Slot: status_code
The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
URI: ocsf:status_code

Alias: status_code
Applicable Classes
| Name | Description | Modifies Slot |
|---|---|---|
| DiscoveryResult | Discovery Result events report the results of a discovery request | no |
| HttpActivity | HTTP Activity events report HTTP connection and traffic information | no |
| FileActivity | File System Activity events report when a process performs an action on a fil... | no |
| UnmannedSystemsEvent | The Unmanned Systems event is a generic event that defines a set of attribute... | no |
| WindowsServiceActivity | Windows Service Activity events report when a process interacts with the | no |
| UserAccess | User Access Management events report management updates to a user's privilege... | no |
| ProcessRemediationActivity | Process Remediation Activity events report on attempts at remediating | no |
| ApplicationEvent | | no |
| NetworkActivity | Network Activity events report network connection and traffic activity | no |
| ModuleActivity | Module Activity events report when an endpoint process acts on a | no |
| ServiceQuery | Service Query events report information about running services | no |
| SessionQuery | User Session Query events report information about existing user sessions | no |
| SoftwareInfo | Software Inventory Info events report device software inventory data that is | no |
| Authentication | Authentication events report authentication session activities, including use... | no |
| AuthorizeSession | Authorize Session events report privileges or groups assigned to a new user | no |
| EmailFileActivity | Email File Activity events report files within emails | no |
| FolderQuery | Folder Query events report information about folders that are present on the | no |
| NetworkConnectionQuery | Network Connection Query events report information about active network | no |
| FileRemediationActivity | File Remediation Activity events report on attempts at remediating files | no |
| ComplianceFinding | Compliance Finding events describe results of evaluations performed against | no |
| ProcessActivity | Process Activity events report when a process launches, injects, opens or | no |
| DatastoreActivity | Datastore events describe general activities (Read, Update, Query, Delete, | no |
| DnsActivity | DNS Activity events report DNS queries and answers as seen on the network | no |
| OsintInventoryInfo | OSINT Inventory Info events report open source intelligence or threat | no |
| SecurityFinding | Security Finding events describe findings, detections, anomalies, alerts and/... | no |
| IamEvent | The Identity & Access Management event is a generic event that defines a set ... | no |
| NetworkEvent | Network event is a generic event that defines a set of attributes available i... | no |
| FtpActivity | File Transfer Protocol (FTP) Activity events report file transfers between a | no |
| NetworksQuery | Networks Query events report information about network adapters | no |
| DataSecurityFinding | A Data Security Finding describes detections or alerts generated by various | no |
| UserQuery | User Query events report user data that have been discovered, queried, polled | no |
| BaseEvent | The base event is a generic and concrete event | yes |
| ScriptActivity | Script Activity events report when a process executes a script | no |
| Finding | The Finding event is a generic event that defines a set of attributes availab... | no |
| WebResourceAccessActivity | Web Resource Access Activity events describe successful/failed attempts to | no |
| UserInventory | User Inventory Info events report user inventory data that is either logged o... | no |
| PeripheralDeviceQuery | Peripheral Device Query events report information about peripheral devices | no |
| PeripheralActivity | Peripheral Activity events log a system's interactions with external, | no |
| WindowsResourceActivity | Windows Resource Activity events report when a process accesses a Windows | no |
| PatchState | Operating System Patch State reports the installation of an OS patch to a | no |
| RegistryKeyActivity | Registry Key Activity events report when a process performs an action on a | no |
| EventLogActvity | Event Log Activity events report actions pertaining to the system's event | yes |
| ApiActivity | API events describe general CRUD (Create, Read, Update, Delete) API activitie... | no |
| NetworkRemediationActivity | Network Remediation Activity events report on attempts at remediating compute... | no |
| KernelExtensionActivity | Kernel Extension events report when a driver/extension is loaded or unloaded | no |
| DhcpActivity | DHCP Activity events report MAC to IP assignment via DHCP from a client or | no |
| InventoryInfo | Device Inventory Info events report device inventory data that is either logg... | no |
| ApplicationError | Application Error events describe issues with an applications | no |
| KernelObjectQuery | Kernel Object Query events report information about discovered kernel | no |
| RemediationActivity | Remediation Activity events report on attempts at remediating a compromised | no |
| ProcessQuery | Process Query events report information about running processes | no |
| DiscoveryEvent | The Discovery event is a generic event that defines a set of attributes | no |
| VulnerabilityFinding | The Vulnerability Finding event is a notification about weakness in an | no |
| ModuleQuery | Module Query events report information about loaded modules | no |
| AirborneBroadcastActivity | Airborne Broadcast Activity events report the activity of any aircraft or | no |
| NetworkFileActivity | Network File Activity events report file activities traversing the network, | no |
| SmbActivity | Server Message Block (SMB) Protocol Activity events report client/server | no |
| RdpActivity | Remote Desktop Protocol (RDP) Activity events report post-authentication remo... | no |
| RegistryKeyQuery | Registry Key Query events report information about discovered Windows registr... | no |
| MemoryActivity | Memory Activity events report when a process has memory allocated, | no |
| CloudResourcesInventoryInfo | Cloud Resources Inventory Info events report cloud asset inventory data | no |
| SshActivity | SSH Activity events report remote client connections to a server using the | no |
| AccountChange | Account Change events report when specific user account management tasks are | no |
| TunnelActivity | Tunnel Activity events report secure tunnel establishment (such as VPN), | no |
| DroneFlightsActivity | Drone Flights Activity events report the activity of Unmanned Aerial Systems | no |
| IamAnalysisFinding | This finding represents an IAM analysis result, which evaluates IAM policies, | no |
| EmailUrlActivity | Email URL Activity events report URLs within an email | no |
| StartupItemQuery | Startup Item Query events report information about discovered items, e | no |
| DetectionFinding | A Detection Finding describes detections or alerts generated by security | no |
| EntityManagement | Entity Management events report activity by a managed client, a micro service... | no |
| EmailActivity | Email Activity events report SMTP protocol and email activities including tho... | no |
| RegistryValueQuery | Registry Value Query events report information about discovered Windows | no |
| SystemEvent | The System Activity event is a generic event that defines a set of attributes | no |
| JobQuery | Job Query events report information about scheduled jobs | no |
| FileHosting | File Hosting Activity events report the actions taken by file management | no |
| EvidenceInfo | Data collected directly from devices that represents forensic information | no |
| IncidentFinding | An Incident Finding reports the creation, update, or closure of security | no |
| NtpActivity | The Network Time Protocol (NTP) Activity events report instances of remote | no |
| WebResourcesActivity | Web Resources Activity events describe actions executed on a set of Web | no |
| ScheduledJobActivity | Scheduled Job Activity events report activities related to scheduled jobs or | no |
| KernelActivity | Kernel Activity events report when an process creates, reads, or deletes a | no |
| DeviceConfigStateChange | Device Config State Change events report state changes that impact the securi... | no |
| Span | Represents a single unit of work or operation within a distributed trace | yes |
| ScanActivity | Scan events report the start, completion, and results of a scan job | no |
| AdminGroupQuery | Admin Group Query events report information about administrative groups | no |
| ApplicationSecurityPostureFinding | The Application Security Posture Finding event is a notification about any bu... | no |
| RegistryValueActivity | Registry Value Activity events reports when a process performs an action on a | no |
| ConfigState | Device Config State events report device configuration data, device | no |
| GroupManagement | Group Management events report management updates to a group, including updat... | no |
| ApplicationLifecycle | Application Lifecycle events report installation, removal, start, stop of an | no |
| Compliance | The Compliance object contains information about Industry and Regulatory | yes |
| PrefetchQuery | Prefetch Query events report information about Windows prefetch files | no |
| FileQuery | File Query events report information about files that are present on the | no |
Properties
Type and Range
| Property | Value |
|---|---|
| Range | String |
| Domain Of | Span, Compliance, BaseEvent, EventLogActvity |
Cardinality and Requirements
| Property | Value |
|---|---|
Aliases
- Status Code
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:status_code |
| native | ocsf:status_code |
LinkML Source
```yaml
name: status_code
description: 'The event status code, as reported by the event source.<br /><br />For
  example,

  in a Windows Failed Authentication event, this would be the value of ''Failure
  Code'', e.g. 0x18.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Code
rank: 1000
alias: status_code
domain_of:
- Span
- Compliance
- BaseEvent
- EventLogActvity
range: string
```