Slot: osint
The OSINT (Open Source Intelligence) object contains details related to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.
URI: ocsf:osint Alias: osint
Applicable Classes
| Name | Description | Modifies Slot |
|---|---|---|
| DiscoveryResult | Discovery Result events report the results of a discovery request | no |
| HttpActivity | HTTP Activity events report HTTP connection and traffic information | no |
| FileActivity | File System Activity events report when a process performs an action on a fil... | no |
| UnmannedSystemsEvent | The Unmanned Systems event is a generic event that defines a set of attribute... | no |
| WindowsServiceActivity | Windows Service Activity events report when a process interacts with the | no |
| UserAccess | User Access Management events report management updates to a user's privilege... | no |
| ProcessRemediationActivity | Process Remediation Activity events report on attempts at remediating | no |
| ApplicationEvent | | no |
| NetworkActivity | Network Activity events report network connection and traffic activity | no |
| ModuleActivity | Module Activity events report when an endpoint process acts on a | no |
| ServiceQuery | Service Query events report information about running services | no |
| SessionQuery | User Session Query events report information about existing user sessions | no |
| SoftwareInfo | Software Inventory Info events report device software inventory data that is | no |
| Authentication | Authentication events report authentication session activities, including use... | no |
| AuthorizeSession | Authorize Session events report privileges or groups assigned to a new user | no |
| EmailFileActivity | Email File Activity events report files within emails | no |
| FolderQuery | Folder Query events report information about folders that are present on the | no |
| NetworkConnectionQuery | Network Connection Query events report information about active network | no |
| FileRemediationActivity | File Remediation Activity events report on attempts at remediating files | no |
| ComplianceFinding | Compliance Finding events describe results of evaluations performed against | no |
| ProcessActivity | Process Activity events report when a process launches, injects, opens or | no |
| DatastoreActivity | Datastore events describe general activities (Read, Update, Query, Delete, | no |
| DnsActivity | DNS Activity events report DNS queries and answers as seen on the network | no |
| OsintInventoryInfo | OSINT Inventory Info events report open source intelligence or threat | yes |
| SecurityFinding | Security Finding events describe findings, detections, anomalies, alerts and/... | no |
| IamEvent | The Identity & Access Management event is a generic event that defines a set ... | no |
| NetworkEvent | Network event is a generic event that defines a set of attributes available i... | no |
| FtpActivity | File Transfer Protocol (FTP) Activity events report file transfers between a | no |
| NetworksQuery | Networks Query events report information about network adapters | no |
| DataSecurityFinding | A Data Security Finding describes detections or alerts generated by various | no |
| UserQuery | User Query events report user data that have been discovered, queried, polled | no |
| BaseEvent | The base event is a generic and concrete event | no |
| ScriptActivity | Script Activity events report when a process executes a script | no |
| Finding | The Finding event is a generic event that defines a set of attributes availab... | no |
| WebResourceAccessActivity | Web Resource Access Activity events describe successful/failed attempts to | no |
| UserInventory | User Inventory Info events report user inventory data that is either logged o... | no |
| PeripheralDeviceQuery | Peripheral Device Query events report information about peripheral devices | no |
| PeripheralActivity | Peripheral Activity events log a system's interactions with external, | no |
| WindowsResourceActivity | Windows Resource Activity events report when a process accesses a Windows | no |
| PatchState | Operating System Patch State reports the installation of an OS patch to a | no |
| RegistryKeyActivity | Registry Key Activity events report when a process performs an action on a | no |
| ApiActivity | API events describe general CRUD (Create, Read, Update, Delete) API activitie... | no |
| EventLogActvity | Event Log Activity events report actions pertaining to the system's event | no |
| NetworkRemediationActivity | Network Remediation Activity events report on attempts at remediating compute... | no |
| KernelExtensionActivity | Kernel Extension events report when a driver/extension is loaded or unloaded | no |
| DhcpActivity | DHCP Activity events report MAC to IP assignment via DHCP from a client or | no |
| InventoryInfo | Device Inventory Info events report device inventory data that is either logg... | no |
| ApplicationError | Application Error events describe issues with an application | no |
| KernelObjectQuery | Kernel Object Query events report information about discovered kernel | no |
| RemediationActivity | Remediation Activity events report on attempts at remediating a compromised | no |
| ProcessQuery | Process Query events report information about running processes | no |
| DiscoveryEvent | The Discovery event is a generic event that defines a set of attributes | no |
| OsintProfile | The OSINT (Open Source Intelligence) profile contains one or more indicators | yes |
| VulnerabilityFinding | The Vulnerability Finding event is a notification about weakness in an | no |
| ModuleQuery | Module Query events report information about loaded modules | no |
| AirborneBroadcastActivity | Airborne Broadcast Activity events report the activity of any aircraft or | no |
| NetworkFileActivity | Network File Activity events report file activities traversing the network, | no |
| SmbActivity | Server Message Block (SMB) Protocol Activity events report client/server | no |
| RdpActivity | Remote Desktop Protocol (RDP) Activity events report post-authentication remo... | no |
| RegistryKeyQuery | Registry Key Query events report information about discovered Windows registr... | no |
| MemoryActivity | Memory Activity events report when a process has memory allocated, | no |
| CloudResourcesInventoryInfo | Cloud Resources Inventory Info events report cloud asset inventory data | no |
| SshActivity | SSH Activity events report remote client connections to a server using the | no |
| AccountChange | Account Change events report when specific user account management tasks are | no |
| TunnelActivity | Tunnel Activity events report secure tunnel establishment (such as VPN), | no |
| DroneFlightsActivity | Drone Flights Activity events report the activity of Unmanned Aerial Systems | no |
| IamAnalysisFinding | This finding represents an IAM analysis result, which evaluates IAM policies, | no |
| EmailUrlActivity | Email URL Activity events report URLs within an email | no |
| StartupItemQuery | Startup Item Query events report information about discovered items, e | no |
| DetectionFinding | A Detection Finding describes detections or alerts generated by security | no |
| EntityManagement | Entity Management events report activity by a managed client, a micro service... | no |
| EmailActivity | Email Activity events report SMTP protocol and email activities including tho... | no |
| RegistryValueQuery | Registry Value Query events report information about discovered Windows | no |
| SystemEvent | The System Activity event is a generic event that defines a set of attributes | no |
| JobQuery | Job Query events report information about scheduled jobs | no |
| FileHosting | File Hosting Activity events report the actions taken by file management | no |
| EvidenceInfo | Data collected directly from devices that represents forensic information | no |
| IncidentFinding | An Incident Finding reports the creation, update, or closure of security | no |
| NtpActivity | The Network Time Protocol (NTP) Activity events report instances of remote | no |
| WebResourcesActivity | Web Resources Activity events describe actions executed on a set of Web | no |
| ScheduledJobActivity | Scheduled Job Activity events report activities related to scheduled jobs or | no |
| KernelActivity | Kernel Activity events report when a process creates, reads, or deletes a | no |
| DeviceConfigStateChange | Device Config State Change events report state changes that impact the securi... | no |
| ScanActivity | Scan events report the start, completion, and results of a scan job | no |
| AdminGroupQuery | Admin Group Query events report information about administrative groups | no |
| ApplicationSecurityPostureFinding | The Application Security Posture Finding event is a notification about any bu... | no |
| RegistryValueActivity | Registry Value Activity events report when a process performs an action on a | no |
| ConfigState | Device Config State events report device configuration data, device | no |
| GroupManagement | Group Management events report management updates to a group, including updat... | no |
| ApplicationLifecycle | Application Lifecycle events report installation, removal, start, stop of an | no |
| PrefetchQuery | Prefetch Query events report information about Windows prefetch files | no |
| FileQuery | File Query events report information about files that are present on the | no |
Properties
Type and Range
| Property | Value |
|---|---|
| Range | Osint |
| Domain Of | OsintProfile, OsintInventoryInfo |
Cardinality and Requirements
| Property | Value |
|---|---|
| Multivalued | Yes |
Aliases
- OSINT
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:osint |
| native | ocsf:osint |
LinkML Source
```yaml
name: osint
description: 'The OSINT (Open Source Intelligence) object contains details related
  to an
  indicator such as the indicator itself, related indicators, geolocation,
  registrar information, subdomains, analyst commentary, and other contextual
  information. This information can be used to further enrich a detection or
  finding by providing decisioning support to other analysts and engineers.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OSINT
rank: 1000
alias: osint
domain_of:
- OsintProfile
- OsintInventoryInfo
range: Osint
multivalued: true
```