
Class: WindowsEvidences

Extends the evidences object to add Windows specific fields

URI: ocsf:WindowsEvidences

 classDiagram
    class WindowsEvidences
    click WindowsEvidences href "../WindowsEvidences/"
      Evidences <|-- WindowsEvidences
        click Evidences href "../Evidences/"

      WindowsEvidences : actor
        WindowsEvidences --> "0..1 _recommended_" Actor : actor
        click Actor href "../Actor/"

      WindowsEvidences : api
        WindowsEvidences --> "0..1 _recommended_" Api : api
        click Api href "../Api/"

      WindowsEvidences : connection_info
        WindowsEvidences --> "0..1 _recommended_" NetworkConnectionInfo : connection_info
        click NetworkConnectionInfo href "../NetworkConnectionInfo/"

      WindowsEvidences : container
        WindowsEvidences --> "0..1 _recommended_" Container : container
        click Container href "../Container/"

      WindowsEvidences : data

      WindowsEvidences : database
        WindowsEvidences --> "0..1 _recommended_" Database : database
        click Database href "../Database/"

      WindowsEvidences : databucket
        WindowsEvidences --> "0..1 _recommended_" Databucket : databucket
        click Databucket href "../Databucket/"

      WindowsEvidences : device
        WindowsEvidences --> "0..1 _recommended_" Device : device
        click Device href "../Device/"

      WindowsEvidences : dst_endpoint
        WindowsEvidences --> "0..1 _recommended_" NetworkEndpoint : dst_endpoint
        click NetworkEndpoint href "../NetworkEndpoint/"

      WindowsEvidences : email
        WindowsEvidences --> "0..1 _recommended_" Email : email
        click Email href "../Email/"

      WindowsEvidences : file
        WindowsEvidences --> "0..1 _recommended_" File : file
        click File href "../File/"

      WindowsEvidences : http_request
        WindowsEvidences --> "0..1 _recommended_" HttpRequest : http_request
        click HttpRequest href "../HttpRequest/"

      WindowsEvidences : http_response
        WindowsEvidences --> "0..1 _recommended_" HttpResponse : http_response
        click HttpResponse href "../HttpResponse/"

      WindowsEvidences : ja4_fingerprint_list
        WindowsEvidences --> "* _recommended_" Ja4Fingerprint : ja4_fingerprint_list
        click Ja4Fingerprint href "../Ja4Fingerprint/"

      WindowsEvidences : job
        WindowsEvidences --> "0..1 _recommended_" Job : job
        click Job href "../Job/"

      WindowsEvidences : name

      WindowsEvidences : process
        WindowsEvidences --> "0..1 _recommended_" Process : process
        click Process href "../Process/"

      WindowsEvidences : query
        WindowsEvidences --> "0..1 _recommended_" DnsQuery : query
        click DnsQuery href "../DnsQuery/"

      WindowsEvidences : reg_key
        WindowsEvidences --> "0..1 _recommended_" RegKey : reg_key
        click RegKey href "../RegKey/"

      WindowsEvidences : reg_value
        WindowsEvidences --> "0..1 _recommended_" RegValue : reg_value
        click RegValue href "../RegValue/"

      WindowsEvidences : resources
        WindowsEvidences --> "* _recommended_" ResourceDetails : resources
        click ResourceDetails href "../ResourceDetails/"

      WindowsEvidences : script
        WindowsEvidences --> "0..1 _recommended_" Script : script
        click Script href "../Script/"

      WindowsEvidences : src_endpoint
        WindowsEvidences --> "0..1 _recommended_" NetworkEndpoint : src_endpoint
        click NetworkEndpoint href "../NetworkEndpoint/"

      WindowsEvidences : tls
        WindowsEvidences --> "0..1 _recommended_" Tls : tls
        click Tls href "../Tls/"

      WindowsEvidences : uid

      WindowsEvidences : url
        WindowsEvidences --> "0..1 _recommended_" Url : url
        click Url href "../Url/"

      WindowsEvidences : user
        WindowsEvidences --> "0..1 _recommended_" User : user
        click User href "../User/"

      WindowsEvidences : verdict

      WindowsEvidences : verdict_id
        WindowsEvidences --> "0..1" EvidencesVerdictIdEnum : verdict_id
        click EvidencesVerdictIdEnum href "../EvidencesVerdictIdEnum/"

      WindowsEvidences : win_service
        WindowsEvidences --> "0..1 _recommended_" WinService : win_service
        click WinService href "../WinService/"

Inheritance

Slots

Name | Cardinality and Range | Description | Inheritance
reg_key | 0..1 recommended, RegKey | Describes details about the registry key that triggered the detection. | direct
reg_value | 0..1 recommended, RegValue | Describes details about the registry value that triggered the detection. | direct
win_service | 0..1 recommended, WinService | Describes details about the Windows service that triggered the detection. | direct
actor | 0..1 recommended, Actor | Describes details about the user/role/process that was the source of the activity that triggered the detection. | Evidences
api | 0..1 recommended, Api | Describes details about the API call associated to the activity that triggered the detection. | Evidences
connection_info | 0..1 recommended, NetworkConnectionInfo | Describes details about the network connection associated to the activity that triggered the detection. | Evidences
container | 0..1 recommended, Container | Describes details about the container associated to the activity that triggered the detection. | Evidences
data | 0..1, String | Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary. | Evidences
database | 0..1 recommended, Database | Describes details about the database associated to the activity that triggered the detection. | Evidences
databucket | 0..1 recommended, Databucket | Describes details about the databucket associated to the activity that triggered the detection. | Evidences
device | 0..1 recommended, Device | An addressable device, computer system or host associated to the activity that triggered the detection. | Evidences
dst_endpoint | 0..1 recommended, NetworkEndpoint | Describes details about the destination of the network activity that triggered the detection. | Evidences
email | 0..1 recommended, Email | The email object associated to the activity that triggered the detection. | Evidences
file | 0..1 recommended, File | Describes details about the file associated to the activity that triggered the detection. | Evidences
http_request | 0..1 recommended, HttpRequest | Describes details about the http request associated to the activity that triggered the detection. | Evidences
http_response | 0..1 recommended, HttpResponse | Describes details about the http response associated to the activity that triggered the detection. | Evidences
ja4_fingerprint_list | * recommended, Ja4Fingerprint | Describes details about the JA4+ fingerprints that triggered the detection. | Evidences
job | 0..1 recommended, Job | Describes details about the scheduled job that was associated with the activity that triggered the detection. | Evidences
name | 0..1 recommended, String | The naming convention or type identifier of the evidence associated with the security detection. | Entity, Evidences
process | 0..1 recommended, Process | Describes details about the process associated to the activity that triggered the detection. | Evidences
query | 0..1 recommended, DnsQuery | Describes details about the DNS query associated to the activity that triggered the detection. | Evidences
resources | * recommended, ResourceDetails | Describes details about the cloud resources directly related to activity that triggered the detection. | Evidences
script | 0..1 recommended, Script | Describes details about the script that was associated with the activity that triggered the detection. | Evidences
src_endpoint | 0..1 recommended, NetworkEndpoint | Describes details about the source of the network activity that triggered the detection. | Evidences
tls | 0..1 recommended, Tls | Describes details about the Transport Layer Security (TLS) activity that triggered the detection. | Evidences
uid | 0..1 recommended, String | The unique identifier of the evidence associated with the security detection. | Entity, Evidences
url | 0..1 recommended, Url | The URL object that pertains to the event or object associated to the activity that triggered the detection. | Evidences
user | 0..1 recommended, User | Describes details about the user that was the target or somehow else associated with the activity that triggered the detection. | Evidences
verdict | 0..1, String | The normalized verdict of the evidence associated with the security detection. | Evidences
verdict_id | 0..1, EvidencesVerdictIdEnum | The normalized verdict (or status) ID of the evidence associated with the security detection. | Evidences

Rules

Rule Applied | Preconditions | Postconditions | Elseconditions
 | | any_of: one slot_conditions entry with required: True for each of actor, api, connection_info, data, database, databucket, device, dst_endpoint, email, file, process, query, src_endpoint, url, user, job, script, reg_key, reg_value, win_service | 
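The rule above is easy to get wrong in a producer: an evidence object with a present-but-empty slot (for example `"file": {}`) satisfies a naive "key exists" check while carrying no evidence at all. The validator below is an added example, not part of the OCSF schema or the LinkML generator; the slot lists are transcribed from this page, the sample records are constructed, and the fields inside the nested objects (`path`, `name`, `pid`, `type`) are assumed and not checked against their own schemas.

```python
"""Check a WindowsEvidences object against the page's at_least_one rule."""
from __future__ import annotations

from typing import Any

# Transcribed from this page's ocsf_constraints annotation: the object is only
# valid when at least one of these slots is populated.
AT_LEAST_ONE = (
    "actor", "api", "connection_info", "data", "database", "databucket",
    "device", "dst_endpoint", "email", "file", "process", "query",
    "src_endpoint", "url", "user", "job", "script", "reg_key", "reg_value",
    "win_service",
)
# Remaining slots from the page's Slots table; none of them satisfy the rule.
OTHER_SLOTS = (
    "container", "http_request", "http_response", "ja4_fingerprint_list",
    "name", "resources", "tls", "uid", "verdict", "verdict_id",
)
ALL_SLOTS = frozenset(AT_LEAST_ONE + OTHER_SLOTS)
WINDOWS_SLOTS = frozenset({"reg_key", "reg_value", "win_service"})  # the extension's own slots
MULTIVALUED = frozenset({"ja4_fingerprint_list", "resources"})        # cardinality "*" on the page
STRING_SLOTS = frozenset({"data", "name", "uid", "verdict"})           # range String on the page


def is_populated(value: Any) -> bool:
    """A slot counts as set only when it carries content: None, "", [] and {} do not."""
    if value is None:
        return False
    if isinstance(value, (str, list, dict)):
        return len(value) > 0
    return True


def populated_rule_slots(evidence: dict[str, Any]) -> list[str]:
    """Slots from the at_least_one list that are actually populated, in schema order."""
    return [slot for slot in AT_LEAST_ONE if is_populated(evidence.get(slot))]


def validate(evidence: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one WindowsEvidences object."""
    errors: list[str] = []
    warnings: list[str] = []
    for slot in sorted(set(evidence) - ALL_SLOTS):
        errors.append(f"unknown slot {slot!r}")
    for slot in sorted(MULTIVALUED & set(evidence)):
        if not isinstance(evidence[slot], list):
            errors.append(f"{slot} must be a list")
    for slot in sorted(STRING_SLOTS & set(evidence)):
        if not isinstance(evidence[slot], str):
            errors.append(f"{slot} must be a string")
    present = populated_rule_slots(evidence)
    if not present:
        errors.append("at_least_one violated: no evidence slot is populated")
    elif present == ["data"]:
        # The page marks 'data' as a last resort; a record that carries only
        # free-form data is valid but poorly normalized.
        warnings.append("only free-form 'data' is set; prefer a typed evidence slot")
    if not WINDOWS_SLOTS & set(present):
        warnings.append("no Windows extension slot set; base Evidences may fit better")
    return errors, warnings


# Constructed sample records (not taken from any real product feed).
REGISTRY_DETECTION = {
    "uid": "evidence-0001",
    "name": "registry_run_key_modified",
    "process": {"name": "updater.exe", "pid": 4242},
    "reg_key": {"path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    "reg_value": {"name": "Updater", "type": "REG_SZ"},
    "verdict": "Malicious",
}
EMPTY_FILE_ONLY = {"uid": "evidence-0002", "file": {}}
FREEFORM_ONLY = {"data": "raw vendor blob"}
BAD_SHAPES = {"resources": {"uid": "r1"}, "data": 42, "bogus": 1}

if __name__ == "__main__":
    for label, record in [("registry", REGISTRY_DETECTION), ("empty file", EMPTY_FILE_ONLY),
                          ("free-form", FREEFORM_ONLY), ("bad shapes", BAD_SHAPES)]:
        errs, warns = validate(record)
        print(f"{label}: errors={errs} warnings={warns}")
```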

In Subsets

Aliases

  • Windows Evidence Artifacts

Identifier and Mapping Information

Annotations

property | value
ocsf_constraints | {"at_least_one": ["actor", "api", "connection_info", "data", "database", "databucket", "device", "dst_endpoint", "email", "file", "process", "query", "src_endpoint", "url", "user", "job", "script", "reg_key", "reg_value", "win_service"]}
ocsf_extension | windows

Schema Source

Mappings

Mapping Type | Mapped Value
self | ocsf:WindowsEvidences
native | ocsf:WindowsEvidences

LinkML Source

Direct

name: WindowsEvidences
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["actor", "api", "connection_info", "data", "database",

      "databucket", "device", "dst_endpoint", "email", "file", "process", "query",

      "src_endpoint", "url", "user", "job", "script", "reg_key", "reg_value",

      "win_service"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: Extends the evidences object to add Windows specific fields
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Windows Evidence Artifacts
is_a: Evidences
slots:
- reg_key
- reg_value
- win_service
slot_usage:
  reg_key:
    name: reg_key
    description: Describes details about the registry key that triggered the detection.
    recommended: true
  reg_value:
    name: reg_value
    description: Describes details about the registry value that triggered the detection.
    recommended: true
  win_service:
    name: win_service
    description: Describes details about the Windows service that triggered the detection.
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        actor:
          name: actor
          required: true
    - slot_conditions:
        api:
          name: api
          required: true
    - slot_conditions:
        connection_info:
          name: connection_info
          required: true
    - slot_conditions:
        data:
          name: data
          required: true
    - slot_conditions:
        database:
          name: database
          required: true
    - slot_conditions:
        databucket:
          name: databucket
          required: true
    - slot_conditions:
        device:
          name: device
          required: true
    - slot_conditions:
        dst_endpoint:
          name: dst_endpoint
          required: true
    - slot_conditions:
        email:
          name: email
          required: true
    - slot_conditions:
        file:
          name: file
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        query:
          name: query
          required: true
    - slot_conditions:
        src_endpoint:
          name: src_endpoint
          required: true
    - slot_conditions:
        url:
          name: url
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        script:
          name: script
          required: true
    - slot_conditions:
        reg_key:
          name: reg_key
          required: true
    - slot_conditions:
        reg_value:
          name: reg_value
          required: true
    - slot_conditions:
        win_service:
          name: win_service
          required: true
  description: 'OCSF at_least_one: at least one of [''actor'', ''api'', ''connection_info'',
    ''data'',

    ''database'', ''databucket'', ''device'', ''dst_endpoint'', ''email'', ''file'',
    ''process'',

    ''query'', ''src_endpoint'', ''url'', ''user'', ''job'', ''script'', ''reg_key'',

    ''reg_value'', ''win_service''] must be set.'

Induced

name: WindowsEvidences
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["actor", "api", "connection_info", "data", "database",

      "databucket", "device", "dst_endpoint", "email", "file", "process", "query",

      "src_endpoint", "url", "user", "job", "script", "reg_key", "reg_value",

      "win_service"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: Extends the evidences object to add Windows specific fields
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Windows Evidence Artifacts
is_a: Evidences
slot_usage:
  reg_key:
    name: reg_key
    description: Describes details about the registry key that triggered the detection.
    recommended: true
  reg_value:
    name: reg_value
    description: Describes details about the registry value that triggered the detection.
    recommended: true
  win_service:
    name: win_service
    description: Describes details about the Windows service that triggered the detection.
    recommended: true
attributes:
  reg_key:
    name: reg_key
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: Describes details about the registry key that triggered the detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry Key
    rank: 1000
    alias: reg_key
    owner: WindowsEvidences
    domain_of:
    - WindowsEvidences
    - WindowsQueryEvidence
    - RegistryKeyActivity
    - RegistryKeyQuery
    range: RegKey
    recommended: true
  reg_value:
    name: reg_value
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: Describes details about the registry value that triggered the detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry Value
    rank: 1000
    alias: reg_value
    owner: WindowsEvidences
    domain_of:
    - WindowsEvidences
    - WindowsQueryEvidence
    - RegistryValueActivity
    - RegistryValueQuery
    range: RegValue
    recommended: true
  win_service:
    name: win_service
    annotations:
      ocsf_extension:
        tag: ocsf_extension
        value: windows
    description: Describes details about the Windows service that triggered the detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Windows Service
    rank: 1000
    alias: win_service
    owner: WindowsEvidences
    domain_of:
    - WindowsEvidences
    - WindowsStartupItem
    - WindowsServiceActivity
    range: WinService
    recommended: true
  actor:
    name: actor
    description: 'Describes details about the user/role/process that was the source
      of the

      activity that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Actor
    rank: 1000
    alias: actor
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - HostProfile
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - ConfigState
    - DeviceConfigStateChange
    - InventoryInfo
    - OsintInventoryInfo
    - SoftwareInfo
    - UserInventory
    - DataSecurityFinding
    - IamEvent
    - NetworkFileActivity
    - SystemEvent
    - EventLogActvity
    - FileActivity
    - KernelExtensionActivity
    - ModuleActivity
    - ProcessActivity
    - ScheduledJobActivity
    - RegistryKeyActivity
    - RegistryValueActivity
    range: Actor
    recommended: true
  api:
    name: api
    description: 'Describes details about the API call associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - API Details
    rank: 1000
    alias: api
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - CloudProfile
    - ApiActivity
    range: Api
    recommended: true
  connection_info:
    name: connection_info
    description: 'Describes details about the network connection associated to the
      activity that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Connection Info
    rank: 1000
    alias: connection_info
    owner: WindowsEvidences
    domain_of:
    - QueryEvidence
    - Evidences
    - FileHosting
    - NetworkConnectionQuery
    - NetworkEvent
    - DnsActivity
    - NetworkFileActivity
    - RdpActivity
    - TunnelActivity
    - NetworkRemediationActivity
    - UnmannedSystemsEvent
    range: NetworkConnectionInfo
    recommended: true
  container:
    name: container
    description: 'Describes details about the container associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  data:
    name: data
    description: 'Additional evidence data that is not accounted for in the specific
      evidence

      attributes.<code> Use only when absolutely necessary.</code>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data
    rank: 1000
    alias: data
    owner: WindowsEvidences
    domain_of:
    - Request
    - Response
    - TlsExtension
    - Resource
    - ApplicationObject
    - Edge
    - Enrichment
    - Evidences
    - ManagedEntity
    - Node
    - Policy
    - QueryInfo
    - WebResource
    - RegValue
    range: string
  database:
    name: database
    description: 'Describes details about the database associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Database
    rank: 1000
    alias: database
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - DatastoreActivity
    - CloudResourcesInventoryInfo
    - DataSecurityFinding
    range: Database
    recommended: true
  databucket:
    name: databucket
    description: 'Describes details about the databucket associated to the activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Databucket
    rank: 1000
    alias: databucket
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - DatastoreActivity
    - CloudResourcesInventoryInfo
    - DataSecurityFinding
    range: Databucket
    recommended: true
  device:
    name: device
    description: 'An addressable device, computer system or host associated to the
      activity that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Device
    rank: 1000
    alias: device
    owner: WindowsEvidences
    domain_of:
    - AuthFactor
    - Evidences
    - Logger
    - ManagedEntity
    - HostProfile
    - ConfigState
    - DeviceConfigStateChange
    - EvidenceInfo
    - InventoryInfo
    - PatchState
    - SoftwareInfo
    - DataSecurityFinding
    - Finding
    - RdpActivity
    - TunnelActivity
    - SystemEvent
    - EventLogActvity
    range: Device
    recommended: true
  dst_endpoint:
    name: dst_endpoint
    description: 'Describes details about the destination of the network activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Destination Endpoint
    rank: 1000
    alias: dst_endpoint
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - LoadBalancer
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourcesActivity
    - DataSecurityFinding
    - Authentication
    - AuthorizeSession
    - NetworkEvent
    - DhcpActivity
    - DnsActivity
    - EmailActivity
    - NetworkActivity
    - NetworkFileActivity
    - TunnelActivity
    - EventLogActvity
    - UnmannedSystemsEvent
    - AirborneBroadcastActivity
    range: NetworkEndpoint
    recommended: true
  email:
    name: email
    description: The email object associated to the activity that triggered the detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Email
    rank: 1000
    alias: email
    owner: WindowsEvidences
    domain_of:
    - Osint
    - Evidences
    - ManagedEntity
    - EmailActivity
    range: Email
    recommended: true
  file:
    name: file
    description: 'Describes details about the file associated to the activity that
      triggered the

      detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: WindowsEvidences
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  http_request:
    name: http_request
    description: 'Describes details about the http request associated to the activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - HTTP Request
    rank: 1000
    alias: http_request
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourceAccessActivity
    - WebResourcesActivity
    - IamEvent
    - HttpActivity
    range: HttpRequest
    recommended: true
  http_response:
    name: http_response
    description: 'Describes details about the http response associated to the activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - HTTP Response
    rank: 1000
    alias: http_response
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourceAccessActivity
    - WebResourcesActivity
    - IamEvent
    - HttpActivity
    range: HttpResponse
    recommended: true
  ja4_fingerprint_list:
    name: ja4_fingerprint_list
    description: Describes details about the JA4+ fingerprints that triggered the
      detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - JA4+ Fingerprints
    rank: 1000
    alias: ja4_fingerprint_list
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - NetworkEvent
    range: Ja4Fingerprint
    recommended: true
    multivalued: true
  job:
    name: job
    description: 'Describes details about the scheduled job that was associated with
      the activity

      that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Job
    rank: 1000
    alias: job
    owner: WindowsEvidences
    domain_of:
    - QueryEvidence
    - StartupItem
    - Evidences
    - JobQuery
    - ScheduledJobActivity
    range: Job
    recommended: true
  name:
    name: name
    description: 'The naming convention or type identifier of the evidence associated
      with the

      security detection. For example, the <code>@odata.type</code> from Microsoft

      Graph Alerts V2 or <code>display_name</code> from CrowdStrike Falcon Incident

      Behaviors.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: WindowsEvidences
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  process:
    name: process
    description: 'Describes details about the process associated to the activity that
      triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process
    rank: 1000
    alias: process
    owner: WindowsEvidences
    domain_of:
    - QueryEvidence
    - StartupItem
    - Actor
    - Evidences
    - ModuleQuery
    - NetworkConnectionQuery
    - ProcessQuery
    - SecurityFinding
    - ProcessRemediationActivity
    - MemoryActivity
    - ProcessActivity
    range: Process
    recommended: true
  query:
    name: query
    description: 'Describes details about the DNS query associated to the activity
      that triggered

      the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - DNS Query
    rank: 1000
    alias: query
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - DnsActivity
    range: DnsQuery
    recommended: true
  resources:
    name: resources
    description: 'Describes details about the cloud resources directly related to
      activity that

      triggered the detection. For resources impacted by the detection, use

      <code>Affected Resources</code> at the top-level of the finding.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Resources Array
    rank: 1000
    alias: resources
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - ApiActivity
    - CloudResourcesInventoryInfo
    - ApplicationSecurityPostureFinding
    - ComplianceFinding
    - DataSecurityFinding
    - DetectionFinding
    - IamAnalysisFinding
    - SecurityFinding
    - VulnerabilityFinding
    - UserAccess
    range: ResourceDetails
    recommended: true
    multivalued: true
  script:
    name: script
    description: 'Describes details about the script that was associated with the
      activity that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Script
    rank: 1000
    alias: script
    owner: WindowsEvidences
    domain_of:
    - Osint
    - Evidences
    - ScriptActivity
    range: Script
    recommended: true
  src_endpoint:
    name: src_endpoint
    description: 'Describes details about the source of the network activity that
      triggered the

      detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Source Endpoint
    rank: 1000
    alias: src_endpoint
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - ApiActivity
    - DatastoreActivity
    - FileHosting
    - WebResourceAccessActivity
    - WebResourcesActivity
    - DataSecurityFinding
    - IamEvent
    - NetworkEvent
    - DhcpActivity
    - EmailActivity
    - NetworkActivity
    - NetworkFileActivity
    - TunnelActivity
    - EventLogActvity
    - UnmannedSystemsEvent
    - AirborneBroadcastActivity
    - DroneFlightsActivity
    range: NetworkEndpoint
    recommended: true
  tls:
    name: tls
    description: 'Describes details about the Transport Layer Security (TLS) activity
      that

      triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - TLS
    rank: 1000
    alias: tls
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - WebResourceAccessActivity
    - WebResourcesActivity
    - NetworkEvent
    - UnmannedSystemsEvent
    range: Tls
    recommended: true
  uid:
    name: uid
    description: 'The unique identifier of the evidence associated with the security
      detection.

      For example, the <code>activity_id</code> from CrowdStrike Falcon Alerts or

      <code>behavior_id</code> from CrowdStrike Falcon Incident Behaviors.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: WindowsEvidences
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  url:
    name: url
    description: 'The URL object that pertains to the event or object associated to
      the activity

      that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - URL
    rank: 1000
    alias: url
    owner: WindowsEvidences
    domain_of:
    - ApplicationObject
    - Evidences
    - File
    - HttpRequest
    - EmailUrlActivity
    - NetworkActivity
    range: Url
    recommended: true
  user:
    name: user
    description: 'Describes details about the user that was the target or somehow
      else associated

      with the activity that triggered the detection.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: WindowsEvidences
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
  verdict:
    name: verdict
    description: The normalized verdict of the evidence associated with the security
      detection.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Verdict
    rank: 1000
    alias: verdict
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - IncidentProfile
    - IncidentFinding
    range: string
  verdict_id:
    name: verdict_id
    annotations:
      sibling:
        tag: sibling
        value: verdict
    description: 'The normalized verdict (or status) ID of the evidence associated
      with the

      security detection. For example, Microsoft Graph Security Alerts contain a

      <code>verdict</code> enumeration for each type of <code>evidence</code>

      associated with the Alert. This is typically set by an automated investigation

      process or an analyst/investigator assigned to the finding.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Verdict ID
    rank: 1000
    alias: verdict_id
    owner: WindowsEvidences
    domain_of:
    - Evidences
    - IncidentProfile
    - IncidentFinding
    range: EvidencesVerdictIdEnum
rules:
- postconditions:
    any_of:
    - slot_conditions:
        actor:
          name: actor
          required: true
    - slot_conditions:
        api:
          name: api
          required: true
    - slot_conditions:
        connection_info:
          name: connection_info
          required: true
    - slot_conditions:
        data:
          name: data
          required: true
    - slot_conditions:
        database:
          name: database
          required: true
    - slot_conditions:
        databucket:
          name: databucket
          required: true
    - slot_conditions:
        device:
          name: device
          required: true
    - slot_conditions:
        dst_endpoint:
          name: dst_endpoint
          required: true
    - slot_conditions:
        email:
          name: email
          required: true
    - slot_conditions:
        file:
          name: file
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        query:
          name: query
          required: true
    - slot_conditions:
        src_endpoint:
          name: src_endpoint
          required: true
    - slot_conditions:
        url:
          name: url
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        script:
          name: script
          required: true
    - slot_conditions:
        reg_key:
          name: reg_key
          required: true
    - slot_conditions:
        reg_value:
          name: reg_value
          required: true
    - slot_conditions:
        win_service:
          name: win_service
          required: true
  description: 'OCSF at_least_one: at least one of [''actor'', ''api'', ''connection_info'',
    ''data'',

    ''database'', ''databucket'', ''device'', ''dst_endpoint'', ''email'', ''file'',
    ''process'',

    ''query'', ''src_endpoint'', ''url'', ''user'', ''job'', ''script'', ''reg_key'',

    ''reg_value'', ''win_service''] must be set.'