Slot: actor
The actor object describes details about the user/role/process that was the
source of the activity. Note that this is not the threat actor of a campaign
but may be part of a campaign.
URI: ocsf:actor
Alias: actor
Applicable Classes
| Name | Description | Modifies Slot |
|---|---|---|
| DiscoveryResult | Discovery Result events report the results of a discovery request | no |
| FileActivity | File System Activity events report when a process performs an action on a fil... | yes |
| HttpActivity | HTTP Activity events report HTTP connection and traffic information | no |
| UnmannedSystemsEvent | The Unmanned Systems event is a generic event that defines a set of attribute... | no |
| WindowsServiceActivity | Windows Service Activity events report when a process interacts with the | no |
| UserAccess | User Access Management events report management updates to a user's privilege... | no |
| ProcessRemediationActivity | Process Remediation Activity events report on attempts at remediating | no |
| ApplicationEvent | | no |
| NetworkActivity | Network Activity events report network connection and traffic activity | no |
| ModuleActivity | Module Activity events report when an endpoint process acts on a | yes |
| Evidences | A collection of evidence artifacts associated to the activity/activities that | yes |
| ServiceQuery | Service Query events report information about running services | no |
| SoftwareInfo | Software Inventory Info events report device software inventory data that is | yes |
| SessionQuery | User Session Query events report information about existing user sessions | no |
| Authentication | Authentication events report authentication session activities, including use... | no |
| AuthorizeSession | Authorize Session events report privileges or groups assigned to a new user | no |
| EmailFileActivity | Email File Activity events report files within emails | no |
| FolderQuery | Folder Query events report information about folders that are present on the | no |
| NetworkConnectionQuery | Network Connection Query events report information about active network | no |
| FileRemediationActivity | File Remediation Activity events report on attempts at remediating files | no |
| WindowsEvidences | Extends the evidences object to add Windows specific fields | no |
| ComplianceFinding | Compliance Finding events describe results of evaluations performed against | no |
| ProcessActivity | Process Activity events report when a process launches, injects, opens or | yes |
| DatastoreActivity | Datastore events describe general activities (Read, Update, Query, Delete, | yes |
| DnsActivity | DNS Activity events report DNS queries and answers as seen on the network | no |
| OsintInventoryInfo | OSINT Inventory Info events report open source intelligence or threat | yes |
| IamEvent | The Identity & Access Management event is a generic event that defines a set ... | yes |
| SecurityFinding | Security Finding events describe findings, detections, anomalies, alerts and/... | no |
| NetworkEvent | Network event is a generic event that defines a set of attributes available i... | no |
| FtpActivity | File Transfer Protocol (FTP) Activity events report file transfers between a | no |
| NetworksQuery | Networks Query events report information about network adapters | no |
| DataSecurityFinding | A Data Security Finding describes detections or alerts generated by various | yes |
| UserQuery | User Query events report user data that have been discovered, queried, polled | no |
| BaseEvent | The base event is a generic and concrete event | no |
| ScriptActivity | Script Activity events report when a process executes a script | no |
| Finding | The Finding event is a generic event that defines a set of attributes availab... | no |
| WebResourceAccessActivity | Web Resource Access Activity events describe successful/failed attempts to | no |
| UserInventory | User Inventory Info events report user inventory data that is either logged o... | yes |
| PeripheralDeviceQuery | Peripheral Device Query events report information about peripheral devices | no |
| PeripheralActivity | Peripheral Activity events log a system's interactions with external, | no |
| WindowsResourceActivity | Windows Resource Activity events report when a process accesses a Windows | no |
| PatchState | Operating System Patch State reports the installation of an OS patch to a | no |
| RegistryKeyActivity | Registry Key Activity events report when a process performs an action on a | yes |
| ApiActivity | API events describe general CRUD (Create, Read, Update, Delete) API activitie... | yes |
| EventLogActvity | Event Log Activity events report actions pertaining to the system's event | yes |
| NetworkRemediationActivity | Network Remediation Activity events report on attempts at remediating compute... | no |
| KernelExtensionActivity | Kernel Extension events report when a driver/extension is loaded or unloaded | yes |
| DhcpActivity | DHCP Activity events report MAC to IP assignment via DHCP from a client or | no |
| InventoryInfo | Device Inventory Info events report device inventory data that is either logg... | yes |
| ApplicationError | Application Error events describe issues with an applications | no |
| KernelObjectQuery | Kernel Object Query events report information about discovered kernel | no |
| RemediationActivity | Remediation Activity events report on attempts at remediating a compromised | no |
| ProcessQuery | Process Query events report information about running processes | no |
| DiscoveryEvent | The Discovery event is a generic event that defines a set of attributes | no |
| HostProfile | The attributes that identify host/device attributes | no |
| VulnerabilityFinding | The Vulnerability Finding event is a notification about weakness in an | no |
| ModuleQuery | Module Query events report information about loaded modules | no |
| AirborneBroadcastActivity | Airborne Broadcast Activity events report the activity of any aircraft or | no |
| NetworkFileActivity | Network File Activity events report file activities traversing the network, | yes |
| SmbActivity | Server Message Block (SMB) Protocol Activity events report client/server | no |
| RdpActivity | Remote Desktop Protocol (RDP) Activity events report post-authentication remo... | no |
| RegistryKeyQuery | Registry Key Query events report information about discovered Windows registr... | no |
| MemoryActivity | Memory Activity events report when a process has memory allocated, | no |
| CloudResourcesInventoryInfo | Cloud Resources Inventory Info events report cloud asset inventory data | no |
| SshActivity | SSH Activity events report remote client connections to a server using the | no |
| AccountChange | Account Change events report when specific user account management tasks are | no |
| TunnelActivity | Tunnel Activity events report secure tunnel establishment (such as VPN), | no |
| DroneFlightsActivity | Drone Flights Activity events report the activity of Unmanned Aerial Systems | no |
| IamAnalysisFinding | This finding represents an IAM analysis result, which evaluates IAM policies, | no |
| EmailUrlActivity | Email URL Activity events report URLs within an email | no |
| StartupItemQuery | Startup Item Query events report information about discovered items, e | no |
| DetectionFinding | A Detection Finding describes detections or alerts generated by security | no |
| EntityManagement | Entity Management events report activity by a managed client, a micro service... | no |
| EmailActivity | Email Activity events report SMTP protocol and email activities including tho... | no |
| RegistryValueQuery | Registry Value Query events report information about discovered Windows | no |
| SystemEvent | The System Activity event is a generic event that defines a set of attributes | yes |
| JobQuery | Job Query events report information about scheduled jobs | no |
| FileHosting | File Hosting Activity events report the actions taken by file management | yes |
| EvidenceInfo | Data collected directly from devices that represents forensic information | no |
| IncidentFinding | An Incident Finding reports the creation, update, or closure of security | no |
| NtpActivity | The Network Time Protocol (NTP) Activity events report instances of remote | no |
| WebResourcesActivity | Web Resources Activity events describe actions executed on a set of Web | no |
| ScheduledJobActivity | Scheduled Job Activity events report activities related to scheduled jobs or | yes |
| KernelActivity | Kernel Activity events report when an process creates, reads, or deletes a | no |
| DeviceConfigStateChange | Device Config State Change events report state changes that impact the securi... | yes |
| ScanActivity | Scan events report the start, completion, and results of a scan job | no |
| AdminGroupQuery | Admin Group Query events report information about administrative groups | no |
| ApplicationSecurityPostureFinding | The Application Security Posture Finding event is a notification about any bu... | no |
| RegistryValueActivity | Registry Value Activity events reports when a process performs an action on a | yes |
| ConfigState | Device Config State events report device configuration data, device | yes |
| GroupManagement | Group Management events report management updates to a group, including updat... | no |
| ApplicationLifecycle | Application Lifecycle events report installation, removal, start, stop of an | no |
| PrefetchQuery | Prefetch Query events report information about Windows prefetch files | no |
| FileQuery | File Query events report information about files that are present on the | no |
Properties
Type and Range
Cardinality and Requirements
| Property | Value |
|---|---|
Aliases
- Actor
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:actor |
| native | ocsf:actor |
LinkML Source
```yaml
name: actor
description: 'The actor object describes details about the user/role/process that
  was the source of the activity. Note that this is not the threat actor of a campaign
  but may be part of a campaign.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
  - Actor
rank: 1000
alias: actor
domain_of:
  - Evidences
  - HostProfile
  - ApiActivity
  - DatastoreActivity
  - FileHosting
  - ConfigState
  - DeviceConfigStateChange
  - InventoryInfo
  - OsintInventoryInfo
  - SoftwareInfo
  - UserInventory
  - DataSecurityFinding
  - IamEvent
  - NetworkFileActivity
  - SystemEvent
  - EventLogActvity
  - FileActivity
  - KernelExtensionActivity
  - ModuleActivity
  - ProcessActivity
  - ScheduledJobActivity
  - RegistryKeyActivity
  - RegistryValueActivity
range: Actor
```