Class: WindowsQueryEvidence
The resulting evidence information that was queried.
URI: ocsf:WindowsQueryEvidence
classDiagram
class WindowsQueryEvidence
click WindowsQueryEvidence href "../WindowsQueryEvidence/"
QueryEvidence <|-- WindowsQueryEvidence
click QueryEvidence href "../QueryEvidence/"
WindowsQueryEvidence : connection_info
WindowsQueryEvidence --> "0..1 _recommended_" NetworkConnectionInfo : connection_info
click NetworkConnectionInfo href "../NetworkConnectionInfo/"
WindowsQueryEvidence : file
WindowsQueryEvidence --> "0..1 _recommended_" File : file
click File href "../File/"
WindowsQueryEvidence : folder
WindowsQueryEvidence --> "0..1 _recommended_" File : folder
click File href "../File/"
WindowsQueryEvidence : group
WindowsQueryEvidence --> "0..1 _recommended_" Group : group
click Group href "../Group/"
WindowsQueryEvidence : job
WindowsQueryEvidence --> "0..1 _recommended_" Job : job
click Job href "../Job/"
WindowsQueryEvidence : kernel
WindowsQueryEvidence --> "0..1 _recommended_" Kernel : kernel
click Kernel href "../Kernel/"
WindowsQueryEvidence : module
WindowsQueryEvidence --> "0..1 _recommended_" Module : module
click Module href "../Module/"
WindowsQueryEvidence : network_interfaces
WindowsQueryEvidence --> "* _recommended_" NetworkInterface : network_interfaces
click NetworkInterface href "../NetworkInterface/"
WindowsQueryEvidence : peripheral_device
WindowsQueryEvidence --> "0..1 _recommended_" PeripheralDevice : peripheral_device
click PeripheralDevice href "../PeripheralDevice/"
WindowsQueryEvidence : process
WindowsQueryEvidence --> "0..1 _recommended_" Process : process
click Process href "../Process/"
WindowsQueryEvidence : query_type
WindowsQueryEvidence : query_type_id
WindowsQueryEvidence --> "1" QueryEvidenceQueryTypeIdEnum : query_type_id
click QueryEvidenceQueryTypeIdEnum href "../QueryEvidenceQueryTypeIdEnum/"
WindowsQueryEvidence : reg_key
WindowsQueryEvidence --> "0..1 _recommended_" RegKey : reg_key
click RegKey href "../RegKey/"
WindowsQueryEvidence : reg_value
WindowsQueryEvidence --> "0..1 _recommended_" RegValue : reg_value
click RegValue href "../RegValue/"
WindowsQueryEvidence : service
WindowsQueryEvidence --> "0..1 _recommended_" Service : service
click Service href "../Service/"
WindowsQueryEvidence : session
WindowsQueryEvidence --> "0..1 _recommended_" Session : session
click Session href "../Session/"
WindowsQueryEvidence : startup_item
WindowsQueryEvidence --> "0..1 _recommended_" StartupItem : startup_item
click StartupItem href "../StartupItem/"
WindowsQueryEvidence : state
WindowsQueryEvidence : tcp_state_id
WindowsQueryEvidence --> "0..1" TcpStateIdEnum : tcp_state_id
click TcpStateIdEnum href "../TcpStateIdEnum/"
WindowsQueryEvidence : user
WindowsQueryEvidence --> "0..1 _recommended_" User : user
click User href "../User/"
WindowsQueryEvidence : users
WindowsQueryEvidence --> "*" User : users
click User href "../User/"
Inheritance
- OcsfObject
- QueryEvidence
- WindowsQueryEvidence
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| reg_key | 0..1 recommended RegKey | The registry key object describes a Windows registry key | direct |
| reg_value | 0..1 recommended RegValue | The registry key object describes a Windows registry value | direct |
| connection_info | 0..1 recommended NetworkConnectionInfo | The network connection information related to a Network Connection query type | QueryEvidence |
| file | 0..1 recommended File | The file that is the target of the query when query_type_id indicates a File query | QueryEvidence |
| folder | 0..1 recommended File | The folder that is the target of the query when query_type_id indicates a Folder query | QueryEvidence |
| group | 0..1 recommended Group | The administrative group that is the target of the query when query_type_id indicates an Admin Group query | QueryEvidence |
| job | 0..1 recommended Job | The job object that pertains to the event when query_type_id indicates a Job query | QueryEvidence |
| kernel | 0..1 recommended Kernel | The kernel object that pertains to the event when query_type_id indicates a Kernel query | QueryEvidence |
| module | 0..1 recommended Module | The module that pertains to the event when query_type_id indicates a Module query | QueryEvidence |
| network_interfaces | * recommended NetworkInterface | The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query | QueryEvidence |
| peripheral_device | 0..1 recommended PeripheralDevice | The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query | QueryEvidence |
| process | 0..1 recommended Process | The process that pertains to the event when query_type_id indicates a Process query | QueryEvidence |
| query_type | 0..1 String | The normalized caption of query_type_id or the source-specific query type | QueryEvidence |
| query_type_id | 1 QueryEvidenceQueryTypeIdEnum | The normalized type of system query performed against a device or system component | QueryEvidence |
| service | 0..1 recommended Service | The service that pertains to the event when query_type_id indicates a Service query | QueryEvidence |
| session | 0..1 recommended Session | The authenticated user or service session when query_type_id indicates a Session query | QueryEvidence |
| startup_item | 0..1 recommended StartupItem | The startup item object that pertains to the event when query_type_id indicates a Startup Item query | QueryEvidence |
| state | 0..1 String | The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source | QueryEvidence |
| tcp_state_id | 0..1 TcpStateIdEnum | The state of the TCP socket for the network connection | QueryEvidence |
| user | 0..1 recommended User | The user that pertains to the event when query_type_id indicates a User query | QueryEvidence |
| users | * User | The users that belong to the administrative group when query_type_id indicates a Users query | QueryEvidence |
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| exactly_one_of | | Exactly one of the following slots is required (required: true): connection_info, file, folder, group, job, kernel, module, network_interfaces, peripheral_device, process, reg_key, reg_value, service, session, startup_item, user | |
In Subsets
- windows_extension_subset
Aliases
- Query Evidence
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"just_one": ["connection_info", "file", "folder", "group", "job", "kernel", "module", "network_interfaces", "peripheral_device", "process", "reg_key", "reg_value", "service", "session", "startup_item", "user"]} |
| ocsf_extension | windows |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:WindowsQueryEvidence |
| native | ocsf:WindowsQueryEvidence |
LinkML Source
Direct
name: WindowsQueryEvidence
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"just_one": ["connection_info", "file", "folder", "group", "job", "kernel", "module", "network_interfaces", "peripheral_device", "process", "reg_key", "reg_value", "service", "session", "startup_item", "user"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: The resulting evidence information that was queried.
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Query Evidence
is_a: QueryEvidence
slots:
- reg_key
- reg_value
slot_usage:
  reg_key:
    name: reg_key
    annotations:
      group:
        tag: group
        value: primary
    description: The registry key object describes a Windows registry key.
    recommended: true
  reg_value:
    name: reg_value
    annotations:
      group:
        tag: group
        value: primary
    description: The registry key object describes a Windows registry value.
    recommended: true
rules:
- postconditions:
    exactly_one_of:
    - slot_conditions:
        connection_info:
          name: connection_info
          required: true
    - slot_conditions:
        file:
          name: file
          required: true
    - slot_conditions:
        folder:
          name: folder
          required: true
    - slot_conditions:
        group:
          name: group
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        kernel:
          name: kernel
          required: true
    - slot_conditions:
        module:
          name: module
          required: true
    - slot_conditions:
        network_interfaces:
          name: network_interfaces
          required: true
    - slot_conditions:
        peripheral_device:
          name: peripheral_device
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        reg_key:
          name: reg_key
          required: true
    - slot_conditions:
        reg_value:
          name: reg_value
          required: true
    - slot_conditions:
        service:
          name: service
          required: true
    - slot_conditions:
        session:
          name: session
          required: true
    - slot_conditions:
        startup_item:
          name: startup_item
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
  description: 'OCSF just_one: exactly one of [''connection_info'', ''file'', ''folder'', ''group'', ''job'', ''kernel'', ''module'', ''network_interfaces'', ''peripheral_device'', ''process'', ''reg_key'', ''reg_value'', ''service'', ''session'', ''startup_item'', ''user''] must be set.'
Induced
name: WindowsQueryEvidence
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"just_one": ["connection_info", "file", "folder", "group", "job", "kernel", "module", "network_interfaces", "peripheral_device", "process", "reg_key", "reg_value", "service", "session", "startup_item", "user"]}'
  ocsf_extension:
    tag: ocsf_extension
    value: windows
description: The resulting evidence information that was queried.
in_subset:
- windows_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Query Evidence
is_a: QueryEvidence
slot_usage:
  reg_key:
    name: reg_key
    annotations:
      group:
        tag: group
        value: primary
    description: The registry key object describes a Windows registry key.
    recommended: true
  reg_value:
    name: reg_value
    annotations:
      group:
        tag: group
        value: primary
    description: The registry key object describes a Windows registry value.
    recommended: true
attributes:
  reg_key:
    name: reg_key
    annotations:
      group:
        tag: group
        value: primary
    description: The registry key object describes a Windows registry key.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry Key
    rank: 1000
    alias: reg_key
    owner: WindowsQueryEvidence
    domain_of:
    - WindowsEvidences
    - WindowsQueryEvidence
    - RegistryKeyActivity
    - RegistryKeyQuery
    range: RegKey
    recommended: true
  reg_value:
    name: reg_value
    annotations:
      group:
        tag: group
        value: primary
    description: The registry key object describes a Windows registry value.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Registry Value
    rank: 1000
    alias: reg_value
    owner: WindowsQueryEvidence
    domain_of:
    - WindowsEvidences
    - WindowsQueryEvidence
    - RegistryValueActivity
    - RegistryValueQuery
    range: RegValue
    recommended: true
  connection_info:
    name: connection_info
    annotations:
      group:
        tag: group
        value: primary
    description: The network connection information related to a Network Connection query type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Connection Info
    rank: 1000
    alias: connection_info
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Evidences
    - FileHosting
    - NetworkConnectionQuery
    - NetworkEvent
    - DnsActivity
    - NetworkFileActivity
    - RdpActivity
    - TunnelActivity
    - NetworkRemediationActivity
    - UnmannedSystemsEvent
    range: NetworkConnectionInfo
    recommended: true
  file:
    name: file
    annotations:
      group:
        tag: group
        value: primary
    description: The file that is the target of the query when query_type_id indicates a File query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: WindowsQueryEvidence
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  folder:
    name: folder
    annotations:
      group:
        tag: group
        value: primary
    description: The folder that is the target of the query when query_type_id indicates a Folder query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Folder
    rank: 1000
    alias: folder
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - FolderQuery
    range: File
    recommended: true
  group:
    name: group
    annotations:
      group:
        tag: group
        value: primary
    description: The administrative group that is the target of the query when query_type_id indicates an Admin Group query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Group
    rank: 1000
    alias: group
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Api
    - ApplicationObject
    - Databucket
    - ManagedEntity
    - Policy
    - ResourceDetails
    - AdminGroupQuery
    - AuthorizeSession
    - GroupManagement
    - LinuxUsersProfile
    range: Group
    recommended: true
  job:
    name: job
    annotations:
      group:
        tag: group
        value: primary
    description: The job object that pertains to the event when query_type_id indicates a Job query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Job
    rank: 1000
    alias: job
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - StartupItem
    - Evidences
    - JobQuery
    - ScheduledJobActivity
    range: Job
    recommended: true
  kernel:
    name: kernel
    annotations:
      group:
        tag: group
        value: primary
    description: The kernel object that pertains to the event when query_type_id indicates a Kernel query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Kernel
    rank: 1000
    alias: kernel
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - KernelObjectQuery
    - KernelActivity
    range: Kernel
    recommended: true
  module:
    name: module
    annotations:
      group:
        tag: group
        value: primary
    description: The module that pertains to the event when query_type_id indicates a Module query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Module
    rank: 1000
    alias: module
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - ModuleQuery
    - ModuleActivity
    - ProcessActivity
    range: Module
    recommended: true
  network_interfaces:
    name: network_interfaces
    annotations:
      group:
        tag: group
        value: primary
    description: The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Network Interfaces
    rank: 1000
    alias: network_interfaces
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Device
    - NetworksQuery
    range: NetworkInterface
    recommended: true
    multivalued: true
  peripheral_device:
    name: peripheral_device
    annotations:
      group:
        tag: group
        value: primary
    description: The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Peripheral Device
    rank: 1000
    alias: peripheral_device
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - PeripheralDeviceQuery
    - PeripheralActivity
    range: PeripheralDevice
    recommended: true
  process:
    name: process
    annotations:
      group:
        tag: group
        value: primary
    description: The process that pertains to the event when query_type_id indicates a Process query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process
    rank: 1000
    alias: process
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - StartupItem
    - Actor
    - Evidences
    - ModuleQuery
    - NetworkConnectionQuery
    - ProcessQuery
    - SecurityFinding
    - ProcessRemediationActivity
    - MemoryActivity
    - ProcessActivity
    range: Process
    recommended: true
  query_type:
    name: query_type
    annotations:
      group:
        tag: group
        value: classification
    description: The normalized caption of query_type_id or the source-specific query type.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Query Type
    rank: 1000
    alias: query_type
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    range: string
  query_type_id:
    name: query_type_id
    annotations:
      group:
        tag: group
        value: classification
    description: The normalized type of system query performed against a device or system component.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Query Type ID
    rank: 1000
    alias: query_type_id
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    range: QueryEvidenceQueryTypeIdEnum
    required: true
  service:
    name: service
    annotations:
      group:
        tag: group
        value: primary
    description: The service that pertains to the event when query_type_id indicates a Service query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Service
    rank: 1000
    alias: service
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Span
    - Trace
    - Api
    - MessageContext
    - ServiceQuery
    - Authentication
    range: Service
    recommended: true
  session:
    name: session
    annotations:
      group:
        tag: group
        value: primary
    description: The authenticated user or service session when query_type_id indicates a Session query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Session
    rank: 1000
    alias: session
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Actor
    - NetworkConnectionInfo
    - Process
    - SessionQuery
    - Authentication
    - AuthorizeSession
    - TunnelActivity
    range: Session
    recommended: true
  startup_item:
    name: startup_item
    annotations:
      group:
        tag: group
        value: primary
    description: The startup item object that pertains to the event when query_type_id indicates a Startup Item query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Startup Item
    rank: 1000
    alias: startup_item
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - StartupItemQuery
    range: StartupItem
    recommended: true
  state:
    name: state
    annotations:
      group:
        tag: group
        value: context
    description: 'The state of the socket, normalized to the caption of the state_id value. In the case of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - State
    rank: 1000
    alias: state
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Scim
    - SecurityState
    - Analytic
    - DigitalSignature
    - Idp
    - DeviceConfigStateChange
    - NetworkConnectionQuery
    - SecurityFinding
    range: string
  tcp_state_id:
    name: tcp_state_id
    annotations:
      group:
        tag: group
        value: context
    description: The state of the TCP socket for the network connection.
    notes:
    - RFC 9293 — https://datatracker.ietf.org/doc/html/rfc9293
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://datatracker.ietf.org/doc/html/rfc9293
    aliases:
    - TCP State ID
    rank: 1000
    alias: tcp_state_id
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    range: TcpStateIdEnum
  user:
    name: user
    annotations:
      group:
        tag: group
        value: primary
    description: The user that pertains to the event when query_type_id indicates a User query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
  users:
    name: users
    annotations:
      group:
        tag: group
        value: context
    description: The users that belong to the administrative group when query_type_id indicates a Users query.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Users
    rank: 1000
    alias: users
    owner: WindowsQueryEvidence
    domain_of:
    - QueryEvidence
    - AdminGroupQuery
    range: User
    multivalued: true
rules:
- postconditions:
    exactly_one_of:
    - slot_conditions:
        connection_info:
          name: connection_info
          required: true
    - slot_conditions:
        file:
          name: file
          required: true
    - slot_conditions:
        folder:
          name: folder
          required: true
    - slot_conditions:
        group:
          name: group
          required: true
    - slot_conditions:
        job:
          name: job
          required: true
    - slot_conditions:
        kernel:
          name: kernel
          required: true
    - slot_conditions:
        module:
          name: module
          required: true
    - slot_conditions:
        network_interfaces:
          name: network_interfaces
          required: true
    - slot_conditions:
        peripheral_device:
          name: peripheral_device
          required: true
    - slot_conditions:
        process:
          name: process
          required: true
    - slot_conditions:
        reg_key:
          name: reg_key
          required: true
    - slot_conditions:
        reg_value:
          name: reg_value
          required: true
    - slot_conditions:
        service:
          name: service
          required: true
    - slot_conditions:
        session:
          name: session
          required: true
    - slot_conditions:
        startup_item:
          name: startup_item
          required: true
    - slot_conditions:
        user:
          name: user
          required: true
  description: 'OCSF just_one: exactly one of [''connection_info'', ''file'', ''folder'', ''group'', ''job'', ''kernel'', ''module'', ''network_interfaces'', ''peripheral_device'', ''process'', ''reg_key'', ''reg_value'', ''service'', ''session'', ''startup_item'', ''user''] must be set.'