| Service | The Service object describes characteristics of a service, e | yes |
| HttpHeader | The HTTP Header object represents the headers sent in an HTTP request or | yes |
| Table | The table object represents a table within a structured relational database o... | yes |
| KeyValueObject | A generic object for defining a {key:value} pair | yes |
| Trait | Describes a characteristic or feature of an entity that was observed | yes |
| WindowsProcess | Extends the process object to add Windows specific fields | no |
| Mitigation | The MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID | yes |
| Process | The Process object describes a running instance of a launched program | no |
| Entity | The Entity object is an unordered collection of attributes, with a name and | yes |
| D3fTactic | The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is | yes |
| Evidences | A collection of evidence artifacts associated with the activity/activities that | yes |
| Os | The Operating System (OS) object describes characteristics of an OS, such as | yes |
| CisBenchmarkResult | The CIS Benchmark Result object contains information as defined by the Center | yes |
| ClassifierDetails | The Classifier Details object describes details about the classifier used for | yes |
| WinService | The Windows Service object describes a Windows service | yes |
| SoftwareComponent | The Software Component object describes characteristics of a software compone... | yes |
| MacosProcess | Extends the process object to add macOS specific fields | no |
| Rule | The Rule object describes characteristics of a rule associated with a policy ... | yes |
| MessageContext | Communication context for AI system interactions including protocols, roles, | yes |
| AnalysisTarget | The analysis target defines the scope of monitored activities, specifying wha... | yes |
| Enrichment | The Enrichment object provides inline enrichment data for specific attributes | yes |
| WindowsEvidences | Extends the evidences object to add Windows specific fields | no |
| AuthenticationToken | The Authentication Token object extends the base token object an... | no |
| Group | The Group object represents a collection or association of entities, such as | yes |
| WebResource | The Web Resource object describes characteristics of a web resource that was | yes |
| Image | The Image object provides a description of a specific Virtual Machine (VM) or | yes |
| Agent | An Agent (also known as a Sensor) is typically installed on an Operating Syst... | yes |
| FtpActivity | File Transfer Protocol (FTP) Activity events report file transfers between a | yes |
| Aircraft | The Aircraft object represents any aircraft or otherwise airborne asset such ... | yes |
| ManagedEntity | The Managed Entity object describes the type and version of an entity, such a... | yes |
| HttpCookie | The HTTP Cookie object, also known as a web cookie or browser cookie, contain... | yes |
| MalwareScanInfo | The malware scan information object describes characteristics, metadata of a | no |
| WindowsStartupItem | The startup item object describes an application component that has associate... | no |
| Scim | The System for Cross-domain Identity Management (SCIM) Configuration object | yes |
| Tactic | The MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name | yes |
| NetworkEndpoint | The Network Endpoint object describes characteristics of a network endpoint | no |
| Observable | The observable object is a pivot element that contains related information | yes |
| Analytic | The Analytic object contains details about the analytic technique used to | yes |
| Script | The Script object describes a script or command that can be executed by a | yes |
| RegValue | The registry value object describes a Windows registry value | yes |
| Job | The Job object provides information about a scheduled job or task, including | yes |
| LoadBalancer | The load balancer object describes the load balancer entity and contains | yes |
| Extension | The OCSF Schema Extension object provides detailed information about the sche... | yes |
| Campaign | Campaigns represent organized efforts by threat actors to achieve malicious | yes |
| Device | The Device object represents an addressable computer system or host, which is | yes |
| UnmannedAerialSystem | The Unmanned Aerial System object describes the characteristics, Position | yes |
| AffectedPackage | The Affected Package object describes details about a software package | no |
| Malware | The Malware object describes the classification of known malicious software, | yes |
| Sso | The Single Sign-On (SSO) object provides a structure for normalizing SSO | yes |
| AiModel | The AI Model object describes the characteristics of an AI/ML model | yes |
| PeripheralDevice | The peripheral device object describes the properties of external, connectabl... | yes |
| Parameter | The Parameter object provides details regarding a parameter of a function | yes |
| Feature | The Feature object provides information about the software product feature th... | yes |
| Databucket | The databucket object is a basic container that holds data, typically organiz... | yes |
| ServicePrivilegeAnalysis | The Service Privilege Analysis object describes privilege analysis results fo... | yes |
| Product | The Product object describes characteristics of a software product | yes |
| File | The File object represents the metadata associated with a file stored in a | yes |
| Database | The database object is used for databases which are typically datastore | yes |
| Check | The check object defines a specific, testable compliance verification point | yes |
| Container | The Container object describes an instance of a specific container | yes |
| CisBenchmark | The CIS Benchmark object describes best practices for securely configuring IT | yes |
| Scan | The Scan object describes characteristics of a proactive scan | yes |
| ResourceDetails | The Resource Details object describes details about resources that were | yes |
| D3fTechnique | The MITRE D3FEND™ Technique object describes the leaf defensive technique ID | yes |
| Account | The Account object contains details about the account that initiated or | yes |
| Package | The Software Package object describes details about a software package | yes |
| StartupItem | The startup item object describes an application component that has associate... | yes |
| WinResource | The Windows resource object describes a resource object managed by Windows, | yes |
| TransformationInfo | The transformation_info object represents the mapping or transformation used | yes |
| Graph | A graph data structure representation with nodes and edges | yes |
| CisControl | The CIS Control (aka Critical Security Control) object describes a prioritize... | yes |
| Kernel | The Kernel Resource object provides information about a specific kernel | yes |
| ProcessEntity | The Process Entity object provides critical fields for referencing a process | yes |
| PrivilegeInfo | The Privilege Info object describes information about a specific privilege, | yes |
| Reporter | The entity from which an event or finding was reported | yes |
| Organization | The Organization object describes characteristics of an organization or compa... | yes |
| Edge | Represents a connection or relationship between two nodes in a graph | yes |
| Node | Represents a node or a vertex in a graph structure | yes |
| QueryInfo | The query info object holds information related to data access within a | yes |
| Logger | The Logger object represents the device and product where events are stored | yes |
| Metric | The Metric object defines a simple name/value pair entity for a metric | yes |
| Osint | The OSINT (Open Source Intelligence) object contains details related to an | yes |
| NetworkInterface | The Network Interface object describes the type and associated attributes of ... | yes |
| NetworkProxy | The network proxy endpoint object describes a proxy server, which acts as an | no |
| DomainContact | The contact information related to a domain registration, e | yes |
| LinuxProcess | Extends the process object to add Linux specific fields | no |
| Idp | The Identity Provider object contains detailed information about a provider | yes |
| ThreatActor | Threat actor is responsible for the observed malicious activity | yes |
| Technique | The MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/o... | yes |
| User | The User object describes the characteristics of a user/person or a security | yes |
| Resource | The Resource object contains attributes that provide information about a | yes |
| ApplicationObject | An Application describes the details for an inventoried application as report... | yes |
| Policy | The Policy object describes the policies that are applicable | yes |
| Endpoint | The Endpoint object describes a physical or virtual device that connects to a... | yes |
| San | The Subject Alternative Name (SAN) object describes a SAN secured by a digita... | yes |
| AutonomousSystem | An autonomous system (AS) is a collection of connected Internet Protocol (IP) | yes |
| FirewallRule | The Firewall Rule object represents a specific rule within a firewall policy ... | no |
| EnvironmentVariable | An environment variable | yes |
| Token | The Token object is the base object for representing tokens, API keys, and | yes |
| PrefetchQuery | Prefetch Query events report information about Windows prefetch files | yes |
| Assessment | The Assessment object describes a point-in-time assessment, check, or | yes |
| SubTechnique | The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ... | yes |