Class: TunnelActivity
Tunnel Activity events report secure tunnel establishment (such as VPN),
teardowns, renewals, and other network tunnel specific actions.
URI: ocsf:TunnelActivity
classDiagram
class TunnelActivity
click TunnelActivity href "../TunnelActivity/"
NetworkEvent <|-- TunnelActivity
click NetworkEvent href "../NetworkEvent/"
TunnelActivity : action
TunnelActivity : action_id
TunnelActivity --> "0..1 _recommended_" ActionIdEnum : action_id
click ActionIdEnum href "../ActionIdEnum/"
TunnelActivity : activity_id
TunnelActivity --> "1" TunnelActivityActivityIdEnum : activity_id
click TunnelActivityActivityIdEnum href "../TunnelActivityActivityIdEnum/"
TunnelActivity : activity_name
TunnelActivity : actor
TunnelActivity --> "0..1" Actor : actor
click Actor href "../Actor/"
TunnelActivity : api
TunnelActivity --> "0..1" Api : api
click Api href "../Api/"
TunnelActivity : app_name
TunnelActivity : app_protocol_name
TunnelActivity : attacks
TunnelActivity --> "*" Attack : attacks
click Attack href "../Attack/"
TunnelActivity : authorizations
TunnelActivity --> "*" Authorization : authorizations
click Authorization href "../Authorization/"
TunnelActivity : category_name
TunnelActivity : category_uid
TunnelActivity --> "1" BaseEventCategoryUidEnum : category_uid
click BaseEventCategoryUidEnum href "../BaseEventCategoryUidEnum/"
TunnelActivity : class_name
TunnelActivity : class_uid
TunnelActivity --> "1" BaseEventClassUidEnum : class_uid
click BaseEventClassUidEnum href "../BaseEventClassUidEnum/"
TunnelActivity : cloud
TunnelActivity --> "1" Cloud : cloud
click Cloud href "../Cloud/"
TunnelActivity : confidence
TunnelActivity : confidence_id
TunnelActivity --> "0..1 _recommended_" ConfidenceIdEnum : confidence_id
click ConfidenceIdEnum href "../ConfidenceIdEnum/"
TunnelActivity : confidence_score
TunnelActivity : connection_info
TunnelActivity --> "0..1 _recommended_" NetworkConnectionInfo : connection_info
click NetworkConnectionInfo href "../NetworkConnectionInfo/"
TunnelActivity : count
TunnelActivity : cumulative_traffic
TunnelActivity --> "0..1" NetworkTraffic : cumulative_traffic
click NetworkTraffic href "../NetworkTraffic/"
TunnelActivity : device
TunnelActivity --> "0..1 _recommended_" Device : device
click Device href "../Device/"
TunnelActivity : disposition
TunnelActivity : disposition_id
TunnelActivity --> "0..1 _recommended_" DispositionIdEnum : disposition_id
click DispositionIdEnum href "../DispositionIdEnum/"
TunnelActivity : dst_endpoint
TunnelActivity --> "0..1 _recommended_" NetworkEndpoint : dst_endpoint
click NetworkEndpoint href "../NetworkEndpoint/"
TunnelActivity : duration
TunnelActivity : end_time
TunnelActivity : enrichments
TunnelActivity --> "*" Enrichment : enrichments
click Enrichment href "../Enrichment/"
TunnelActivity : firewall_rule
TunnelActivity --> "0..1" FirewallRule : firewall_rule
click FirewallRule href "../FirewallRule/"
TunnelActivity : is_alert
TunnelActivity : ja4_fingerprint_list
TunnelActivity --> "*" Ja4Fingerprint : ja4_fingerprint_list
click Ja4Fingerprint href "../Ja4Fingerprint/"
TunnelActivity : load_balancer
TunnelActivity --> "0..1 _recommended_" LoadBalancer : load_balancer
click LoadBalancer href "../LoadBalancer/"
TunnelActivity : malware
TunnelActivity --> "*" Malware : malware
click Malware href "../Malware/"
TunnelActivity : malware_scan_info
TunnelActivity --> "0..1" MalwareScanInfo : malware_scan_info
click MalwareScanInfo href "../MalwareScanInfo/"
TunnelActivity : message
TunnelActivity : metadata
TunnelActivity --> "1" Metadata : metadata
click Metadata href "../Metadata/"
TunnelActivity : network_observation_point
TunnelActivity --> "0..1" NetworkEndpoint : network_observation_point
click NetworkEndpoint href "../NetworkEndpoint/"
TunnelActivity : observables
TunnelActivity --> "* _recommended_" Observable : observables
click Observable href "../Observable/"
TunnelActivity : observation_point
TunnelActivity : observation_point_id
TunnelActivity --> "0..1" NetworkEventObservationPointIdEnum : observation_point_id
click NetworkEventObservationPointIdEnum href "../NetworkEventObservationPointIdEnum/"
TunnelActivity : osint
TunnelActivity --> "1..*" Osint : osint
click Osint href "../Osint/"
TunnelActivity : packet_list
TunnelActivity --> "*" Packet : packet_list
click Packet href "../Packet/"
TunnelActivity : policy
TunnelActivity --> "0..1" Policy : policy
click Policy href "../Policy/"
TunnelActivity : protocol_name
TunnelActivity : proxy
TunnelActivity --> "0..1 _recommended_" NetworkProxy : proxy
click NetworkProxy href "../NetworkProxy/"
TunnelActivity : proxy_connection_info
TunnelActivity --> "0..1 _recommended_" NetworkConnectionInfo : proxy_connection_info
click NetworkConnectionInfo href "../NetworkConnectionInfo/"
TunnelActivity : proxy_endpoint
TunnelActivity --> "0..1" NetworkProxy : proxy_endpoint
click NetworkProxy href "../NetworkProxy/"
TunnelActivity : proxy_http_request
TunnelActivity --> "0..1" HttpRequest : proxy_http_request
click HttpRequest href "../HttpRequest/"
TunnelActivity : proxy_http_response
TunnelActivity --> "0..1" HttpResponse : proxy_http_response
click HttpResponse href "../HttpResponse/"
TunnelActivity : proxy_tls
TunnelActivity --> "0..1 _recommended_" Tls : proxy_tls
click Tls href "../Tls/"
TunnelActivity : proxy_traffic
TunnelActivity --> "0..1 _recommended_" NetworkTraffic : proxy_traffic
click NetworkTraffic href "../NetworkTraffic/"
TunnelActivity : raw_data
TunnelActivity : raw_data_hash
TunnelActivity --> "0..1" Fingerprint : raw_data_hash
click Fingerprint href "../Fingerprint/"
TunnelActivity : raw_data_size
TunnelActivity : risk_details
TunnelActivity : risk_level
TunnelActivity : risk_level_id
TunnelActivity --> "0..1" RiskLevelIdEnum : risk_level_id
click RiskLevelIdEnum href "../RiskLevelIdEnum/"
TunnelActivity : risk_score
TunnelActivity : session
TunnelActivity --> "0..1 _recommended_" Session : session
click Session href "../Session/"
TunnelActivity : severity
TunnelActivity : severity_id
TunnelActivity --> "1" SeverityIdEnum : severity_id
click SeverityIdEnum href "../SeverityIdEnum/"
TunnelActivity : src_endpoint
TunnelActivity --> "0..1 _recommended_" NetworkEndpoint : src_endpoint
click NetworkEndpoint href "../NetworkEndpoint/"
TunnelActivity : start_time
TunnelActivity : status
TunnelActivity : status_code
TunnelActivity : status_detail
TunnelActivity : status_id
TunnelActivity --> "0..1 _recommended_" StatusIdEnum : status_id
click StatusIdEnum href "../StatusIdEnum/"
TunnelActivity : time
TunnelActivity : timezone_offset
TunnelActivity : tls
TunnelActivity --> "0..1" Tls : tls
click Tls href "../Tls/"
TunnelActivity : traffic
TunnelActivity --> "0..1 _recommended_" NetworkTraffic : traffic
click NetworkTraffic href "../NetworkTraffic/"
TunnelActivity : tunnel_interface
TunnelActivity --> "0..1 _recommended_" NetworkInterface : tunnel_interface
click NetworkInterface href "../NetworkInterface/"
TunnelActivity : tunnel_type
TunnelActivity : tunnel_type_id
TunnelActivity --> "0..1 _recommended_" TunnelActivityTunnelTypeIdEnum : tunnel_type_id
click TunnelActivityTunnelTypeIdEnum href "../TunnelActivityTunnelTypeIdEnum/"
TunnelActivity : type_name
TunnelActivity : type_uid
TunnelActivity : unmapped
TunnelActivity --> "0..1" Object : unmapped
click Object href "../Object/"
TunnelActivity : user
TunnelActivity --> "0..1 _recommended_" User : user
click User href "../User/"
Inheritance
- BaseEvent [ CloudProfile DatetimeProfile HostProfile OsintProfile SecurityControlProfile]
- NetworkEvent [ NetworkProxyProfile LoadBalancerProfile]
- TunnelActivity
- NetworkEvent [ NetworkProxyProfile LoadBalancerProfile]
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| activity_id | 1 TunnelActivityActivityIdEnum | The normalized identifier of the activity that triggered the event | direct |
| connection_info | 0..1 recommended NetworkConnectionInfo | The tunnel connection information | direct |
| device | 0..1 recommended Device | The device that reported the event | direct |
| dst_endpoint | 0..1 recommended NetworkEndpoint | The server responding to the tunnel connection | direct |
| protocol_name | 0..1 String | The networking protocol associated with the tunnel | direct |
| session | 0..1 recommended Session | The session associated with the tunnel | direct |
| src_endpoint | 0..1 recommended NetworkEndpoint | The initiator (client) of the tunnel connection | direct |
| traffic | 0..1 recommended NetworkTraffic | Traffic refers to the amount of data moving across the tunnel at a given point of time, e.g. `bytes_in` and `bytes_out` | direct |
| tunnel_interface | 0..1 recommended NetworkInterface | The information about the virtual tunnel interface, e.g. `utun0`; this is usually associated with the private (RFC 1918) IP of the tunnel | direct |
| tunnel_type | 0..1 recommended String | The type of tunnel configuration, normalized to the caption of the `tunnel_type_id` value, indicating the scope of traffic routed through the connection, e.g. `Split Tunnel` or `Full Tunnel` | direct |
| tunnel_type_id | 0..1 recommended TunnelActivityTunnelTypeIdEnum | The normalized identifier for the type of tunnel configuration, indicating the scope of traffic routed through the connection, e.g. `1 (Split Tunnel)` or `2 (Full Tunnel)` | direct |
| user | 0..1 recommended User | The user associated with the tunnel activity | direct |
| app_name | 0..1 String | The network application name identified by tools such as NBAR or App ID (e.g., youtube, facebook, webex); this represents a specific network application that uses standard protocols (such as https or quic) to deliver its service | NetworkEvent |
| app_protocol_name | 0..1 String | The application-layer (Layer 7) protocol name identified by deep packet inspection or packet parsing (e.g., `https`, `quic`, `ssh`, `dns`), expressed as an IANA-registered service name; note that port numbers alone are not always a reliable indicator of the actual application protocol in use | NetworkEvent |
| cumulative_traffic | 0..1 NetworkTraffic | The cumulative (running total) network traffic aggregated from the start of a flow or session | NetworkEvent |
| ja4_fingerprint_list | * Ja4Fingerprint |
A list of the JA4+ network fingerprints | NetworkEvent |
| network_observation_point | 0..1 NetworkEndpoint |
The network endpoint that observes or inspects network traffic as a third-par... | NetworkEvent |
| observation_point | 0..1 String |
Indicates whether the source network endpoint, destination network endpoint, ... | NetworkEvent |
| observation_point_id | 0..1 NetworkEventObservationPointIdEnum |
The normalized identifier of the observation point | NetworkEvent |
| packet_list | * Packet |
The list of packet objects describing captured network packets | NetworkEvent |
| proxy | 0..1 recommended NetworkProxy |
The proxy (server) in a network connection | NetworkEvent |
| tls | 0..1 Tls |
The Transport Layer Security (TLS) attributes | NetworkEvent |
| proxy_connection_info | 0..1 recommended NetworkConnectionInfo |
The connection information from the proxy server to the remote server | NetworkProxyProfile |
| proxy_endpoint | 0..1 NetworkProxy |
The proxy (server) in a network connection | NetworkProxyProfile |
| proxy_http_request | 0..1 HttpRequest |
The HTTP Request from the proxy server to the remote server | NetworkProxyProfile |
| proxy_http_response | 0..1 HttpResponse |
The HTTP Response from the remote server to the proxy server | NetworkProxyProfile |
| proxy_tls | 0..1 recommended Tls |
The TLS protocol negotiated between the proxy server and the remote server | NetworkProxyProfile |
| proxy_traffic | 0..1 recommended NetworkTraffic |
The network traffic refers to the amount of data moving across a network, fro... | NetworkProxyProfile |
| load_balancer | 0..1 recommended LoadBalancer |
The Load Balancer object contains information related to the device that is | LoadBalancerProfile |
| activity_name | 0..1 String |
The event activity name, as defined by the activity_id | BaseEvent |
| category_name | 0..1 String |
The event category name, as defined by category_uid value | BaseEvent |
| category_uid | 1 BaseEventCategoryUidEnum |
The category unique identifier of the event | BaseEvent |
| class_name | 0..1 String |
The event class name, as defined by class_uid value | BaseEvent |
| class_uid | 1 BaseEventClassUidEnum |
The unique identifier of a class | BaseEvent |
| count | 0..1 Integer |
The number of times that events in the same logical group occurred during the | BaseEvent |
| duration | 0..1 Integer |
The event duration or aggregate time, the amount of time the event covers fro... | BaseEvent |
| end_time | 0..1 TimestampT |
The end time of a time period, or the time of the most recent event included ... | BaseEvent |
| enrichments | * Enrichment |
The additional information from an external data source, which is associated | BaseEvent |
| message | 0..1 recommended String |
The description of the event/finding, as defined by the source | BaseEvent |
| metadata | 1 Metadata |
The metadata associated with the event or a finding | BaseEvent |
| observables | * recommended Observable |
The observables associated with the event or a finding | BaseEvent |
| raw_data | 0..1 String |
The raw event/finding data as received from the source | BaseEvent |
| raw_data_hash | 0..1 Fingerprint |
The hash, which describes the content of the raw_data field | BaseEvent |
| raw_data_size | 0..1 Integer |
The size of the raw data which was transformed into an OCSF event, in bytes | BaseEvent |
| severity | 0..1 String | The event/finding severity, normalized to the caption of the `severity_id` value | BaseEvent |
| severity_id | 1 SeverityIdEnum | The normalized identifier of the event/finding severity | BaseEvent |
| start_time | 0..1 TimestampT |
The start time of a time period, or the time of the least recent event includ... | BaseEvent |
| status | 0..1 recommended String |
The event status, normalized to the caption of the status_id value | BaseEvent |
| status_code | 0..1 recommended String |
The event status code, as reported by the event source | BaseEvent |
| status_detail | 0..1 recommended String |
The status detail contains additional information about the event/finding | BaseEvent |
| status_id | 0..1 recommended StatusIdEnum |
The normalized identifier of the event status | BaseEvent |
| time | 1 TimestampT |
The normalized event occurrence time or the finding creation time | BaseEvent |
| timezone_offset | 0..1 recommended Integer | The number of minutes that the reported event time is ahead or behind | BaseEvent |
| type_name | 0..1 String |
The event/finding type name, as defined by the type_uid | BaseEvent |
| type_uid | 1 Integer |
The event/finding type ID | BaseEvent |
| unmapped | 0..1 Object |
The attributes that are not mapped to the event schema | BaseEvent |
| api | 0..1 Api |
Describes details about a typical API (Application Programming Interface) cal... | CloudProfile |
| cloud | 1 Cloud |
Describes details about the Cloud environment where the event or finding was | CloudProfile |
| actor | 0..1 Actor |
The actor object describes details about the user/role/process that was the | HostProfile |
| osint | 1..* Osint |
The OSINT (Open Source Intelligence) object contains details related to an | OsintProfile |
| action | 0..1 String | The normalized caption of `action_id` | SecurityControlProfile |
| action_id | 0..1 recommended ActionIdEnum |
The action taken by a control or other policy-based system leading to an | SecurityControlProfile |
| attacks | * Attack |
An array of MITRE ATT&CK® objects describing identified tactics, techniques & | SecurityControlProfile |
| authorizations | * Authorization |
Provides details about an authorization, such as authorization outcome, and a... | SecurityControlProfile |
| confidence | 0..1 String |
The confidence, normalized to the caption of the confidence_id value | SecurityControlProfile |
| confidence_id | 0..1 recommended ConfidenceIdEnum |
The normalized confidence refers to the accuracy of the rule that created the | SecurityControlProfile |
| confidence_score | 0..1 Integer |
The confidence score as reported by the event source | SecurityControlProfile |
| disposition | 0..1 String |
The disposition name, normalized to the caption of the disposition_id value | SecurityControlProfile |
| disposition_id | 0..1 recommended DispositionIdEnum |
Describes the outcome or action taken by a security control, such as access | SecurityControlProfile |
| firewall_rule | 0..1 FirewallRule |
The firewall rule that pertains to the control that triggered the event, if | SecurityControlProfile |
| is_alert | 0..1 recommended Boolean |
Indicates that the event is considered to be an alertable signal | SecurityControlProfile |
| malware | * Malware |
A list of Malware objects, describing details about the identified malware | SecurityControlProfile |
| malware_scan_info | 0..1 MalwareScanInfo |
Describes details about the scan job that identified malware on the target | SecurityControlProfile |
| policy | 0..1 Policy |
The policy that pertains to the control that triggered the event, if | SecurityControlProfile |
| risk_details | 0..1 String |
Describes the risk associated with the finding | SecurityControlProfile |
| risk_level | 0..1 String |
The risk level, normalized to the caption of the risk_level_id value | SecurityControlProfile |
| risk_level_id | 0..1 RiskLevelIdEnum |
The normalized risk level id | SecurityControlProfile |
| risk_score | 0..1 Integer |
The risk score as reported by the event source | SecurityControlProfile |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | [{'slot_conditions': {'connection_info': {'required': True}}}, {'slot_conditions': {'session': {'required': True}}}, {'slot_conditions': {'src_endpoint': {'required': True}}}, {'slot_conditions': {'traffic': {'required': True}}}, {'slot_conditions': {'tunnel_interface': {'required': True}}}, {'slot_conditions': {'tunnel_type_id': {'required': True}}}] |
In Subsets
Aliases
- Tunnel Activity
See Also
Notes
- D3FEND™ Ontology d3f:TunnelEvent — https://d3fend.mitre.org/event/d3f:TunnelEvent/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["connection_info", "session", "src_endpoint", "traffic", "tunnel_interface", "tunnel_type_id"]} |
| ocsf_event_uid | 14 |
| associations | {"src_endpoint": ["user"], "user": ["src_endpoint"]} |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:TunnelActivity |
| native | ocsf:TunnelActivity |
LinkML Source
Direct
name: TunnelActivity
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"at_least_one": ["connection_info", "session", "src_endpoint", "traffic",
"tunnel_interface", "tunnel_type_id"]}'
ocsf_event_uid:
tag: ocsf_event_uid
value: 14
associations:
tag: associations
value: '{"src_endpoint": ["user"], "user": ["src_endpoint"]}'
description: 'Tunnel Activity events report secure tunnel establishment (such as VPN),
teardowns, renewals, and other network tunnel specific actions.'
notes:
- 'D3FEND™ Ontology d3f:TunnelEvent —
https://d3fend.mitre.org/event/d3f:TunnelEvent/'
in_subset:
- network_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/event/d3f:TunnelEvent/
aliases:
- Tunnel Activity
is_a: NetworkEvent
slots:
- activity_id
- connection_info
- device
- dst_endpoint
- protocol_name
- session
- src_endpoint
- traffic
- tunnel_interface
- tunnel_type
- tunnel_type_id
- user
slot_usage:
activity_id:
name: activity_id
range: TunnelActivityActivityIdEnum
required: true
connection_info:
name: connection_info
annotations:
group:
tag: group
value: context
description: The tunnel connection information.
device:
name: device
annotations:
group:
tag: group
value: primary
description: The device that reported the event.
recommended: true
dst_endpoint:
name: dst_endpoint
annotations:
group:
tag: group
value: primary
description: The server responding to the tunnel connection.
recommended: true
protocol_name:
name: protocol_name
annotations:
group:
tag: group
value: context
description: 'The networking protocol associated with the tunnel. E.g. <code>IPSec</code>,
<code>SSL</code>, <code>GRE</code>.'
session:
name: session
annotations:
group:
tag: group
value: primary
description: The session associated with the tunnel.
recommended: true
src_endpoint:
name: src_endpoint
annotations:
group:
tag: group
value: primary
description: The initiator (client) of the tunnel connection.
recommended: true
traffic:
name: traffic
annotations:
group:
tag: group
value: context
description: 'Traffic refers to the amount of data moving across the tunnel at
a given point
of time. Ex: <code>bytes_in</code> and <code>bytes_out</code>.'
tunnel_interface:
name: tunnel_interface
annotations:
group:
tag: group
value: primary
description: 'The information about the virtual tunnel interface, e.g. <code>utun0</code>.
This is usually associated with the private (rfc-1918) ip of the tunnel.'
recommended: true
tunnel_type:
name: tunnel_type
annotations:
group:
tag: group
value: primary
description: 'The type of tunnel configuration, normalized to the caption of the
<code>tunnel_type_id</code> value, indicating the scope of traffic routed
through the connection. Example: <code>Split Tunnel</code> or <code>Full
Tunnel</code>.'
recommended: true
tunnel_type_id:
name: tunnel_type_id
annotations:
group:
tag: group
value: primary
description: 'The normalized identifier for the type of tunnel configuration,
indicating the
scope of traffic routed through the connection. Example: <code>1 (Split
Tunnel)</code> or <code>2 (Full Tunnel)</code>.'
range: TunnelActivityTunnelTypeIdEnum
recommended: true
user:
name: user
annotations:
group:
tag: group
value: primary
description: The user associated with the tunnel activity.
recommended: true
rules:
- postconditions:
any_of:
- slot_conditions:
connection_info:
name: connection_info
required: true
- slot_conditions:
session:
name: session
required: true
- slot_conditions:
src_endpoint:
name: src_endpoint
required: true
- slot_conditions:
traffic:
name: traffic
required: true
- slot_conditions:
tunnel_interface:
name: tunnel_interface
required: true
- slot_conditions:
tunnel_type_id:
name: tunnel_type_id
required: true
description: 'OCSF at_least_one: at least one of [''connection_info'', ''session'',
''src_endpoint'', ''traffic'', ''tunnel_interface'', ''tunnel_type_id''] must
be set.'
Induced
name: TunnelActivity
annotations:
ocsf_constraints:
tag: ocsf_constraints
value: '{"at_least_one": ["connection_info", "session", "src_endpoint", "traffic",
"tunnel_interface", "tunnel_type_id"]}'
ocsf_event_uid:
tag: ocsf_event_uid
value: 14
associations:
tag: associations
value: '{"src_endpoint": ["user"], "user": ["src_endpoint"]}'
description: 'Tunnel Activity events report secure tunnel establishment (such as VPN),
teardowns, renewals, and other network tunnel specific actions.'
notes:
- 'D3FEND™ Ontology d3f:TunnelEvent —
https://d3fend.mitre.org/event/d3f:TunnelEvent/'
in_subset:
- network_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/event/d3f:TunnelEvent/
aliases:
- Tunnel Activity
is_a: NetworkEvent
slot_usage:
activity_id:
name: activity_id
range: TunnelActivityActivityIdEnum
required: true
connection_info:
name: connection_info
annotations:
group:
tag: group
value: context
description: The tunnel connection information.
device:
name: device
annotations:
group:
tag: group
value: primary
description: The device that reported the event.
recommended: true
dst_endpoint:
name: dst_endpoint
annotations:
group:
tag: group
value: primary
description: The server responding to the tunnel connection.
recommended: true
protocol_name:
name: protocol_name
annotations:
group:
tag: group
value: context
description: 'The networking protocol associated with the tunnel. E.g. <code>IPSec</code>,
<code>SSL</code>, <code>GRE</code>.'
session:
name: session
annotations:
group:
tag: group
value: primary
description: The session associated with the tunnel.
recommended: true
src_endpoint:
name: src_endpoint
annotations:
group:
tag: group
value: primary
description: The initiator (client) of the tunnel connection.
recommended: true
traffic:
name: traffic
annotations:
group:
tag: group
value: context
description: 'Traffic refers to the amount of data moving across the tunnel at
a given point
of time. Ex: <code>bytes_in</code> and <code>bytes_out</code>.'
tunnel_interface:
name: tunnel_interface
annotations:
group:
tag: group
value: primary
description: 'The information about the virtual tunnel interface, e.g. <code>utun0</code>.
This is usually associated with the private (rfc-1918) ip of the tunnel.'
recommended: true
tunnel_type:
name: tunnel_type
annotations:
group:
tag: group
value: primary
description: 'The type of tunnel configuration, normalized to the caption of the
<code>tunnel_type_id</code> value, indicating the scope of traffic routed
through the connection. Example: <code>Split Tunnel</code> or <code>Full
Tunnel</code>.'
recommended: true
tunnel_type_id:
name: tunnel_type_id
annotations:
group:
tag: group
value: primary
description: 'The normalized identifier for the type of tunnel configuration,
indicating the
scope of traffic routed through the connection. Example: <code>1 (Split
Tunnel)</code> or <code>2 (Full Tunnel)</code>.'
range: TunnelActivityTunnelTypeIdEnum
recommended: true
user:
name: user
annotations:
group:
tag: group
value: primary
description: The user associated with the tunnel activity.
recommended: true
attributes:
activity_id:
name: activity_id
annotations:
group:
tag: group
value: classification
description: The normalized identifier of the activity that triggered the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Activity ID
rank: 1000
alias: activity_id
owner: TunnelActivity
domain_of:
- BaseEvent
- ApiActivity
- ApplicationError
- ApplicationLifecycle
- DatastoreActivity
- FileHosting
- ScanActivity
- WebResourceAccessActivity
- WebResourcesActivity
- DiscoveryEvent
- DiscoveryResult
- DataSecurityFinding
- Finding
- IncidentFinding
- SecurityFinding
- AccountChange
- Authentication
- AuthorizeSession
- EntityManagement
- GroupManagement
- UserAccess
- DhcpActivity
- DnsActivity
- EmailActivity
- EmailFileActivity
- EmailUrlActivity
- FtpActivity
- HttpActivity
- NetworkActivity
- NetworkFileActivity
- NtpActivity
- RdpActivity
- SmbActivity
- SshActivity
- TunnelActivity
- RemediationActivity
- EventLogActvity
- FileActivity
- KernelActivity
- KernelExtensionActivity
- MemoryActivity
- ModuleActivity
- PeripheralActivity
- ProcessActivity
- ScheduledJobActivity
- ScriptActivity
- AirborneBroadcastActivity
- DroneFlightsActivity
- RegistryKeyActivity
- RegistryValueActivity
- WindowsResourceActivity
- WindowsServiceActivity
range: TunnelActivityActivityIdEnum
required: true
connection_info:
name: connection_info
annotations:
group:
tag: group
value: context
description: The tunnel connection information.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Connection Info
rank: 1000
alias: connection_info
owner: TunnelActivity
domain_of:
- QueryEvidence
- Evidences
- FileHosting
- NetworkConnectionQuery
- NetworkEvent
- DnsActivity
- NetworkFileActivity
- RdpActivity
- TunnelActivity
- NetworkRemediationActivity
- UnmannedSystemsEvent
range: NetworkConnectionInfo
recommended: true
device:
name: device
annotations:
group:
tag: group
value: primary
description: The device that reported the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Device
rank: 1000
alias: device
owner: TunnelActivity
domain_of:
- AuthFactor
- Evidences
- Logger
- ManagedEntity
- HostProfile
- ConfigState
- DeviceConfigStateChange
- EvidenceInfo
- InventoryInfo
- PatchState
- SoftwareInfo
- DataSecurityFinding
- Finding
- RdpActivity
- TunnelActivity
- SystemEvent
- EventLogActvity
range: Device
recommended: true
dst_endpoint:
name: dst_endpoint
annotations:
group:
tag: group
value: primary
description: The server responding to the tunnel connection.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Destination Endpoint
rank: 1000
alias: dst_endpoint
owner: TunnelActivity
domain_of:
- Evidences
- LoadBalancer
- ApiActivity
- DatastoreActivity
- FileHosting
- WebResourcesActivity
- DataSecurityFinding
- Authentication
- AuthorizeSession
- NetworkEvent
- DhcpActivity
- DnsActivity
- EmailActivity
- NetworkActivity
- NetworkFileActivity
- TunnelActivity
- EventLogActvity
- UnmannedSystemsEvent
- AirborneBroadcastActivity
range: NetworkEndpoint
recommended: true
protocol_name:
name: protocol_name
annotations:
group:
tag: group
value: context
description: 'The networking protocol associated with the tunnel. E.g. <code>IPSec</code>,
<code>SSL</code>, <code>GRE</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Protocol Name
rank: 1000
alias: protocol_name
owner: TunnelActivity
domain_of:
- PortInfo
- Scim
- Sso
- Idp
- NetworkConnectionInfo
- EmailActivity
- TunnelActivity
- AirborneBroadcastActivity
- DroneFlightsActivity
range: string
session:
name: session
annotations:
group:
tag: group
value: primary
description: The session associated with the tunnel.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Session
rank: 1000
alias: session
owner: TunnelActivity
domain_of:
- QueryEvidence
- Actor
- NetworkConnectionInfo
- Process
- SessionQuery
- Authentication
- AuthorizeSession
- TunnelActivity
range: Session
recommended: true
src_endpoint:
name: src_endpoint
annotations:
group:
tag: group
value: primary
description: The initiator (client) of the tunnel connection.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Source Endpoint
rank: 1000
alias: src_endpoint
owner: TunnelActivity
domain_of:
- Evidences
- ApiActivity
- DatastoreActivity
- FileHosting
- WebResourceAccessActivity
- WebResourcesActivity
- DataSecurityFinding
- IamEvent
- NetworkEvent
- DhcpActivity
- EmailActivity
- NetworkActivity
- NetworkFileActivity
- TunnelActivity
- EventLogActvity
- UnmannedSystemsEvent
- AirborneBroadcastActivity
- DroneFlightsActivity
range: NetworkEndpoint
recommended: true
traffic:
name: traffic
annotations:
group:
tag: group
value: context
description: 'Traffic refers to the amount of data moving across the tunnel at
a given point
of time. Ex: <code>bytes_in</code> and <code>bytes_out</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Traffic
rank: 1000
alias: traffic
owner: TunnelActivity
domain_of:
- NetworkEvent
- DnsActivity
- TunnelActivity
- UnmannedSystemsEvent
- AirborneBroadcastActivity
- DroneFlightsActivity
range: NetworkTraffic
recommended: true
tunnel_interface:
name: tunnel_interface
annotations:
group:
tag: group
value: primary
description: 'The information about the virtual tunnel interface, e.g. <code>utun0</code>.
This is usually associated with the private (rfc-1918) ip of the tunnel.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Interface
rank: 1000
alias: tunnel_interface
owner: TunnelActivity
domain_of:
- TunnelActivity
range: NetworkInterface
recommended: true
tunnel_type:
name: tunnel_type
annotations:
group:
tag: group
value: primary
description: 'The type of tunnel configuration, normalized to the caption of the
<code>tunnel_type_id</code> value, indicating the scope of traffic routed
through the connection. Example: <code>Split Tunnel</code> or <code>Full
Tunnel</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tunnel Type
rank: 1000
alias: tunnel_type
owner: TunnelActivity
domain_of:
- TunnelActivity
range: string
recommended: true
tunnel_type_id:
name: tunnel_type_id
annotations:
group:
tag: group
value: primary
description: 'The normalized identifier for the type of tunnel configuration,
indicating the
scope of traffic routed through the connection. Example: <code>1 (Split
Tunnel)</code> or <code>2 (Full Tunnel)</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tunnel Type ID
rank: 1000
alias: tunnel_type_id
owner: TunnelActivity
domain_of:
- TunnelActivity
range: TunnelActivityTunnelTypeIdEnum
recommended: true
user:
name: user
annotations:
group:
tag: group
value: primary
description: The user associated with the tunnel activity.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- User
rank: 1000
alias: user
owner: TunnelActivity
domain_of:
- QueryEvidence
- Actor
- Evidences
- Job
- ManagedEntity
- Process
- UserInventory
- UserQuery
- IamAnalysisFinding
- AccountChange
- Authentication
- AuthorizeSession
- GroupManagement
- UserAccess
- RdpActivity
- TunnelActivity
range: User
recommended: true
app_name:
name: app_name
annotations:
group:
tag: group
value: context
description: 'The network application name identified by tools such as NBAR or
App ID (e.g.,
youtube, facebook, webex). This represents a specific network application that
uses standard protocols (such as https or quic) to deliver its service.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Application Name
rank: 1000
alias: app_name
owner: TunnelActivity
domain_of:
- Actor
- NetworkEvent
range: string
app_protocol_name:
name: app_protocol_name
annotations:
group:
tag: group
value: context
description: 'The application-layer (Layer 7) protocol name identified by deep
packet inspection or packet parsing (e.g., <code>https</code>, <code>quic</code>,
<code>ssh</code>, <code>dns</code>), expressed as an IANA-registered service
name from the IANA Service Name and Transport Protocol Port Number Registry.
<p><b>Note:</b> Port numbers alone are not a reliable indicator of the actual
application protocol in use, since any protocol can be run on a non-standard
port; populate this attribute from inspection or parsing of the traffic rather
than from the destination port.</p>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Application Protocol Name
rank: 1000
alias: app_protocol_name
owner: TunnelActivity
domain_of:
- NetworkEvent
range: string
cumulative_traffic:
name: cumulative_traffic
annotations:
group:
tag: group
value: context
description: 'The cumulative (running total) network traffic aggregated from the
start of a
flow or session. Use when reporting: (1) total accumulated bytes/packets since
flow initiation, (2) combined aggregation models where both incremental deltas
and running totals are reported together (populate both <code>traffic</code>
for the delta and this attribute for the cumulative total), or (3) final
summary metrics when a long-lived connection closes. This represents the sum
of
all activity from flow start to the current observation, not a delta or
point-in-time value.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Cumulative Traffic
rank: 1000
alias: cumulative_traffic
owner: TunnelActivity
domain_of:
- NetworkEvent
range: NetworkTraffic
ja4_fingerprint_list:
name: ja4_fingerprint_list
annotations:
group:
tag: group
value: context
description: A list of the JA4+ network fingerprints.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- JA4+ Fingerprints
rank: 1000
alias: ja4_fingerprint_list
owner: TunnelActivity
domain_of:
- Evidences
- NetworkEvent
range: Ja4Fingerprint
multivalued: true
network_observation_point:
name: network_observation_point
annotations:
group:
tag: group
value: context
description: 'The network endpoint that observes or inspects network traffic as
a third-party
system, used when the observer is neither the source nor the destination of
the
communication (when <code>observation_point_id</code> = 3). Examples include
network taps, span ports, inline security devices, or packet capture systems
that monitor traffic between other endpoints.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Network Observation Point
rank: 1000
alias: network_observation_point
owner: TunnelActivity
domain_of:
- NetworkEvent
range: NetworkEndpoint
observation_point:
name: observation_point
description: 'Indicates whether the source network endpoint, destination network
endpoint, or
neither served as the observation point for the activity. The value is
normalized to the caption of the <code>observation_point_id</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Observation Point
rank: 1000
alias: observation_point
owner: TunnelActivity
domain_of:
- NetworkEvent
range: string
observation_point_id:
name: observation_point_id
annotations:
sibling:
tag: sibling
value: observation_point
description: 'The normalized identifier of the observation point. The observation
point
identifier indicates whether the source network endpoint, destination network
endpoint, or neither served as the observation point for the activity.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Observation Point ID
rank: 1000
alias: observation_point_id
owner: TunnelActivity
domain_of:
- NetworkEvent
range: NetworkEventObservationPointIdEnum
packet_list:
name: packet_list
annotations:
group:
tag: group
value: context
description: The list of packet objects describing captured network packets.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Packets
rank: 1000
alias: packet_list
owner: TunnelActivity
domain_of:
- NetworkEvent
range: Packet
multivalued: true
proxy:
name: proxy
annotations:
group:
tag: group
value: primary
description: The proxy (server) in a network connection.
deprecated: Use the <code>proxy_endpoint</code> attribute instead. (since 1.1.0)
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy
rank: 1000
alias: proxy
owner: TunnelActivity
domain_of:
- WebResourceAccessActivity
- NetworkEvent
range: NetworkProxy
recommended: true
tls:
name: tls
annotations:
group:
tag: group
value: context
description: The Transport Layer Security (TLS) attributes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- TLS
rank: 1000
alias: tls
owner: TunnelActivity
domain_of:
- Evidences
- WebResourceAccessActivity
- WebResourcesActivity
- NetworkEvent
- UnmannedSystemsEvent
range: Tls
proxy_connection_info:
name: proxy_connection_info
description: The connection information from the proxy server to the remote server.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy Connection Info
rank: 1000
alias: proxy_connection_info
owner: TunnelActivity
domain_of:
- NetworkProxyProfile
range: NetworkConnectionInfo
recommended: true
proxy_endpoint:
name: proxy_endpoint
description: The proxy (server) in a network connection.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy Endpoint
rank: 1000
alias: proxy_endpoint
owner: TunnelActivity
domain_of:
- NetworkEndpoint
- NetworkProxyProfile
- UnmannedSystemsEvent
range: NetworkProxy
proxy_http_request:
name: proxy_http_request
description: The HTTP Request from the proxy server to the remote server.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy HTTP Request
rank: 1000
alias: proxy_http_request
owner: TunnelActivity
domain_of:
- NetworkProxyProfile
range: HttpRequest
proxy_http_response:
name: proxy_http_response
description: The HTTP Response from the remote server to the proxy server.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy HTTP Response
rank: 1000
alias: proxy_http_response
owner: TunnelActivity
domain_of:
- NetworkProxyProfile
range: HttpResponse
proxy_tls:
name: proxy_tls
description: The TLS protocol negotiated between the proxy server and the remote
server.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy TLS
rank: 1000
alias: proxy_tls
owner: TunnelActivity
domain_of:
- NetworkProxyProfile
range: Tls
recommended: true
proxy_traffic:
name: proxy_traffic
description: 'The amount of data moving across the network from the proxy server
to the remote server at a given point in time.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Proxy Traffic
rank: 1000
alias: proxy_traffic
owner: TunnelActivity
domain_of:
- NetworkProxyProfile
range: NetworkTraffic
recommended: true
load_balancer:
name: load_balancer
description: 'The Load Balancer object contains information related to the device
that is
distributing incoming traffic to specified destinations.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Load Balancer
rank: 1000
alias: load_balancer
owner: TunnelActivity
domain_of:
- LoadBalancerProfile
range: LoadBalancer
recommended: true
activity_name:
name: activity_name
annotations:
group:
tag: group
value: classification
description: The event activity name, as defined by the activity_id.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Activity
rank: 1000
alias: activity_name
owner: TunnelActivity
domain_of:
- BaseEvent
- DataSecurityFinding
- Finding
- IncidentFinding
range: string
category_name:
name: category_name
annotations:
group:
tag: group
value: classification
description: The event category name, as defined by category_uid value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category
rank: 1000
alias: category_name
owner: TunnelActivity
domain_of:
- BaseEvent
range: string
category_uid:
name: category_uid
annotations:
group:
tag: group
value: classification
description: The category unique identifier of the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category ID
rank: 1000
alias: category_uid
owner: TunnelActivity
domain_of:
- BaseEvent
range: BaseEventCategoryUidEnum
required: true
class_name:
name: class_name
annotations:
group:
tag: group
value: classification
description: The event class name, as defined by class_uid value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Class
rank: 1000
alias: class_name
owner: TunnelActivity
domain_of:
- BaseEvent
range: string
class_uid:
name: class_uid
annotations:
group:
tag: group
value: classification
description: 'The unique identifier of a class. A class describes the attributes
available in
an event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Class ID
rank: 1000
alias: class_uid
owner: TunnelActivity
domain_of:
- BaseEvent
range: BaseEventClassUidEnum
required: true
count:
name: count
annotations:
group:
tag: group
value: occurrence
description: 'The number of times that events in the same logical group occurred
during the
event <strong>Start Time</strong> to <strong>End Time</strong> period.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Count
rank: 1000
alias: count
owner: TunnelActivity
domain_of:
- Observation
- RelatedEvent
- Session
- DiscoveryDetails
- UnmannedSystemOperatingArea
- BaseEvent
range: integer
duration:
name: duration
annotations:
group:
tag: group
value: occurrence
description: 'The event duration or aggregate time, the amount of time the event
covers from
<code>start_time</code> to <code>end_time</code> in milliseconds.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Duration Milliseconds
rank: 1000
alias: duration
owner: TunnelActivity
domain_of:
- Span
- Timespan
- Trace
- FirewallRule
- BaseEvent
- ScanActivity
range: integer
end_time:
name: end_time
annotations:
group:
tag: group
value: occurrence
description: 'The end time of a time period, or the time of the most recent event
included in
the aggregate event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- End Time
rank: 1000
alias: end_time
owner: TunnelActivity
domain_of:
- Span
- Timespan
- Trace
- NetworkTraffic
- UnmannedSystemOperatingArea
- MalwareScanInfo
- BaseEvent
- ScanActivity
- Finding
- IncidentFinding
range: TimestampT
enrichments:
name: enrichments
annotations:
group:
tag: group
value: context
description: 'The additional information from an external data source, which is
associated
with the event or a finding. For example, add location information for the IP
address in the DNS answers: <code>[{"name": "answers.ip", "value":
"92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent":
"Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc":
"Yemen"}}]</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Enrichments
rank: 1000
alias: enrichments
owner: TunnelActivity
domain_of:
- BaseEvent
range: Enrichment
multivalued: true
message:
name: message
annotations:
group:
tag: group
value: primary
description: The description of the event/finding, as defined by the source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Message
rank: 1000
alias: message
owner: TunnelActivity
domain_of:
- Response
- Span
- HttpResponse
- LoadBalancer
- BaseEvent
- ApplicationError
range: string
recommended: true
metadata:
name: metadata
annotations:
group:
tag: group
value: context
description: The metadata associated with the event or a finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Metadata
rank: 1000
alias: metadata
owner: TunnelActivity
domain_of:
- BaseEvent
range: Metadata
required: true
observables:
name: observables
annotations:
group:
tag: group
value: primary
description: The observables associated with the event or a finding.
notes:
- 'OCSF Observables FAQ —
https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md
aliases:
- Observables
rank: 1000
alias: observables
owner: TunnelActivity
domain_of:
- RelatedEvent
- BaseEvent
range: Observable
recommended: true
multivalued: true
raw_data:
name: raw_data
annotations:
group:
tag: group
value: context
description: The raw event/finding data as received from the source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data
rank: 1000
alias: raw_data
owner: TunnelActivity
domain_of:
- BaseEvent
range: string
raw_data_hash:
name: raw_data_hash
annotations:
group:
tag: group
value: context
description: 'The hash of the content of the <code>raw_data</code> field.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data Hash
rank: 1000
alias: raw_data_hash
owner: TunnelActivity
domain_of:
- BaseEvent
range: Fingerprint
raw_data_size:
name: raw_data_size
annotations:
group:
tag: group
value: context
description: The size of the raw data which was transformed into an OCSF event,
in bytes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data Size
rank: 1000
alias: raw_data_size
owner: TunnelActivity
domain_of:
- BaseEvent
range: integer
severity:
name: severity
annotations:
group:
tag: group
value: classification
description: 'The event/finding severity, normalized to the caption of the
<code>severity_id</code> value. In the case of ''Other'', it is defined by the
source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity
rank: 1000
alias: severity
owner: TunnelActivity
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Vulnerability
- Check
- Cvss
- KbArticle
- Malware
- BaseEvent
range: string
severity_id:
name: severity_id
annotations:
group:
tag: group
value: classification
description: '<p>The normalized identifier of the event/finding severity.</p>The
normalized severity is a measurement of the effort and expense required to manage
and resolve an event or incident. Smaller numerical values represent lower impact
events, and larger numerical values represent higher impact events.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity ID
rank: 1000
alias: severity_id
owner: TunnelActivity
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Check
- Malware
- BaseEvent
range: SeverityIdEnum
required: true
start_time:
name: start_time
annotations:
group:
tag: group
value: occurrence
description: 'The start time of a time period, or the time of the least recent
event included
in the aggregate event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Start Time
rank: 1000
alias: start_time
owner: TunnelActivity
domain_of:
- Span
- Timespan
- Trace
- NetworkTraffic
- UnmannedSystemOperatingArea
- MalwareScanInfo
- BaseEvent
- ScanActivity
- Finding
- IncidentFinding
range: TimestampT
status:
name: status
annotations:
group:
tag: group
value: primary
description: 'The event status, normalized to the caption of the status_id value.
In the case
of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status
rank: 1000
alias: status
owner: TunnelActivity
domain_of:
- RelatedEvent
- Ticket
- Whois
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- HttpResponse
- BaseEvent
- Finding
- IncidentFinding
- DroneFlightsActivity
range: string
recommended: true
status_code:
name: status_code
annotations:
group:
tag: group
value: primary
description: 'The event status code, as reported by the event source.<br /><br
/>For example,
in a Windows Failed Authentication event, this would be the value of ''Failure
Code'', e.g. 0x18.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Code
rank: 1000
alias: status_code
owner: TunnelActivity
domain_of:
- Span
- Compliance
- BaseEvent
- EventLogActvity
range: string
recommended: true
status_detail:
name: status_detail
annotations:
group:
tag: group
value: primary
description: 'The status detail contains additional information about the event/finding
outcome.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Detail
rank: 1000
alias: status_detail
owner: TunnelActivity
domain_of:
- Compliance
- LoadBalancer
- BaseEvent
- Authentication
- EventLogActvity
range: string
recommended: true
status_id:
name: status_id
annotations:
group:
tag: group
value: primary
description: The normalized identifier of the event status.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status ID
rank: 1000
alias: status_id
owner: TunnelActivity
domain_of:
- Ticket
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- BaseEvent
- Finding
- IncidentFinding
- RemediationActivity
- DroneFlightsActivity
range: StatusIdEnum
recommended: true
time:
name: time
annotations:
group:
tag: group
value: occurrence
description: The normalized event occurrence time or the finding creation time.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Event Time
rank: 1000
alias: time
owner: TunnelActivity
domain_of:
- TransformationInfo
- BaseEvent
range: TimestampT
required: true
timezone_offset:
name: timezone_offset
annotations:
group:
tag: group
value: occurrence
description: 'The number of minutes that the reported event <code>time</code>
is ahead or
behind UTC, in the range -1,080 to +1,080.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Timezone Offset
rank: 1000
alias: timezone_offset
owner: TunnelActivity
domain_of:
- BaseEvent
range: integer
recommended: true
type_name:
name: type_name
annotations:
group:
tag: group
value: classification
description: The event/finding type name, as defined by the type_uid.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type Name
rank: 1000
alias: type_name
owner: TunnelActivity
domain_of:
- RelatedEvent
- BaseEvent
range: string
type_uid:
name: type_uid
annotations:
group:
tag: group
value: classification
description: 'The event/finding type ID. It identifies the event''s semantics
and structure.
The value is calculated by the logging system as: <code>class_uid * 100 +
activity_id</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_uid
owner: TunnelActivity
domain_of:
- Observable
- RelatedEvent
- BaseEvent
range: integer
required: true
unmapped:
name: unmapped
annotations:
group:
tag: group
value: context
description: 'The attributes that are not mapped to the event schema. The names
and values of
those attributes are specific to the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unmapped Data
rank: 1000
alias: unmapped
owner: TunnelActivity
domain_of:
- BaseEvent
range: Object
api:
name: api
annotations:
group:
tag: group
value: context
description: Describes details about a typical API (Application Programming Interface)
call.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- API Details
rank: 1000
alias: api
owner: TunnelActivity
domain_of:
- Evidences
- CloudProfile
- ApiActivity
range: Api
cloud:
name: cloud
annotations:
group:
tag: group
value: primary
description: 'Describes details about the Cloud environment where the event or
finding was
created.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Cloud
rank: 1000
alias: cloud
owner: TunnelActivity
domain_of:
- CloudProfile
- CloudResourcesInventoryInfo
range: Cloud
required: true
actor:
name: actor
description: 'The actor object describes details about the user/role/process that
was the
source of the activity. Note that this is not the threat actor of a campaign
but may be part of a campaign.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Actor
rank: 1000
alias: actor
owner: TunnelActivity
domain_of:
- Evidences
- HostProfile
- ApiActivity
- DatastoreActivity
- FileHosting
- ConfigState
- DeviceConfigStateChange
- InventoryInfo
- OsintInventoryInfo
- SoftwareInfo
- UserInventory
- DataSecurityFinding
- IamEvent
- NetworkFileActivity
- SystemEvent
- EventLogActvity
- FileActivity
- KernelExtensionActivity
- ModuleActivity
- ProcessActivity
- ScheduledJobActivity
- RegistryKeyActivity
- RegistryValueActivity
range: Actor
osint:
name: osint
annotations:
group:
tag: group
value: primary
description: 'The OSINT (Open Source Intelligence) object contains details related
to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OSINT
rank: 1000
alias: osint
owner: TunnelActivity
domain_of:
- OsintProfile
- OsintInventoryInfo
range: Osint
required: true
multivalued: true
action:
name: action
description: The normalized caption of <code>action_id</code>.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Action
rank: 1000
alias: action
owner: TunnelActivity
domain_of:
- SecurityControlProfile
range: string
action_id:
name: action_id
annotations:
sibling:
tag: sibling
value: action
description: 'The action taken by a control or other policy-based system leading
to an
outcome or disposition. An unknown action may still correspond to a known
disposition. Refer to <code>disposition_id</code> for the outcome of the
action.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Action ID
rank: 1000
alias: action_id
owner: TunnelActivity
domain_of:
- SecurityControlProfile
range: ActionIdEnum
recommended: true
attacks:
name: attacks
description: 'An array of MITRE ATT&CK® objects describing identified tactics,
techniques &
sub-techniques. The objects are compatible with MITRE ATLAS™ tactics,
techniques & sub-techniques.'
notes:
- MITRE ATT&CK® — https://attack.mitre.org
- MITRE ATLAS — https://atlas.mitre.org/matrices/ATLAS
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE ATT&CK® and ATLAS™ Details
rank: 1000
alias: attacks
owner: TunnelActivity
domain_of:
- Osint
- RelatedEvent
- FindingInfo
- SecurityControlProfile
- IncidentFinding
- SecurityFinding
range: Attack
multivalued: true
authorizations:
name: authorizations
description: 'Provides details about an authorization, such as authorization outcome,
and any
associated policies related to the activity/event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Authorization Information
rank: 1000
alias: authorizations
owner: TunnelActivity
domain_of:
- Actor
- SecurityControlProfile
range: Authorization
multivalued: true
confidence:
name: confidence
annotations:
group:
tag: group
value: context
description: 'The confidence, normalized to the caption of the confidence_id value.
In the
case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence
rank: 1000
alias: confidence
owner: TunnelActivity
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: string
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: context
description: 'The normalized confidence refers to the accuracy of the rule that
created the finding. A rule with low confidence has a wide scope and may produce
findings that are not malicious in nature.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence ID
rank: 1000
alias: confidence_id
owner: TunnelActivity
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: ConfidenceIdEnum
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: context
description: The confidence score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence Score
rank: 1000
alias: confidence_score
owner: TunnelActivity
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: integer
disposition:
name: disposition
description: 'The disposition name, normalized to the caption of the disposition_id
value. In
the case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Disposition
rank: 1000
alias: disposition
owner: TunnelActivity
domain_of:
- SecurityControlProfile
range: string
disposition_id:
name: disposition_id
annotations:
sibling:
tag: sibling
value: disposition
description: 'Describes the outcome or action taken by a security control, such
as access
control checks, malware detections or various types of policy violations.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Disposition ID
rank: 1000
alias: disposition_id
owner: TunnelActivity
domain_of:
- SecurityControlProfile
range: DispositionIdEnum
recommended: true
firewall_rule:
name: firewall_rule
description: 'The firewall rule that pertains to the control that triggered the
event, if
applicable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Firewall Rule
rank: 1000
alias: firewall_rule
owner: TunnelActivity
domain_of:
- SecurityControlProfile
range: FirewallRule
is_alert:
name: is_alert
description: 'Indicates that the event is considered to be an alertable signal.
Should be set
to <code>true</code> if <code>disposition_id = Alert</code> among other
dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code>
of
the event is elevated. Not all control events will be alertable, for example
if
<code>disposition_id = Exonerated</code> or <code>disposition_id =
Allowed</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Alert
rank: 1000
alias: is_alert
owner: TunnelActivity
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
range: boolean
recommended: true
malware:
name: malware
description: A list of Malware objects, describing details about the identified
malware.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware
rank: 1000
alias: malware
owner: TunnelActivity
domain_of:
- Osint
- SecurityControlProfile
- DetectionFinding
- SecurityFinding
range: Malware
multivalued: true
malware_scan_info:
name: malware_scan_info
description: 'Describes details about the scan job that identified malware on
the target
system.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware Scan Info
rank: 1000
alias: malware_scan_info
owner: TunnelActivity
domain_of:
- SecurityControlProfile
- DetectionFinding
range: MalwareScanInfo
policy:
name: policy
description: 'The policy that pertains to the control that triggered the event,
if
applicable. For example the name of an anti-malware policy or an access control
policy.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Policy
rank: 1000
alias: policy
owner: TunnelActivity
domain_of:
- PermissionAnalysisResult
- AdditionalRestriction
- Assessment
- Authorization
- DataClassification
- DataSecurity
- ManagedEntity
- SecurityControlProfile
- ScanActivity
- AccountChange
range: Policy
risk_details:
name: risk_details
annotations:
group:
tag: group
value: context
description: Describes the risk associated with the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Details
rank: 1000
alias: risk_details
owner: TunnelActivity
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
range: string
risk_level:
name: risk_level
annotations:
group:
tag: group
value: context
description: The risk level, normalized to the caption of the risk_level_id value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level
rank: 1000
alias: risk_level
owner: TunnelActivity
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: string
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: context
description: The normalized risk level id.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level ID
rank: 1000
alias: risk_level_id
owner: TunnelActivity
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: RiskLevelIdEnum
risk_score:
name: risk_score
annotations:
group:
tag: group
value: context
description: The risk score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Score
rank: 1000
alias: risk_score
owner: TunnelActivity
domain_of:
- Osint
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: integer
rules:
- postconditions:
any_of:
- slot_conditions:
connection_info:
name: connection_info
required: true
- slot_conditions:
session:
name: session
required: true
- slot_conditions:
src_endpoint:
name: src_endpoint
required: true
- slot_conditions:
traffic:
name: traffic
required: true
- slot_conditions:
tunnel_interface:
name: tunnel_interface
required: true
- slot_conditions:
tunnel_type_id:
name: tunnel_type_id
required: true
description: 'OCSF at_least_one: at least one of [''connection_info'', ''session'',
''src_endpoint'', ''traffic'', ''tunnel_interface'', ''tunnel_type_id''] must
be set.'