Subset: objects_subset
Reusable OCSF object definitions (mirrors upstream objects/ directory).
URI: objects_subset
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Classes in subset
| Class | Description |
|---|---|
| AccessAnalysisResult | The Access Analysis Result object describes access relationships and pathways |
| Account | The Account object contains details about the account that initiated or |
| Actor | The Actor object contains details about the user, role, application, service, |
| AdditionalRestriction | The Additional Restriction object describes supplementary access controls and |
| Advisory | The Advisory object represents publicly disclosed cybersecurity vulnerabiliti... |
| AffectedCode | The Affected Code object describes details about a code block identified as |
| AffectedPackage | The Affected Package object describes details about a software package |
| Agent | An Agent (also known as a Sensor) is typically installed on an Operating Syst... |
| AiModel | The AI Model object describes the characteristics of an AI/ML model |
| Aircraft | The Aircraft object represents any aircraft or otherwise airborne asset such ... |
| AnalysisTarget | The analysis target defines the scope of monitored activities, specifying wha... |
| Analytic | The Analytic object contains details about the analytic technique used to |
| Anomaly | Describes an anomaly or deviation detected in a system |
| AnomalyAnalysis | Describes the analysis of activity patterns and anomalies of target entities ... |
| Api | The API, or Application Programming Interface, object represents information |
| ApplicationObject | An Application describes the details for an inventoried application as report... |
| Assessment | The Assessment object describes a point-in-time assessment, check, or |
| Attack | The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique, |
| AuthenticationToken | The Authentication Token object extends the base token object an... |
| AuthFactor | An Authentication Factor object describes a category of methods used for |
| Authorization | The Authorization Result object provides details about the authorization |
| AutonomousSystem | An autonomous system (AS) is a collection of connected Internet Protocol (IP) |
| Baseline | Describes the baseline or expected behavior of a system, service, or componen... |
| Campaign | Campaigns represent organized efforts by threat actors to achieve malicious |
| Certificate | The Digital Certificate, also known as a Public Key Certificate, object |
| Check | The check object defines a specific, testable compliance verification point |
| CisBenchmark | The CIS Benchmark object describes best practices for securely configuring IT |
| CisBenchmarkResult | The CIS Benchmark Result object contains information as defined by the Center |
| CisControl | The CIS Control (aka Critical Security Control) object describes a prioritize... |
| CisCsc | The CIS Critical Security Control (CSC) contains information as defined by th... |
| ClassifierDetails | The Classifier Details object describes details about the classifier used for |
| Cloud | The Cloud object describes the cloud computing environment where an event or |
| Compliance | The Compliance object contains information about Industry and Regulatory |
| Container | The Container object describes an instance of a specific container |
| Cve | The Common Vulnerabilities and Exposures (CVE) object represents publicly |
| Cvss | The Common Vulnerability Scoring System... |
| Cwe | The CWE object represents a weakness in a software system that can be exploit... |
| D3fend | The MITRE D3FEND™ object describes the tactic & technique associated with a |
| D3fTactic | The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is |
| D3fTechnique | The MITRE D3FEND™ Technique object describes the leaf defensive technique ID |
| Database | The database object is used for databases which are typically datastore |
| Databucket | The databucket object is a basic container that holds data, typically organiz... |
| DataClassification | The Data Classification object includes information about data classification |
| DataSecurity | The Data Security object describes the characteristics, techniques and conten... |
| DceRpc | The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, obje... |
| Device | The Device object represents an addressable computer system or host, which is |
| DeviceHwInfo | The Device Hardware Information object contains details and specifications of |
| DigitalSignature | The Digital Signature object contains information about the cryptographic |
| DiscoveryDetails | The Discovery Details object describes results of a discovery task/job |
| Display | The Display object contains information about the physical or virtual display |
| Dns | The Domain Name System (DNS) object represents the shared information |
| DnsAnswer | The DNS Answer object represents a specific response provided by the Domain |
| DnsQuery | The DNS query object represents a specific request made to the Domain Name |
| DomainContact | The contact information related to a domain registration, e.g. ... |
| Edge | Represents a connection or relationship between two nodes in a graph |
| Email | The Email object describes the email metadata such as sender, recipients, and |
| EmailAuth | The Email Authentication object describes the Sender Policy Framework (SPF), |
| EncryptionDetails | Details about the encryption methodology utilized |
| Endpoint | The Endpoint object describes a physical or virtual device that connects to a... |
| EndpointConnection | The Endpoint Connection object contains information detailing a connection |
| Enrichment | The Enrichment object provides inline enrichment data for specific attributes |
| Entity | The Entity object is an unordered collection of attributes, with a name and |
| EnvironmentVariable | An environment variable |
| Epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated |
| Evidences | A collection of evidence artifacts associated to the activity/activities that |
| Extension | The OCSF Schema Extension object provides detailed information about the sche... |
| Feature | The Feature object provides information about the software product feature th... |
| File | The File object represents the metadata associated with a file stored in a |
| FindingInfo | The Finding Information object describes metadata related to a security findi... |
| FindingObject | The Finding object describes metadata related to a security finding generated |
| Fingerprint | The Fingerprint object provides detailed information about a fingerprint, whi... |
| FirewallRule | The Firewall Rule object represents a specific rule within a firewall policy ... |
| FunctionInvocation | The Function Invocation object provides details regarding the invocation of a |
| GpuInfo | The GPU information object contains attributes describing graphical processin... |
| Graph | A graph data structure representation with nodes and edges |
| Group | The Group object represents a collection or association of entities, such as |
| Hassh | The HASSH object contains SSH network fingerprinting values for specific |
| HttpCookie | The HTTP Cookie object, also known as a web cookie or browser cookie, contain... |
| HttpHeader | The HTTP Header object represents the headers sent in an HTTP request or |
| HttpRequest | The HTTP Request object represents the attributes of a request made to a web |
| HttpResponse | The HTTP Response object contains detailed information about the response sen... |
| IdentityActivityMetrics | The Identity Activity Metrics object captures usage patterns, authentication |
| Idp | The Identity Provider object contains detailed information about a provider |
| Image | The Image object provides a description of a specific Virtual Machine (VM) or |
| Ja4Fingerprint | The JA4+ fingerprint object provides detailed fingerprint information about |
| Job | The Job object provides information about a scheduled job or task, including |
| KbArticle | The KB Article object contains metadata that describes the patch or update |
| Kernel | The Kernel Resource object provides information about a specific kernel |
| KernelDriver | The Kernel Extension object describes a kernel driver that has been loaded or |
| KeyboardInfo | The Keyboard Information object contains details and attributes related to a |
| KeyValueObject | A generic object allowing to define a {key:value} pair |
| KillChainPhase | The Kill Chain Phase object represents a single phase of a cyber attack, |
| LdapPerson | The additional LDAP attributes that describe a person |
| LoadBalancer | The load balancer object describes the load balancer entity and contains |
| Location | The Geo Location object describes a geographical location, usually associated |
| Logger | The Logger object represents the device and product where events are stored |
| LongString | This object is used to capture strings which may be truncated by a security |
| Malware | The Malware object describes the classification of known malicious software, |
| MalwareScanInfo | The malware scan information object describes characteristics, metadata of a |
| ManagedEntity | The Managed Entity object describes the type and version of an entity, such a... |
| MessageContext | Communication context for AI system interactions including protocols, roles, |
| Metadata | The Metadata object describes the metadata associated with the event |
| Metric | The Metric object defines a simple name/value pair entity for a metric |
| Mitigation | The MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID |
| Module | The Module object describes the attributes of a module |
| NetworkConnectionInfo | The Network Connection Information object describes characteristics of an OSI |
| NetworkEndpoint | The Network Endpoint object describes characteristics of a network endpoint |
| NetworkInterface | The Network Interface object describes the type and associated attributes of ... |
| NetworkProxy | The network proxy endpoint object describes a proxy server, which acts as an |
| NetworkTraffic | The Network Traffic object describes characteristics of network traffic over ... |
| Node | Represents a node or a vertex in a graph structure |
| Object | An unordered collection of attributes |
| Observable | The observable object is a pivot element that contains related information |
| Observation | A record of an observed value or event that captures the timing and frequency |
| OccurrenceDetails | Details about where in the target entity, specified information was discovere... |
| OcsfObject | Abstract root for every OCSF object class |
| Organization | The Organization object describes characteristics of an organization or compa... |
| Os | The Operating System (OS) object describes characteristics of an OS, such as |
| Osint | The OSINT (Open Source Intelligence) object contains details related to an |
| Package | The Software Package object describes details about a software package |
| Packet | The Packet object represents a single captured network packet and its |
| Parameter | The Parameter object provides details regarding a parameter of a function |
| PeripheralDevice | The peripheral device object describes the properties of external, connectabl... |
| PermissionAnalysisResult | The Permission Analysis object describes analysis results of permissions, |
| Policy | The Policy object describes the policies that are applicable |
| PortInfo | The Port Information object describes a port and its associated protocol |
| PrivilegeAttackInfo | The Privilege Attack Info object groups privileges by the potential attack th... |
| PrivilegeInfo | The Privilege Info object describes information about a specific privilege, |
| Process | The Process object describes a running instance of a launched program |
| ProcessEntity | The Process Entity object provides critical fields for referencing a process |
| Product | The Product object describes characteristics of a software product |
| ProgrammaticCredential | The Programmatic Credential object describes service-specific credentials use... |
| QueryEvidence | The specific resulting evidence information that was queried or discovered |
| QueryInfo | The query info object holds information related to data access within a |
| RelatedEvent | The Related Event object describes an event or another finding related to a |
| Remediation | The Remediation object describes the recommended remediation steps to address |
| Reporter | The entity from which an event or finding was reported |
| Reputation | The Reputation object describes the reputation/risk score of an entity (e.g. ... |
| Request | The Request Elements object describes characteristics of an API request |
| Resource | The Resource object contains attributes that provide information about a |
| ResourceDetails | The Resource Details object describes details about resources that were |
| Response | The Response Elements object describes characteristics of an API response |
| RpcInterface | The RPC Interface represents the remote procedure call interface used in the |
| Rule | The Rule object describes characteristics of a rule associated with a policy ... |
| San | The Subject Alternative name (SAN) object describes a SAN secured by a digita... |
| Sbom | The Software Bill of Materials object describes characteristics of a generate... |
| Scan | The Scan object describes characteristics of a proactive scan |
| Scim | The System for Cross-domain Identity Management (SCIM) Configuration object |
| Script | The Script object describes a script or command that can be executed by a |
| SecurityState | The Security State object describes the security related state of a managed |
| Service | The Service object describes characteristics of a service, e.g. ... |
| ServicePrivilegeAnalysis | The Service Privilege Analysis object describes privilege analysis results fo... |
| Session | The Session object describes details about an authenticated session |
| SoftwareComponent | The Software Component object describes characteristics of a software compone... |
| Span | Represents a single unit of work or operation within a distributed trace |
| Sso | The Single Sign-On (SSO) object provides a structure for normalizing SSO |
| StartupItem | The startup item object describes an application component that has associate... |
| SubTechnique | The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ... |
| Table | The table object represents a table within a structured relational database o... |
| Tactic | The MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name |
| Technique | The MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/o... |
| ThreatActor | Threat actor is responsible for the observed malicious activity |
| Ticket | The Ticket object represents a ticket in the customer's IT Service Management |
| Timespan | The Time Span object represents different time period durations |
| Tls | The Transport Layer Security (TLS) object describes the negotiated TLS protoc... |
| TlsExtension | The TLS Extension object describes additional attributes that extend the base |
| Token | The Token object is the base object for representing tokens, API keys, and |
| Trace | The trace object contains information about a distributed trace, which is |
| Trait | Describes a characteristic or feature of an entity that was observed |
| TransformationInfo | The transformation_info object represents the mapping or transformation used |
| UnmannedAerialSystem | The Unmanned Aerial System object describes the characteristics, Position |
| UnmannedSystemOperatingArea | The Unmanned System Operating Area object describes details about a precise |
| Url | The Uniform Resource Locator (URL) object describes the characteristics of a |
| User | The User object describes the characteristics of a user/person or a security |
| VendorAttributes | The Vendor Attributes object can be used to represent values of attributes |
| Vulnerability | The vulnerability is an unintended characteristic of a computing component or |
| WebResource | The Web Resource object describes characteristics of a web resource that was |
| Whois | The resources of a WHOIS record for a given domain |