# Class: SecurityControlProfile

The attributes including disposition that represent the outcome of a security control including but not limited to access control, malware or policy violation, network proxy, intrusion detection, firewall, or data control. The profile is intended to augment activities or findings with an outcome when a security control has observed or intervened. If the control detected a security violation, and the `disposition_id` or `action_id` is an alertable outcome or action, the `is_alert` flag may be set to `true`.

URI: ocsf:SecurityControlProfile
```mermaid
classDiagram
    class SecurityControlProfile
    click SecurityControlProfile href "../SecurityControlProfile/"
    SecurityControlProfile <|-- BaseEvent
    click BaseEvent href "../BaseEvent/"
    SecurityControlProfile : action
    SecurityControlProfile : action_id
    SecurityControlProfile --> "0..1 _recommended_" ActionIdEnum : action_id
    click ActionIdEnum href "../ActionIdEnum/"
    SecurityControlProfile : attacks
    SecurityControlProfile --> "*" Attack : attacks
    click Attack href "../Attack/"
    SecurityControlProfile : authorizations
    SecurityControlProfile --> "*" Authorization : authorizations
    click Authorization href "../Authorization/"
    SecurityControlProfile : confidence
    SecurityControlProfile : confidence_id
    SecurityControlProfile --> "0..1 _recommended_" ConfidenceIdEnum : confidence_id
    click ConfidenceIdEnum href "../ConfidenceIdEnum/"
    SecurityControlProfile : confidence_score
    SecurityControlProfile : disposition
    SecurityControlProfile : disposition_id
    SecurityControlProfile --> "0..1 _recommended_" DispositionIdEnum : disposition_id
    click DispositionIdEnum href "../DispositionIdEnum/"
    SecurityControlProfile : firewall_rule
    SecurityControlProfile --> "0..1" FirewallRule : firewall_rule
    click FirewallRule href "../FirewallRule/"
    SecurityControlProfile : is_alert
    SecurityControlProfile : malware
    SecurityControlProfile --> "*" Malware : malware
    click Malware href "../Malware/"
    SecurityControlProfile : malware_scan_info
    SecurityControlProfile --> "0..1" MalwareScanInfo : malware_scan_info
    click MalwareScanInfo href "../MalwareScanInfo/"
    SecurityControlProfile : policy
    SecurityControlProfile --> "0..1" Policy : policy
    click Policy href "../Policy/"
    SecurityControlProfile : risk_details
    SecurityControlProfile : risk_level
    SecurityControlProfile : risk_level_id
    SecurityControlProfile --> "0..1" RiskLevelIdEnum : risk_level_id
    click RiskLevelIdEnum href "../RiskLevelIdEnum/"
    SecurityControlProfile : risk_score
```
## Class Properties

| Property | Value |
|---|---|
| Mixin | Yes |

## Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| action | 0..1 String | The normalized caption of action_id | direct |
| action_id | 0..1 recommended ActionIdEnum | The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action. | direct |
| attacks | * Attack | An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques. | direct |
| authorizations | * Authorization | Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event. | direct |
| confidence | 0..1 String | The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. | direct |
| confidence_id | 0..1 recommended ConfidenceIdEnum | The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. | direct |
| confidence_score | 0..1 Integer | The confidence score as reported by the event source | direct |
| disposition | 0..1 String | The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. | direct |
| disposition_id | 0..1 recommended DispositionIdEnum | Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations. | direct |
| firewall_rule | 0..1 FirewallRule | The firewall rule that pertains to the control that triggered the event, if applicable. | direct |
| is_alert | 0..1 recommended Boolean | Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed. | direct |
| malware | * Malware | A list of Malware objects, describing details about the identified malware. | direct |
| malware_scan_info | 0..1 MalwareScanInfo | Describes details about the scan job that identified malware on the target system. | direct |
| policy | 0..1 Policy | The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy. | direct |
| risk_details | 0..1 String | Describes the risk associated with the finding | direct |
| risk_level | 0..1 String | The risk level, normalized to the caption of the risk_level_id value | direct |
| risk_level_id | 0..1 RiskLevelIdEnum | The normalized risk level id | direct |
| risk_score | 0..1 Integer | The risk score as reported by the event source | direct |
## Mixin Usage

| mixed into | description |
|---|---|
| BaseEvent | The base event is a generic and concrete event |

## In Subsets

- security_control_profile_subset

## Aliases

- Security Control

## Identifier and Mapping Information

### Annotations

| property | value |
|---|---|
| ocsf_profile | security_control |
| group | primary |

### Schema Source

- from schema: https://w3id.org/lmodel/ocsf

## Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:SecurityControlProfile |
| native | ocsf:SecurityControlProfile |
## LinkML Source

### Direct

```yaml
name: SecurityControlProfile
annotations:
  ocsf_profile:
    tag: ocsf_profile
    value: security_control
  group:
    tag: group
    value: primary
description: 'The attributes including disposition that represent the outcome of a
  security control including but not limited to access control, malware or policy
  violation, network proxy, intrusion detection, firewall, or data control. The
  profile is intended to augment activities or findings with an outcome when a
  security control has observed or intervened. If the control detected a security
  violation, and the <code>disposition_id</code> or <code>action_id</code> is an
  alertable outcome or action, the <code>is_alert</code> flag may be set to
  <code>true</code>.'
in_subset:
- security_control_profile_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Security Control
mixin: true
slots:
- action
- action_id
- attacks
- authorizations
- confidence
- confidence_id
- confidence_score
- disposition
- disposition_id
- firewall_rule
- is_alert
- malware
- malware_scan_info
- policy
- risk_details
- risk_level
- risk_level_id
- risk_score
slot_usage:
  action:
    name: action
    description: The normalized caption of <code>action_id</code>.
  action_id:
    name: action_id
    description: 'The action taken by a control or other policy-based system leading
      to an outcome or disposition. An unknown action may still correspond to a known
      disposition. Refer to <code>disposition_id</code> for the outcome of the
      action.'
    recommended: true
  confidence:
    name: confidence
    annotations:
      group:
        tag: group
        value: context
  confidence_id:
    name: confidence_id
    annotations:
      group:
        tag: group
        value: context
    recommended: true
  confidence_score:
    name: confidence_score
    annotations:
      group:
        tag: group
        value: context
  disposition_id:
    name: disposition_id
    recommended: true
  firewall_rule:
    name: firewall_rule
    description: 'The firewall rule that pertains to the control that triggered the
      event, if applicable.'
  is_alert:
    name: is_alert
    description: 'Indicates that the event is considered to be an alertable signal.
      Should be set to <code>true</code> if <code>disposition_id = Alert</code> among
      other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code>
      of the event is elevated. Not all control events will be alertable, for example
      if <code>disposition_id = Exonerated</code> or <code>disposition_id =
      Allowed</code>.'
    recommended: true
  policy:
    name: policy
    description: 'The policy that pertains to the control that triggered the event,
      if applicable. For example the name of an anti-malware policy or an access
      control policy.'
  risk_details:
    name: risk_details
    annotations:
      group:
        tag: group
        value: context
  risk_level:
    name: risk_level
    annotations:
      group:
        tag: group
        value: context
  risk_level_id:
    name: risk_level_id
    annotations:
      group:
        tag: group
        value: context
  risk_score:
    name: risk_score
    annotations:
      group:
        tag: group
        value: context
```
### Induced

```yaml
name: SecurityControlProfile
annotations:
  ocsf_profile:
    tag: ocsf_profile
    value: security_control
  group:
    tag: group
    value: primary
description: 'The attributes including disposition that represent the outcome of a
  security control including but not limited to access control, malware or policy
  violation, network proxy, intrusion detection, firewall, or data control. The
  profile is intended to augment activities or findings with an outcome when a
  security control has observed or intervened. If the control detected a security
  violation, and the <code>disposition_id</code> or <code>action_id</code> is an
  alertable outcome or action, the <code>is_alert</code> flag may be set to
  <code>true</code>.'
in_subset:
- security_control_profile_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Security Control
mixin: true
slot_usage:
  action:
    name: action
    description: The normalized caption of <code>action_id</code>.
  action_id:
    name: action_id
    description: 'The action taken by a control or other policy-based system leading
      to an outcome or disposition. An unknown action may still correspond to a known
      disposition. Refer to <code>disposition_id</code> for the outcome of the
      action.'
    recommended: true
  confidence:
    name: confidence
    annotations:
      group:
        tag: group
        value: context
  confidence_id:
    name: confidence_id
    annotations:
      group:
        tag: group
        value: context
    recommended: true
  confidence_score:
    name: confidence_score
    annotations:
      group:
        tag: group
        value: context
  disposition_id:
    name: disposition_id
    recommended: true
  firewall_rule:
    name: firewall_rule
    description: 'The firewall rule that pertains to the control that triggered the
      event, if applicable.'
  is_alert:
    name: is_alert
    description: 'Indicates that the event is considered to be an alertable signal.
      Should be set to <code>true</code> if <code>disposition_id = Alert</code> among
      other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code>
      of the event is elevated. Not all control events will be alertable, for example
      if <code>disposition_id = Exonerated</code> or <code>disposition_id =
      Allowed</code>.'
    recommended: true
  policy:
    name: policy
    description: 'The policy that pertains to the control that triggered the event,
      if applicable. For example the name of an anti-malware policy or an access
      control policy.'
  risk_details:
    name: risk_details
    annotations:
      group:
        tag: group
        value: context
  risk_level:
    name: risk_level
    annotations:
      group:
        tag: group
        value: context
  risk_level_id:
    name: risk_level_id
    annotations:
      group:
        tag: group
        value: context
  risk_score:
    name: risk_score
    annotations:
      group:
        tag: group
        value: context
attributes:
  action:
    name: action
    description: The normalized caption of <code>action_id</code>.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Action
    rank: 1000
    alias: action
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    range: string
  action_id:
    name: action_id
    annotations:
      sibling:
        tag: sibling
        value: action
    description: 'The action taken by a control or other policy-based system leading
      to an outcome or disposition. An unknown action may still correspond to a known
      disposition. Refer to <code>disposition_id</code> for the outcome of the
      action.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Action ID
    rank: 1000
    alias: action_id
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    range: ActionIdEnum
    recommended: true
  attacks:
    name: attacks
    description: 'An array of MITRE ATT&CK® objects describing identified tactics,
      techniques & sub-techniques. The objects are compatible with MITRE ATLAS™
      tactics, techniques & sub-techniques.'
    notes:
    - MITRE ATT&CK® — https://attack.mitre.org
    - MITRE ATLAS — https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE ATT&CK® and ATLAS™ Details
    rank: 1000
    alias: attacks
    owner: SecurityControlProfile
    domain_of:
    - Osint
    - RelatedEvent
    - FindingInfo
    - SecurityControlProfile
    - IncidentFinding
    - SecurityFinding
    range: Attack
    multivalued: true
  authorizations:
    name: authorizations
    description: 'Provides details about an authorization, such as authorization
      outcome, and any associated policies related to the activity/event.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Authorization Information
    rank: 1000
    alias: authorizations
    owner: SecurityControlProfile
    domain_of:
    - Actor
    - SecurityControlProfile
    range: Authorization
    multivalued: true
  confidence:
    name: confidence
    annotations:
      group:
        tag: group
        value: context
    description: 'The confidence, normalized to the caption of the confidence_id value.
      In the case of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Confidence
    rank: 1000
    alias: confidence
    owner: SecurityControlProfile
    domain_of:
    - Osint
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - Finding
    - IncidentFinding
    - SecurityFinding
    range: string
  confidence_id:
    name: confidence_id
    annotations:
      group:
        tag: group
        value: context
    description: 'The normalized confidence refers to the accuracy of the rule that
      created the finding. A rule with a low confidence means that the finding scope
      is wide and may create finding reports that may not be malicious in nature.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Confidence ID
    rank: 1000
    alias: confidence_id
    owner: SecurityControlProfile
    domain_of:
    - Osint
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - Finding
    - IncidentFinding
    - SecurityFinding
    range: ConfidenceIdEnum
    recommended: true
  confidence_score:
    name: confidence_score
    annotations:
      group:
        tag: group
        value: context
    description: The confidence score as reported by the event source.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Confidence Score
    rank: 1000
    alias: confidence_score
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - Finding
    - IncidentFinding
    - SecurityFinding
    range: integer
  disposition:
    name: disposition
    description: 'The disposition name, normalized to the caption of the disposition_id
      value. In the case of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Disposition
    rank: 1000
    alias: disposition
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    range: string
  disposition_id:
    name: disposition_id
    annotations:
      sibling:
        tag: sibling
        value: disposition
    description: 'Describes the outcome or action taken by a security control, such
      as access control checks, malware detections or various types of policy
      violations.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Disposition ID
    rank: 1000
    alias: disposition_id
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    range: DispositionIdEnum
    recommended: true
  firewall_rule:
    name: firewall_rule
    description: 'The firewall rule that pertains to the control that triggered the
      event, if applicable.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Firewall Rule
    rank: 1000
    alias: firewall_rule
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    range: FirewallRule
  is_alert:
    name: is_alert
    description: 'Indicates that the event is considered to be an alertable signal.
      Should be set to <code>true</code> if <code>disposition_id = Alert</code> among
      other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code>
      of the event is elevated. Not all control events will be alertable, for example
      if <code>disposition_id = Exonerated</code> or <code>disposition_id =
      Allowed</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Alert
    rank: 1000
    alias: is_alert
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    range: boolean
    recommended: true
  malware:
    name: malware
    description: A list of Malware objects, describing details about the identified malware.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Malware
    rank: 1000
    alias: malware
    owner: SecurityControlProfile
    domain_of:
    - Osint
    - SecurityControlProfile
    - DetectionFinding
    - SecurityFinding
    range: Malware
    multivalued: true
  malware_scan_info:
    name: malware_scan_info
    description: 'Describes details about the scan job that identified malware on
      the target system.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Malware Scan Info
    rank: 1000
    alias: malware_scan_info
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    - DetectionFinding
    range: MalwareScanInfo
  policy:
    name: policy
    description: 'The policy that pertains to the control that triggered the event,
      if applicable. For example the name of an anti-malware policy or an access
      control policy.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Policy
    rank: 1000
    alias: policy
    owner: SecurityControlProfile
    domain_of:
    - PermissionAnalysisResult
    - AdditionalRestriction
    - Assessment
    - Authorization
    - DataClassification
    - DataSecurity
    - ManagedEntity
    - SecurityControlProfile
    - ScanActivity
    - AccountChange
    range: Policy
  risk_details:
    name: risk_details
    annotations:
      group:
        tag: group
        value: context
    description: Describes the risk associated with the finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Details
    rank: 1000
    alias: risk_details
    owner: SecurityControlProfile
    domain_of:
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    range: string
  risk_level:
    name: risk_level
    annotations:
      group:
        tag: group
        value: context
    description: The risk level, normalized to the caption of the risk_level_id value.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Level
    rank: 1000
    alias: risk_level
    owner: SecurityControlProfile
    domain_of:
    - ApplicationObject
    - User
    - Device
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - SecurityFinding
    range: string
  risk_level_id:
    name: risk_level_id
    annotations:
      group:
        tag: group
        value: context
    description: The normalized risk level id.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Level ID
    rank: 1000
    alias: risk_level_id
    owner: SecurityControlProfile
    domain_of:
    - ApplicationObject
    - User
    - Device
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - SecurityFinding
    range: RiskLevelIdEnum
  risk_score:
    name: risk_score
    annotations:
      group:
        tag: group
        value: context
    description: The risk score as reported by the event source.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Risk Score
    rank: 1000
    alias: risk_score
    owner: SecurityControlProfile
    domain_of:
    - Osint
    - ApplicationObject
    - User
    - Device
    - SecurityControlProfile
    - DataSecurityFinding
    - DetectionFinding
    - SecurityFinding
    range: integer
```