: job
owner: QueryEvidence
domain_of:
- QueryEvidence
- StartupItem
- Evidences
- JobQuery
- ScheduledJobActivity
range: Job
recommended: true
kernel:
name: kernel
annotations:
group:
tag: group
value: primary
description: 'The kernel object that pertains to the event when query_type_id
indicates a
Kernel query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Kernel
rank: 1000
alias: kernel
owner: QueryEvidence
domain_of:
- QueryEvidence
- KernelObjectQuery
- KernelActivity
range: Kernel
recommended: true
module:
name: module
annotations:
group:
tag: group
value: primary
description: 'The module that pertains to the event when query_type_id indicates
a Module
query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Module
rank: 1000
alias: module
owner: QueryEvidence
domain_of:
- QueryEvidence
- ModuleQuery
- ModuleActivity
- ProcessActivity
range: Module
recommended: true
network_interfaces:
name: network_interfaces
annotations:
group:
tag: group
value: primary
description: 'The physical or virtual network interfaces that are associated with
the device
when query_type_id indicates a Network Interfaces query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Interfaces
rank: 1000
alias: network_interfaces
owner: QueryEvidence
domain_of:
- QueryEvidence
- Device
- NetworksQuery
range: NetworkInterface
recommended: true
multivalued: true
peripheral_device:
name: peripheral_device
annotations:
group:
tag: group
value: primary
description: 'The peripheral device that triggered the event when query_type_id
indicates a
Peripheral Device query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Peripheral Device
rank: 1000
alias: peripheral_device
owner: QueryEvidence
domain_of:
- QueryEvidence
- PeripheralDeviceQuery
- PeripheralActivity
range: PeripheralDevice
recommended: true
process:
name: process
annotations:
group:
tag: group
value: primary
description: 'The process that pertains to the event when query_type_id indicates
a Process
query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process
rank: 1000
alias: process
owner: QueryEvidence
domain_of:
- QueryEvidence
- StartupItem
- Actor
- Evidences
- ModuleQuery
- NetworkConnectionQuery
- ProcessQuery
- SecurityFinding
- ProcessRemediationActivity
- MemoryActivity
- ProcessActivity
range: Process
recommended: true
query_type:
name: query_type
annotations:
group:
tag: group
value: classification
description: The normalized caption of query_type_id or the source-specific query
type.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Query Type
rank: 1000
alias: query_type
owner: QueryEvidence
domain_of:
- QueryEvidence
range: string
query_type_id:
name: query_type_id
annotations:
group:
tag: group
value: classification
description: 'The normalized type of system query performed against a device or
system
component.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Query Type ID
rank: 1000
alias: query_type_id
owner: QueryEvidence
domain_of:
- QueryEvidence
range: QueryEvidenceQueryTypeIdEnum
required: true
service:
name: service
annotations:
group:
tag: group
value: primary
description: 'The service that pertains to the event when query_type_id indicates
a Service
query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Service
rank: 1000
alias: service
owner: QueryEvidence
domain_of:
- QueryEvidence
- Span
- Trace
- Api
- MessageContext
- ServiceQuery
- Authentication
range: Service
recommended: true
session:
name: session
annotations:
group:
tag: group
value: primary
description: 'The authenticated user or service session when query_type_id indicates
a
Session query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Session
rank: 1000
alias: session
owner: QueryEvidence
domain_of:
- QueryEvidence
- Actor
- NetworkConnectionInfo
- Process
- SessionQuery
- Authentication
- AuthorizeSession
- TunnelActivity
range: Session
recommended: true
startup_item:
name: startup_item
annotations:
group:
tag: group
value: primary
description: 'The startup item object that pertains to the event when query_type_id
indicates
a Startup Item query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Startup Item
rank: 1000
alias: startup_item
owner: QueryEvidence
domain_of:
- QueryEvidence
- StartupItemQuery
range: StartupItem
recommended: true
state:
name: state
annotations:
group:
tag: group
value: context
description: 'The state of the socket, normalized to the caption of the state_id
value. In
the case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- State
rank: 1000
alias: state
owner: QueryEvidence
domain_of:
- QueryEvidence
- Scim
- SecurityState
- Analytic
- DigitalSignature
- Idp
- DeviceConfigStateChange
- NetworkConnectionQuery
- SecurityFinding
range: string
tcp_state_id:
name: tcp_state_id
annotations:
group:
tag: group
value: context
description: The state of the TCP socket for the network connection.
notes:
- RFC 9293 — https://datatracker.ietf.org/doc/html/rfc9293
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://datatracker.ietf.org/doc/html/rfc9293
aliases:
- TCP State ID
rank: 1000
alias: tcp_state_id
owner: QueryEvidence
domain_of:
- QueryEvidence
range: TcpStateIdEnum
user:
name: user
annotations:
group:
tag: group
value: primary
description: The user that pertains to the event when query_type_id indicates
a User query.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- User
rank: 1000
alias: user
owner: QueryEvidence
domain_of:
- QueryEvidence
- Actor
- Evidences
- Job
- ManagedEntity
- Process
- UserInventory
- UserQuery
- IamAnalysisFinding
- AccountChange
- Authentication
- AuthorizeSession
- GroupManagement
- UserAccess
- RdpActivity
- TunnelActivity
range: User
recommended: true
users:
name: users
annotations:
group:
tag: group
value: context
description: 'The users that belong to the administrative group when query_type_id
indicates
a Users query.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Users
rank: 1000
alias: users
owner: QueryEvidence
domain_of:
- QueryEvidence
- AdminGroupQuery
range: User
multivalued: true
rules:
- postconditions:
exactly_one_of:
- slot_conditions:
connection_info:
name: connection_info
required: true
- slot_conditions:
file:
name: file
required: true
- slot_conditions:
folder:
name: folder
required: true
- slot_conditions:
group:
name: group
required: true
- slot_conditions:
job:
name: job
required: true
- slot_conditions:
kernel:
name: kernel
required: true
- slot_conditions:
module:
name: module
required: true
- slot_conditions:
network_interfaces:
name: network_interfaces
required: true
- slot_conditions:
peripheral_device:
name: peripheral_device
required: true
- slot_conditions:
process:
name: process
required: true
- slot_conditions:
service:
name: service
required: true
- slot_conditions:
session:
name: session
required: true
- slot_conditions:
startup_item:
name: startup_item
required: true
- slot_conditions:
user:
name: user
required: true
description: 'OCSF just_one: exactly one of [''connection_info'', ''file'', ''folder'',
''group'',
''job'', ''kernel'', ''module'', ''network_interfaces'', ''peripheral_device'',
''process'', ''service'', ''session'', ''startup_item'', ''user''] must be set.'