Enum: QueryEvidenceQueryTypeIdEnum

The normalized type of system query performed against a device or system component.

URI: ocsf:QueryEvidenceQueryTypeIdEnum

Permissible Values

| Value | Meaning | Description |
| --- | --- | --- |
| UNKNOWN | None | The query type was unknown or not specified. |
| KERNEL | None | A query about kernel resources including system calls, shared mutex, or other kernel components. |
| FILE | None | A query about file attributes, metadata, content, hash values, or properties. |
| FOLDER | None | A query about folder attributes, metadata, content, or structure. |
| ADMIN_GROUP | None | A query about group membership, privileges, domain, or group properties. |
| JOB | None | A query about scheduled jobs, their command lines, run states, or execution times. |
| MODULE | None | A query about loaded modules, their base addresses, load types, or function entry points. |
| NETWORK_CONNECTION | None | A query about active network connections, boundaries, protocols, or TCP states. |
| NETWORK_INTERFACES | None | A query about physical or virtual network interfaces, their IP/MAC addresses, or types. |
| PERIPHERAL_DEVICE | None | A query about attached peripheral devices, their classes, models, or vendor information. |
| PROCESS | None | A query about running processes, command lines, ancestry, loaded modules, or execution context. |
| SERVICE | None | A query about system services, their names, versions, labels, or properties. |
| SESSION | None | A query about authenticated user or service sessions, their creation times, or issuer details. |
| USER | None | A query about user accounts, their properties, credentials, or domain information. |
| USERS | None | A query about multiple users belonging to an administrative group. |
| STARTUP_ITEM | None | A query about startup configuration items, their run modes, start types, or current states. |
| REGISTRY_KEY | None | A Windows-specific query about registry keys, their paths, security descriptors, or modification times. |
| REGISTRY_VALUE | None | A Windows-specific query about registry values, their data types, content, or names. |
| PREFETCH | None | A Windows-specific query about prefetch files, their run counts, last execution times, or existence. |
| OTHER | None | The query type was not mapped to a standard category. See the query_type attribute for the source-specific value. |

Slots

| Name | Description |
| --- | --- |
| query_type_id | The normalized type of system query performed against a device or system component. |

Identifier and Mapping Information

Schema Source

LinkML Source

name: QueryEvidenceQueryTypeIdEnum
description: 'The normalized type of system query performed against a device or system

  component.'
from_schema: https://w3id.org/lmodel/ocsf
rank: 1000
permissible_values:
  UNKNOWN:
    text: UNKNOWN
    description: The query type was unknown or not specified.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '0'
      caption:
        tag: caption
        value: Unknown
  KERNEL:
    text: KERNEL
    description: 'A query about kernel resources including system calls, shared mutex,
      or other

      kernel components.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '1'
      caption:
        tag: caption
        value: Kernel
  FILE:
    text: FILE
    description: A query about file attributes, metadata, content, hash values, or
      properties.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '2'
      caption:
        tag: caption
        value: File
  FOLDER:
    text: FOLDER
    description: A query about folder attributes, metadata, content, or structure.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '3'
      caption:
        tag: caption
        value: Folder
  ADMIN_GROUP:
    text: ADMIN_GROUP
    description: A query about group membership, privileges, domain, or group properties.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '4'
      caption:
        tag: caption
        value: Admin Group
  JOB:
    text: JOB
    description: 'A query about scheduled jobs, their command lines, run states, or
      execution

      times.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '5'
      caption:
        tag: caption
        value: Job
  MODULE:
    text: MODULE
    description: 'A query about loaded modules, their base addresses, load types,
      or function

      entry points.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '6'
      caption:
        tag: caption
        value: Module
  NETWORK_CONNECTION:
    text: NETWORK_CONNECTION
    description: A query about active network connections, boundaries, protocols,
      or TCP states.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '7'
      caption:
        tag: caption
        value: Network Connection
  NETWORK_INTERFACES:
    text: NETWORK_INTERFACES
    description: 'A query about physical or virtual network interfaces, their IP/MAC
      addresses,

      or types.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '8'
      caption:
        tag: caption
        value: Network Interfaces
  PERIPHERAL_DEVICE:
    text: PERIPHERAL_DEVICE
    description: 'A query about attached peripheral devices, their classes, models,
      or vendor

      information.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '9'
      caption:
        tag: caption
        value: Peripheral Device
  PROCESS:
    text: PROCESS
    description: 'A query about running processes, command lines, ancestry, loaded
      modules, or

      execution context.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '10'
      caption:
        tag: caption
        value: Process
  SERVICE:
    text: SERVICE
    description: A query about system services, their names, versions, labels, or
      properties.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '11'
      caption:
        tag: caption
        value: Service
  SESSION:
    text: SESSION
    description: 'A query about authenticated user or service sessions, their creation
      times, or

      issuer details.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '12'
      caption:
        tag: caption
        value: Session
  USER:
    text: USER
    description: 'A query about user accounts, their properties, credentials, or domain

      information.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '13'
      caption:
        tag: caption
        value: User
  USERS:
    text: USERS
    description: A query about multiple users belonging to an administrative group.
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '14'
      caption:
        tag: caption
        value: Users
  STARTUP_ITEM:
    text: STARTUP_ITEM
    description: 'A query about startup configuration items, their run modes, start
      types, or

      current states.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '15'
      caption:
        tag: caption
        value: Startup Item
  REGISTRY_KEY:
    text: REGISTRY_KEY
    description: 'A Windows-specific query about registry keys, their paths, security

      descriptors, or modification times.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '16'
      caption:
        tag: caption
        value: Registry Key
  REGISTRY_VALUE:
    text: REGISTRY_VALUE
    description: 'A Windows-specific query about registry values, their data types,
      content, or

      names.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '17'
      caption:
        tag: caption
        value: Registry Value
  PREFETCH:
    text: PREFETCH
    description: 'A Windows-specific query about prefetch files, their run counts,
      last execution

      times, or existence.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '18'
      caption:
        tag: caption
        value: Prefetch
  OTHER:
    text: OTHER
    description: 'The query type was not mapped to a standard category. See the query_type

      attribute for source-specific value.'
    annotations:
      ocsf_uid:
        tag: ocsf_uid
        value: '99'
      caption:
        tag: caption
        value: Other