diff --git a/export/qdm-1.2.3.json b/export/qdm-1.2.3.json
new file mode 100644
index 000000000..2c05008ef
--- /dev/null
+++ b/export/qdm-1.2.3.json
@@ -0,0 +1,49120 @@
+{
+ "base_event": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "0": {
+ "caption": "Uncategorized"
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Base Event",
+ "category": "other",
+ "description": "The base event is a generic concrete event and it also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.",
+ "extends": null,
+ "name": "base_event",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ]
+ },
+ "categories": {
+ "application": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services.",
+ "uid": 6
+ },
+ "discovery": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.",
+ "uid": 5
+ },
+ "findings": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.",
+ "is_array": true,
+ "type": "finding",
+ "uid": 2
+ },
+ "iam": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.",
+ "uid": 3
+ },
+ "network": {
+ "caption": "Network Activity",
+ "description": "Network Activity events.",
+ "uid": 4
+ },
+ "system": {
+ "caption": "System Activity",
+ "description": "System Activity events.",
+ "uid": 1
+ }
+ },
+ "classes": {
+ "account_change": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A user/role was created."
+ },
+ "10": {
+ "caption": "MFA Factor Enable",
+ "description": "An authentication factor was enabled for an account."
+ },
+ "11": {
+ "caption": "MFA Factor Disable",
+ "description": "An authentication factor was disabled for an account."
+ },
+ "2": {
+ "caption": "Enable",
+ "description": "A user/role was enabled."
+ },
+ "3": {
+ "caption": "Password Change",
+ "description": "An attempt was made to change an account's password."
+ },
+ "4": {
+ "caption": "Password Reset",
+ "description": "An attempt was made to reset an account's password."
+ },
+ "5": {
+ "caption": "Disable",
+ "description": "A user/role was disabled."
+ },
+ "6": {
+ "caption": "Delete",
+ "description": "A user/role was deleted."
+ },
+ "7": {
+ "caption": "Attach Policy",
+ "description": "An IAM Policy was attached to a user/role."
+ },
+ "8": {
+ "caption": "Detach Policy",
+ "description": "An IAM Policy was detached from a user/role."
+ },
+ "9": {
+ "caption": "Lock",
+ "description": "A user account was locked out."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "context",
+ "profile": null,
+ "requirement": "recommended",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3001": {
+ "caption": "Account Change",
+ "description": "Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "Details about the IAM policy associated to the Attach/Detach Policy activities.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "policy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "300100": {
+ "caption": "Account Change: Unknown"
+ },
+ "300101": {
+ "caption": "Account Change: Create"
+ },
+ "300102": {
+ "caption": "Account Change: Enable"
+ },
+ "300103": {
+ "caption": "Account Change: Password Change"
+ },
+ "300104": {
+ "caption": "Account Change: Password Reset"
+ },
+ "300105": {
+ "caption": "Account Change: Disable"
+ },
+ "300106": {
+ "caption": "Account Change: Delete"
+ },
+ "300107": {
+ "caption": "Account Change: Attach Policy"
+ },
+ "300108": {
+ "caption": "Account Change: Detach Policy"
+ },
+ "300109": {
+ "caption": "Account Change: Lock"
+ },
+ "300110": {
+ "caption": "Account Change: MFA Factor Enable"
+ },
+ "300111": {
+ "caption": "Account Change: MFA Factor Disable"
+ },
+ "300199": {
+ "caption": "Account Change: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user that was a target of an activity.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "required",
+ "type": "user"
+ },
+ "user_result": {
+ "caption": "User Result",
+ "description": "The result of the user account change. It should contain the new values of the changed attributes.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ }
+ },
+ "caption": "Account Change",
+ "category": "iam",
+ "description": "Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.",
+ "extends": "iam",
+ "name": "account_change",
+ "profiles": [
+ "host"
+ ],
+ "uid": 1
+ },
+ "api_activity": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "The API call in the event pertains to a 'create' activity."
+ },
+ "2": {
+ "caption": "Read",
+ "description": "The API call in the event pertains to a 'read' activity."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "The API call in the event pertains to a 'update' activity."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "The API call in the event pertains to a 'delete' activity."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor that performed the operation or the action.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "primary",
+ "profile": null,
+ "requirement": "required",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6003": {
+ "caption": "API Activity",
+ "description": "API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The network destination endpoint.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying http request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resources": {
+ "caption": "Resources Array",
+ "description": "Details about resources that were affected by the activity/event.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the activity.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600300": {
+ "caption": "API Activity: Unknown"
+ },
+ "600301": {
+ "caption": "API Activity: Create"
+ },
+ "600302": {
+ "caption": "API Activity: Read"
+ },
+ "600303": {
+ "caption": "API Activity: Update"
+ },
+ "600304": {
+ "caption": "API Activity: Delete"
+ },
+ "600399": {
+ "caption": "API Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "API Activity",
+ "category": "application",
+ "description": "API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)",
+ "extends": "application",
+ "name": "api_activity",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ],
+ "uid": 3
+ },
+ "application": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor that performed the operation or the action.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Application Activity",
+ "category": "application",
+ "description": "The base event is a generic concrete event and it also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.",
+ "extends": "base_event",
+ "name": "application",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ]
+ },
+ "application_lifecycle": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Install"
+ },
+ "2": {
+ "caption": "Remove"
+ },
+ "3": {
+ "caption": "Start"
+ },
+ "4": {
+ "caption": "Stop"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app": {
+ "caption": "Application",
+ "description": "The application that was affected by the lifecycle event. This also applies to self-updating application systems.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "product"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6002": {
+ "caption": "Application Lifecycle",
+ "description": "Application Lifecycle events report installation, removal, start, stop of an application or service."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600200": {
+ "caption": "Application Lifecycle: Unknown"
+ },
+ "600201": {
+ "caption": "Application Lifecycle: Install"
+ },
+ "600202": {
+ "caption": "Application Lifecycle: Remove"
+ },
+ "600203": {
+ "caption": "Application Lifecycle: Start"
+ },
+ "600204": {
+ "caption": "Application Lifecycle: Stop"
+ },
+ "600299": {
+ "caption": "Application Lifecycle: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Application Lifecycle",
+ "category": "application",
+ "description": "Application Lifecycle events report installation, removal, start, stop of an application or service.",
+ "extends": "application",
+ "name": "application_lifecycle",
+ "profiles": [
+ "host"
+ ],
+ "uid": 2
+ },
+ "authentication": {
+ "associations": {
+ "actor.user": [
+ "src_endpoint"
+ ],
+ "dst_endpoint": [
+ "user"
+ ],
+ "src_endpoint": [
+ "actor.user"
+ ],
+ "user": [
+ "dst_endpoint"
+ ]
+ },
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Logon",
+ "description": "A new logon session was requested."
+ },
+ "2": {
+ "caption": "Logoff",
+ "description": "A logon session was terminated and no longer exists."
+ },
+ "3": {
+ "caption": "Authentication Ticket",
+ "description": "A Kerberos authentication ticket (TGT) was requested."
+ },
+ "4": {
+ "caption": "Service Ticket Request",
+ "description": "A Kerberos service ticket was requested."
+ },
+ "5": {
+ "caption": "Service Ticket Renew",
+ "description": "A Kerberos service ticket was renewed."
+ },
+ "6": {
+ "caption": "Preauth",
+ "description": "A preauthentication stage was engaged."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that requested the authentication.",
+ "group": "context",
+ "profile": null,
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "auth_factors": {
+ "caption": "Authentication Factors",
+ "description": "Describes a category of methods used for identity verification in an authentication attempt.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "auth_factor"
+ },
+ "auth_protocol": {
+ "caption": "Auth Protocol",
+ "description": "The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "auth_protocol_id": {
+ "caption": "Auth Protocol ID",
+ "description": "The normalized identifier of the authentication protocol used to create the user session.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The authentication protocol is unknown."
+ },
+ "1": {
+ "caption": "NTLM"
+ },
+ "10": {
+ "caption": "RADIUS"
+ },
+ "2": {
+ "caption": "Kerberos"
+ },
+ "3": {
+ "caption": "Digest"
+ },
+ "4": {
+ "caption": "OpenID"
+ },
+ "5": {
+ "caption": "SAML"
+ },
+ "6": {
+ "caption": "OAUTH 2.0"
+ },
+ "7": {
+ "caption": "PAP"
+ },
+ "8": {
+ "caption": "CHAP"
+ },
+ "9": {
+ "caption": "EAP"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The authentication protocol is not mapped. See the auth_protocol
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "auth_protocol",
+ "type": "integer_t"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "certificate": {
+ "caption": "Certificate",
+ "description": "The certificate associated with the authentication or pre-authentication (Kerberos).",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "certificate"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3002": {
+ "caption": "Authentication",
+ "description": "Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The endpoint to which the authentication was targeted.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "is_cleartext": {
+ "caption": "Cleartext Credentials",
+ "description": "Indicates whether the credentials were passed in clear text.Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.
", + "group": "primary", + "requirement": "optional", + "type": "boolean_t" + }, + "is_mfa": { + "caption": "Multi Factor Authentication", + "description": "Indicates whether Multi Factor Authentication was used during authentication.", + "group": "primary", + "requirement": "recommended", + "type": "boolean_t" + }, + "is_new_logon": { + "caption": "New Logon", + "description": "Indicates logon is from a device not seen before or a first time account logon.", + "group": "context", + "requirement": "optional", + "type": "boolean_t" + }, + "is_remote": { + "caption": "Remote", + "description": "The attempted authentication is over a remote connection.", + "group": "primary", + "requirement": "recommended", + "type": "boolean_t" + }, + "logon_process": { + "caption": "Logon Process", + "description": "The trusted process that validated the authentication credentials.", + "group": "context", + "observable": 25, + "requirement": "optional", + "type": "process" + }, + "logon_type": { + "caption": "Logon Type", + "description": "The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.", + "group": "primary", + "requirement": "recommended", + "type": "string_t" + }, + "logon_type_id": { + "caption": "Logon Type ID", + "description": "The normalized logon type identifier.", + "enum": { + "0": { + "caption": "Unknown", + "description": "Used only by the System account, for example at system startup." + }, + "1": { + "caption": "System", + "description": "Used only by the System account, for example at system startup." + }, + "10": { + "caption": "Remote Interactive", + "description": "A remote logon using Terminal Services or remote desktop application." + }, + "11": { + "caption": "Cached Interactive", + "description": "A user logged on to this device with network credentials that were stored locally on the device and the domain controller was not contacted to verify the credentials." 
+ },
+ "12": {
+ "caption": "Cached Remote Interactive",
+ "description": "Same as Remote Interactive. This is used for internal auditing."
+ },
+ "13": {
+ "caption": "Cached Unlock",
+ "description": "Workstation logon."
+ },
+ "2": {
+ "caption": "Interactive",
+ "description": "A local logon to device console."
+ },
+ "3": {
+ "caption": "Network",
+ "description": "A user or device logged onto this device from the network."
+ },
+ "4": {
+ "caption": "Batch",
+ "description": "A batch server logon, where processes may be executing on behalf of a user without their direct intervention."
+ },
+ "5": {
+ "caption": "OS Service",
+ "description": "A logon by a service or daemon that was started by the OS."
+ },
+ "7": {
+ "caption": "Unlock",
+ "description": "A user unlocked the device."
+ },
+ "8": {
+ "caption": "Network Cleartext",
+ "description": "A user logged on to this device from the network. The user's password in the authentication package was not hashed."
+ },
+ "9": {
+ "caption": "New Credentials",
+ "description": "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The logon type is not mapped. See thelogon_type
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "logon_type",
+ "type": "integer_t"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "service": {
+ "caption": "Service",
+ "description": "The service or gateway to which the user or process is being authenticated",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "service"
+ },
+ "session": {
+ "caption": "Session",
+ "description": "The authenticated user or service session.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "session"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "300200": {
+ "caption": "Authentication: Unknown"
+ },
+ "300201": {
+ "caption": "Authentication: Logon"
+ },
+ "300202": {
+ "caption": "Authentication: Logoff"
+ },
+ "300203": {
+ "caption": "Authentication: Authentication Ticket"
+ },
+ "300204": {
+ "caption": "Authentication: Service Ticket Request"
+ },
+ "300205": {
+ "caption": "Authentication: Service Ticket Renew"
+ },
+ "300206": {
+ "caption": "Authentication: Preauth"
+ },
+ "300299": {
+ "caption": "Authentication: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The subject (user/role or account) to authenticate.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "required",
+ "type": "user"
+ }
+ },
+ "caption": "Authentication",
+ "category": "iam",
+ "constraints": {
+ "at_least_one": [
+ "service",
+ "dst_endpoint"
+ ]
+ },
+ "description": "Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.",
+ "extends": "iam",
+ "name": "authentication",
+ "profiles": [
+ "host"
+ ],
+ "uid": 2
+ },
+ "authorize_session": {
+ "associations": {
+ "session": [
+ "user"
+ ],
+ "user": [
+ "session"
+ ]
+ },
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Assign Privileges",
+ "description": "Assign special privileges to a new logon."
+ },
+ "2": {
+ "caption": "Assign Groups",
+ "description": "Assign special groups to a new logon."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3003": {
+ "caption": "Authorize Session",
+ "description": "Authorize Session events report privileges or groups assigned to a new user session, usually at login time."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The Endpoint for which the user session was targeted.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "group": {
+ "caption": "Group",
+ "description": "Group that was assigned to the new user session.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "group"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "privileges": {
+ "caption": "Privileges",
+ "description": "The list of sensitive privileges, assigned to the new user session.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "session": {
+ "caption": "Session",
+ "description": "The user session with the assigned privileges.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "session"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "300300": {
+ "caption": "Authorize Session: Unknown"
+ },
+ "300301": {
+ "caption": "Authorize Session: Assign Privileges"
+ },
+ "300302": {
+ "caption": "Authorize Session: Assign Groups"
+ },
+ "300399": {
+ "caption": "Authorize Session: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user to which new privileges were assigned.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "required",
+ "type": "user"
+ }
+ },
+ "caption": "Authorize Session",
+ "category": "iam",
+ "constraints": {
+ "just_one": [
+ "privileges",
+ "group"
+ ]
+ },
+ "description": "Authorize Session events report privileges or groups assigned to a new user session, usually at login time.",
+ "extends": "iam",
+ "name": "authorize_session",
+ "profiles": [
+ "host"
+ ],
+ "uid": 3
+ },
+ "base_event": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "0": {
+ "caption": "Uncategorized"
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Base Event",
+ "category": "other",
+ "description": "The base event is a generic concrete event and it also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.",
+ "extends": null,
+ "name": "base_event",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ]
+ },
+ "compliance_finding": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the finding activity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A finding was created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "A finding was updated."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "A finding was closed."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The finding activity name, as defined by the activity_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "2003": {
+ "caption": "Compliance Finding",
+ "description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001
etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "A user provided comment about the finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "compliance": {
+ "caption": "Compliance",
+ "description": "The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "compliance"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The time of the most recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "finding_info": {
+ "caption": "Finding Information",
+ "description": "Describes the supporting information about a generated finding.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding_info"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "remediation"
+ },
+ "resource": {
+ "caption": "Resource",
+ "description": "Describes details about the resource that is the subject of the compliance check.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.", + "enum": { + "0": { + "caption": "Unknown", + "description": "The event severity is not known." + }, + "1": { + "caption": "Informational", + "description": "Informational message. No action required." + }, + "2": { + "caption": "Low", + "description": "The user decides if action is needed." + }, + "3": { + "caption": "Medium", + "description": "Action is required but the situation is not serious at this time." + }, + "4": { + "caption": "High", + "description": "Action is required immediately." + }, + "5": { + "caption": "Critical", + "description": "Action is required immediately and the scope is broad." + }, + "6": { + "caption": "Fatal", + "description": "An error occurred but it is too late to take remedial action." + }, + "99": { + "caption": "Other", + "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The time of the least recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "200300": {
+ "caption": "Compliance Finding: Unknown"
+ },
+ "200301": {
+ "caption": "Compliance Finding: Create"
+ },
+ "200302": {
+ "caption": "Compliance Finding: Update"
+ },
+ "200303": {
+ "caption": "Compliance Finding: Close"
+ },
+ "200399": {
+ "caption": "Compliance Finding: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Compliance Finding",
+ "category": "findings",
+ "description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001
etc.",
+ "extends": "finding",
+ "name": "compliance_finding",
+ "profiles": [
+ "host"
+ ],
+ "uid": 3
+ },
+ "config_state": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "cis_benchmark_result": {
+ "caption": "CIS Benchmark Result",
+ "description": "The CIS benchmark result.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "cis_benchmark_result"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5002": {
+ "caption": "Device Config State",
+ "description": "Device Config State events report device configuration data and CIS Benchmark results."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.", + "enum": { + "0": { + "caption": "Unknown", + "description": "The event severity is not known." + }, + "1": { + "caption": "Informational", + "description": "Informational message. No action required." + }, + "2": { + "caption": "Low", + "description": "The user decides if action is needed." + }, + "3": { + "caption": "Medium", + "description": "Action is required but the situation is not serious at this time." + }, + "4": { + "caption": "High", + "description": "Action is required immediately." + }, + "5": { + "caption": "Critical", + "description": "Action is required immediately and the scope is broad." + }, + "6": { + "caption": "Fatal", + "description": "An error occurred but it is too late to take remedial action." + }, + "99": { + "caption": "Other", + "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "500200": {
+ "caption": "Device Config State: Unknown"
+ },
+ "500201": {
+ "caption": "Device Config State: Log"
+ },
+ "500202": {
+ "caption": "Device Config State: Collect"
+ },
+ "500299": {
+ "caption": "Device Config State: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Device Config State",
+ "category": "discovery",
+ "description": "Device Config State events report device configuration data and CIS Benchmark results.",
+ "extends": "discovery",
+ "name": "config_state",
+ "profiles": [
+ "host"
+ ],
+ "uid": 2
+ },
+ "data_security_finding": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the Data Security Finding activity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A new Data Security finding is created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "An existing Data Security finding is updated with more information."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.)."
+ },
+ "4": {
+ "caption": "Suppressed",
+ "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The Data Security finding activity name, as defined by the activity_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "Describes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "2006": {
+ "caption": "Data Security Finding",
+ "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "A user provided comment about the finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "data_security": {
+ "caption": "Data Security",
+ "description": "The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_security"
+ },
+ "database": {
+ "caption": "Database",
+ "description": "Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "database"
+ },
+ "databucket": {
+ "caption": "Databucket",
+ "description": "Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "databucket"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "Describes the device where classified or sensitive data is stored in, or was accessed from.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "Describes the endpoint where classified or sensitive data is stored in, or was accessed from.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The time of the most recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "Describes a file that contains classified or sensitive data.",
+ "group": "context",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "finding_info": {
+ "caption": "Finding Information",
+ "description": "Describes the supporting information about a generated finding.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding_info"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "impact": {
+ "caption": "Impact",
+ "description": "The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "impact_id": {
+ "caption": "Impact ID",
+ "description": "The normalized impact of the finding.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized impact is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The impact is not mapped. See the impact
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "optional",
+ "sibling": "impact",
+ "type": "integer_t"
+ },
+ "impact_score": {
+ "caption": "Impact",
+ "description": "The impact of the finding, valid range 0-100.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resources": {
+ "caption": "Affected Resources",
+ "description": "Describes details about resources twhere classified or sensitive data is stored in, or was accessed from.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "risk_level": {
+ "caption": "Risk Level",
+ "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "risk_level_id": {
+ "caption": "Risk Level ID",
+ "description": "The normalized risk level id.",
+ "enum": {
+ "0": {
+ "caption": "Info"
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ }
+ },
+ "group": "context",
+ "requirement": "optional",
+ "sibling": "risk_level",
+ "type": "integer_t"
+ },
+ "risk_score": {
+ "caption": "Risk Score",
+ "description": "The risk score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Affected Resources",
+ "description": "Details about the source endpoint where classified or sensitive data was accessed from.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The time of the least recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "table": {
+ "caption": "Table",
+ "description": "Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "table"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "200600": {
+ "caption": "Data Security Finding: Unknown"
+ },
+ "200601": {
+ "caption": "Data Security Finding: Create"
+ },
+ "200602": {
+ "caption": "Data Security Finding: Update"
+ },
+ "200603": {
+ "caption": "Data Security Finding: Close"
+ },
+ "200604": {
+ "caption": "Data Security Finding: Suppressed"
+ },
+ "200699": {
+ "caption": "Data Security Finding: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Data Security Finding",
+ "category": "findings",
+ "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data.",
+ "extends": "finding",
+ "name": "data_security_finding",
+ "profiles": [
+ "security_control"
+ ],
+ "uid": 6
+ },
+ "datastore_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Read",
+ "description": "The datastore activity in the event pertains to a 'Read' operation."
+ },
+ "10": {
+ "caption": "Decrypt",
+ "description": "The 'Decrypt' activity involves converting encrypted data back to its original format."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "The datastore activity in the event pertains to a 'Update' operation."
+ },
+ "3": {
+ "caption": "Connect",
+ "description": "The datastore activity in the event pertains to a 'Connect' operation."
+ },
+ "4": {
+ "caption": "Query",
+ "description": "The datastore activity in the event pertains to a 'Query' operation."
+ },
+ "5": {
+ "caption": "Write",
+ "description": "The datastore activity in the event pertains to a 'Write' operation."
+ },
+ "6": {
+ "caption": "Create",
+ "description": "The datastore activity in the event pertains to a 'Create' operation."
+ },
+ "7": {
+ "caption": "Delete",
+ "description": "The datastore activity in the event pertains to a 'Delete' operation."
+ },
+ "8": {
+ "caption": "List",
+ "description": "The 'List' activity provides an overview of existing data records."
+ },
+ "9": {
+ "caption": "Encrypt",
+ "description": "The 'Encrypt' activity involves securing data by encrypting a specific data record."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor that performed the operation or the action.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6005": {
+ "caption": "Datastore Activity",
+ "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3)."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "database": {
+ "caption": "Database",
+ "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "database"
+ },
+ "databucket": {
+ "caption": "Databucket",
+ "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "databucket"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "Details about the endpoint hosting the datastore application or service.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying http request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "http_request"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the activity.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "table": {
+ "caption": "Table",
+ "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "table"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type": {
+ "caption": "Datastore Type",
+ "description": "The datastore resource type (e.g. database, datastore, or table).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Datastore Type ID",
+ "description": "The normalized datastore resource type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The datastore resource type is unknown."
+ },
+ "1": {
+ "caption": "Database"
+ },
+ "2": {
+ "caption": "Databucket"
+ },
+ "3": {
+ "caption": "Table"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The datastore resource type is not mapped."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600500": {
+ "caption": "Datastore Activity: Unknown"
+ },
+ "600501": {
+ "caption": "Datastore Activity: Read"
+ },
+ "600502": {
+ "caption": "Datastore Activity: Update"
+ },
+ "600503": {
+ "caption": "Datastore Activity: Connect"
+ },
+ "600504": {
+ "caption": "Datastore Activity: Query"
+ },
+ "600505": {
+ "caption": "Datastore Activity: Write"
+ },
+ "600506": {
+ "caption": "Datastore Activity: Create"
+ },
+ "600507": {
+ "caption": "Datastore Activity: Delete"
+ },
+ "600508": {
+ "caption": "Datastore Activity: List"
+ },
+ "600509": {
+ "caption": "Datastore Activity: Encrypt"
+ },
+ "600510": {
+ "caption": "Datastore Activity: Decrypt"
+ },
+ "600599": {
+ "caption": "Datastore Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Datastore Activity",
+ "category": "application",
+ "constraints": {
+ "at_least_one": [
+ "database",
+ "databucket",
+ "table"
+ ]
+ },
+ "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).",
+ "extends": "application",
+ "name": "datastore_activity",
+ "profiles": [
+ "security_control"
+ ],
+ "uid": 5
+ },
+ "detection_finding": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the finding activity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A finding was created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "A finding was updated."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "A finding was closed."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The finding activity name, as defined by the activity_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "2004": {
+ "caption": "Detection Finding",
+ "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the product is a security control, the security_control
profile should be applied and its attacks
information should be duplicated into the finding_info
object."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "A user provided comment about the finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The time of the most recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "evidences": {
+ "caption": "Evidence Artifacts",
+ "description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "evidences"
+ },
+ "finding_info": {
+ "caption": "Finding Information",
+ "description": "Describes the supporting information about a generated finding.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding_info"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "impact": {
+ "caption": "Impact",
+ "description": "The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "impact_id": {
+ "caption": "Impact ID",
+ "description": "The normalized impact of the finding.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized impact is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The impact is not mapped. See the impact
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "optional",
+ "sibling": "impact",
+ "type": "integer_t"
+ },
+ "impact_score": {
+ "caption": "Impact",
+ "description": "The impact of the finding, valid range 0-100.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "group": "context",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "resources": {
+ "caption": "Affected Resources",
+ "description": "Describes details about resources that were the target of the activity that triggered the finding.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "risk_details": {
+ "caption": "Risk Details",
+ "description": "Describes the risk associated with the finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "risk_level": {
+ "caption": "Risk Level",
+ "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "risk_level_id": {
+ "caption": "Risk Level ID",
+ "description": "The normalized risk level id.",
+ "enum": {
+ "0": {
+ "caption": "Info"
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ }
+ },
+ "group": "context",
+ "requirement": "optional",
+ "sibling": "risk_level",
+ "type": "integer_t"
+ },
+ "risk_score": {
+ "caption": "Risk Score",
+ "description": "The risk score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The time of the least recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "200400": {
+ "caption": "Detection Finding: Unknown"
+ },
+ "200401": {
+ "caption": "Detection Finding: Create"
+ },
+ "200402": {
+ "caption": "Detection Finding: Update"
+ },
+ "200403": {
+ "caption": "Detection Finding: Close"
+ },
+ "200499": {
+ "caption": "Detection Finding: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vulnerabilities": {
+ "caption": "Vulnerabilities",
+ "description": "Describes vulnerabilities reported in a Detection Finding.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "vulnerability"
+ }
+ },
+ "caption": "Detection Finding",
+ "category": "findings",
+ "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the product is a security control, the security_control
profile should be applied and its attacks
information should be duplicated into the finding_info
object.",
+ "extends": "finding",
+ "name": "detection_finding",
+ "profiles": [
+ "security_control"
+ ],
+ "uid": 4
+ },
+ "device_config_state_change": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5019": {
+ "caption": "Device Config State Change",
+ "description": "Device Config State Change events report state changes that impact the security of the device."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "prev_security_level": {
+ "caption": "Previous Security Level",
+ "description": "The previous security level of the entity",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "prev_security_level_id": {
+ "caption": "Previous Security Level ID",
+ "description": "The previous security level of the entity",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Secure"
+ },
+ "2": {
+ "caption": "At Risk"
+ },
+ "3": {
+ "caption": "Compromised"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The security level is not mapped. See the prev_security_level
attribute, which contains data source specific values."
+ }
+ },
+ "group": "primary",
+ "requirement": "optional",
+ "sibling": "prev_security_level",
+ "type": "integer_t"
+ },
+ "prev_security_states": {
+ "caption": "Previous Security States",
+ "description": "The previous security states of the device.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "security_state"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "security_level": {
+ "caption": "Security Level",
+ "description": "The current security level of the entity",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "security_level_id": {
+ "caption": "Security Level ID",
+ "description": "The current security level of the entity",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Secure"
+ },
+ "2": {
+ "caption": "At Risk"
+ },
+ "3": {
+ "caption": "Compromised"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The security level is not mapped. See the security_level
attribute, which contains data source specific values."
+ }
+ },
+ "group": "primary",
+ "requirement": "optional",
+ "sibling": "security_level",
+ "type": "integer_t"
+ },
+ "security_states": {
+ "caption": "Security States",
+ "description": "The current security states of the device.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "security_state"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "501900": {
+ "caption": "Device Config State Change: Unknown"
+ },
+ "501901": {
+ "caption": "Device Config State Change: Log"
+ },
+ "501902": {
+ "caption": "Device Config State Change: Collect"
+ },
+ "501999": {
+ "caption": "Device Config State Change: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Device Config State Change",
+ "category": "discovery",
+ "description": "Device Config State Change events report state changes that impact the security of the device.",
+ "extends": "discovery",
+ "name": "device_config_state_change",
+ "profiles": [
+ "host"
+ ],
+ "uid": 19
+ },
+ "dhcp_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Discover",
+ "description": "DHCPDISCOVER"
+ },
+ "2": {
+ "caption": "Offer",
+ "description": "DHCPOFFER"
+ },
+ "3": {
+ "caption": "Request",
+ "description": "DHCPREQUEST"
+ },
+ "4": {
+ "caption": "Decline",
+ "description": "DHCPDECLINE"
+ },
+ "5": {
+ "caption": "Ack",
+ "description": "DHCPACK: The server accepts the request by sending the client a DHCP Acknowledgment message."
+ },
+ "6": {
+ "caption": "Nak",
+ "description": "DHCPNAK"
+ },
+ "7": {
+ "caption": "Release",
+ "description": "DHCPRELEASE: A DHCP client sends a DHCPRELEASE packet to the server to release the IP address and cancel any remaining lease."
+ },
+ "8": {
+ "caption": "Inform",
+ "description": "DHCPINFORM"
+ },
+ "9": {
+ "caption": "Expire",
+ "description": "DHCPEXPIRE: A DHCP lease expired."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4004": {
+ "caption": "DHCP Activity",
+ "description": "DHCP Activity events report MAC to IP assignment via DHCP from a client or server."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) of the DHCP connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "is_renewal": {
+ "caption": "Renewal",
+ "description": "The indication of whether this is a lease/session renewal event.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "boolean_t"
+ },
+ "lease_dur": {
+ "caption": "Lease Duration",
+ "description": "This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "network_interface": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Network Interface",
+ "description": "The network interface that is associated with the device.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_interface"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "relay": {
+ "caption": "Relay",
+ "description": "The network relay that is associated with the event.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_interface"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the DHCP connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "transaction_uid": {
+ "caption": "Transaction UID",
+ "description": "The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400400": {
+ "caption": "DHCP Activity: Unknown"
+ },
+ "400401": {
+ "caption": "DHCP Activity: Discover"
+ },
+ "400402": {
+ "caption": "DHCP Activity: Offer"
+ },
+ "400403": {
+ "caption": "DHCP Activity: Request"
+ },
+ "400404": {
+ "caption": "DHCP Activity: Decline"
+ },
+ "400405": {
+ "caption": "DHCP Activity: Ack"
+ },
+ "400406": {
+ "caption": "DHCP Activity: Nak"
+ },
+ "400407": {
+ "caption": "DHCP Activity: Release"
+ },
+ "400408": {
+ "caption": "DHCP Activity: Inform"
+ },
+ "400409": {
+ "caption": "DHCP Activity: Expire"
+ },
+ "400499": {
+ "caption": "DHCP Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "DHCP Activity",
+ "category": "network",
+ "description": "DHCP Activity events report MAC to IP assignment via DHCP from a client or server.",
+ "extends": "network",
+ "name": "dhcp_activity",
+ "profiles": [
+ "host"
+ ],
+ "uid": 4
+ },
+ "discovery": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Discovery",
+ "category": "discovery",
+ "description": "The Discovery event is a generic event that defines a set of attributes available in Discovery category events. As a generic event, it could be used to log events that are not otherwise defined by the Discovery specific event classes.",
+ "extends": "base_event",
+ "name": "discovery",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ]
+ },
+ "discovery_result": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Discovery Result",
+ "category": "discovery",
+ "description": "Discovery Result events report the results of a discovery request.",
+ "extends": "base_event",
+ "name": "discovery_result",
+ "profiles": [
+ "host"
+ ]
+ },
+ "dns_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The DNS query request."
+ },
+ "2": {
+ "caption": "Response",
+ "description": "The DNS query response."
+ },
+ "6": {
+ "caption": "Traffic",
+ "description": "Bidirectional DNS request and response traffic."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "answers": {
+ "caption": "DNS Answer",
+ "description": "The Domain Name System (DNS) answers.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "dns_answer"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4003": {
+ "caption": "DNS Activity",
+ "description": "DNS Activity events report DNS queries and answers as seen on the network."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "query": {
+ "caption": "DNS Query",
+ "description": "The Domain Name System (DNS) query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "dns_query"
+ },
+ "query_time": {
+ "caption": "Query Time",
+ "description": "The Domain Name System (DNS) query time.",
+ "group": "occurrence",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "rcode": {
+ "caption": "Response Code",
+ "description": "The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "rcode_id": {
+ "caption": "Response Code ID",
+ "description": "The normalized identifier of the DNS server response code. See RFC-6895.",
+ "enum": {
+ "0": {
+ "caption": "NoError",
+ "description": "No Error."
+ },
+ "1": {
+ "caption": "FormError",
+ "description": "Format Error."
+ },
+ "10": {
+ "caption": "NotZone",
+ "description": "Name not contained in zone."
+ },
+ "11": {
+ "caption": "DSOTYPENI",
+ "description": "DSO-TYPE Not Implemented."
+ },
+ "16": {
+ "caption": "BADSIG_VERS",
+ "description": "TSIG Signature Failure or Bad OPT Version."
+ },
+ "17": {
+ "caption": "BADKEY",
+ "description": "Key not recognized."
+ },
+ "18": {
+ "caption": "BADTIME",
+ "description": "Signature out of time window."
+ },
+ "19": {
+ "caption": "BADMODE",
+ "description": "Bad TKEY Mode."
+ },
+ "2": {
+ "caption": "ServError",
+ "description": "Server Failure."
+ },
+ "20": {
+ "caption": "BADNAME",
+ "description": "Duplicate key name."
+ },
+ "21": {
+ "caption": "BADALG",
+ "description": "Algorithm not supported."
+ },
+ "22": {
+ "caption": "BADTRUNC",
+ "description": "Bad Truncation."
+ },
+ "23": {
+ "caption": "BADCOOKIE",
+ "description": "Bad/missing Server Cookie."
+ },
+ "24": {
+ "caption": "Unassigned",
+ "description": "The codes deemed to be unassigned by the RFC (unassigned codes: 12-15, 24-3840, 4096-65534)."
+ },
+ "25": {
+ "caption": "Reserved",
+ "description": "The codes deemed to be reserved by the RFC (codes: 3841-4095, 65535)."
+ },
+ "3": {
+ "caption": "NXDomain",
+ "description": "Non-Existent Domain."
+ },
+ "4": {
+ "caption": "NotImp",
+ "description": "Not Implemented."
+ },
+ "5": {
+ "caption": "Refused",
+ "description": "Query Refused."
+ },
+ "6": {
+ "caption": "YXDomain",
+ "description": "Name Exists when it should not."
+ },
+ "7": {
+ "caption": "YXRRSet",
+ "description": "RR Set Exists when it should not."
+ },
+ "8": {
+ "caption": "NXRRSet",
+ "description": "RR Set that should exist does not."
+ },
+ "9": {
+ "caption": "NotAuth",
+ "description": "Not Authorized or Server Not Authoritative for zone."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The dns response code is not defined by the RFC."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "rcode",
+ "type": "integer_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "response_time": {
+ "caption": "Response Time",
+ "description": "The Domain Name System (DNS) response time.",
+ "group": "occurrence",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400300": {
+ "caption": "DNS Activity: Unknown"
+ },
+ "400301": {
+ "caption": "DNS Activity: Query"
+ },
+ "400302": {
+ "caption": "DNS Activity: Response"
+ },
+ "400306": {
+ "caption": "DNS Activity: Traffic"
+ },
+ "400399": {
+ "caption": "DNS Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "DNS Activity",
+ "category": "network",
+ "description": "DNS Activity events report DNS queries and answers as seen on the network.",
+ "extends": "network",
+ "name": "dns_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 3
+ },
+ "email_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Send"
+ },
+ "2": {
+ "caption": "Receive"
+ },
+ "3": {
+ "caption": "Scan",
+ "description": "Email being scanned (example: security scanning)"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "attempt": {
+ "caption": "Attempt",
+ "description": "The attempt number for attempting to deliver the email.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "banner": {
+ "caption": "SMTP Banner",
+ "description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4009": {
+ "caption": "Email Activity",
+ "description": "Email events report activities of emails."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Connection Identifier",
+ "description": "The network connection identifier.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "direction": {
+ "caption": "Direction",
+ "description": "The direction of the email, as defined by the direction_id
value.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "direction_id": {
+ "caption": "Direction ID",
+ "description": "The direction of the email relative to the scanning host or organization.
Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from the workstation.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The email direction is unknown."
+ },
+ "1": {
+ "caption": "Inbound",
+ "description": "Email Inbound, from the Internet or outside network destined for an entity inside network."
+ },
+ "2": {
+ "caption": "Outbound",
+ "description": "Email Outbound, from inside the network destined for an entity outside network."
+ },
+ "3": {
+ "caption": "Internal",
+ "description": "Email Internal, from inside the network destined for an entity inside network."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The direction is not mapped. See thedirection
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "required",
+ "sibling": "direction",
+ "type": "integer_t"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) receiving the email.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "email": {
+ "caption": "Email",
+ "description": "The email object.",
+ "group": "primary",
+ "observable": 22,
+ "requirement": "required",
+ "type": "email"
+ },
+ "email_auth": {
+ "caption": "Email Authentication",
+ "description": "The SPF, DKIM and DMARC attributes of an email.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "email_auth"
+ },
+ "email_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Email UID",
+ "description": "The unique identifier of the email, used to correlate related email alert and activity events.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "smtp_hello": {
+ "caption": "SMTP Hello",
+ "description": "The value of the SMTP HELO or EHLO command sent by the initiator (client).",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) sending the email.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400900": {
+ "caption": "Email Activity: Unknown"
+ },
+ "400901": {
+ "caption": "Email Activity: Send"
+ },
+ "400902": {
+ "caption": "Email Activity: Receive"
+ },
+ "400903": {
+ "caption": "Email Activity: Scan"
+ },
+ "400999": {
+ "caption": "Email Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Email Activity",
+ "category": "network",
+ "description": "Email events report activities of emails.",
+ "extends": "base_event",
+ "name": "email_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 9
+ },
+ "email_delivery_activity": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Delivered"
+ },
+ "2": {
+ "caption": "Failed"
+ },
+ "3": {
+ "caption": "Temporary Failure"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "Attacks",
+ "description": "An array of attacks associated with an event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "attempt": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Attempt",
+ "description": "The delivery attempt.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "banner": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "SMTP Banner",
+ "description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_name": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "10104030": {
+ "caption": "Email Delivery Activity",
+ "description": "Email Delivery events report the delivery status of emails."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud enviroment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Connection Identifier",
+ "description": "The network connection identifier.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The event disposition name, as defined by the disposition_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id
describes the action taken by the security product.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Blocked"
+ },
+ "10": {
+ "caption": "Delayed",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Detected"
+ },
+ "12": {
+ "caption": "Quarantined"
+ },
+ "13": {
+ "caption": "Restored"
+ },
+ "14": {
+ "caption": "Exonerated",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Tagged",
+ "description": "Marked with extended attributes."
+ },
+ "2": {
+ "caption": "Allowed"
+ },
+ "3": {
+ "caption": "No Action"
+ },
+ "4": {
+ "caption": "Logged"
+ },
+ "5": {
+ "caption": "Command Script Run"
+ },
+ "6": {
+ "caption": "Corrected"
+ },
+ "7": {
+ "caption": "Partially Corrected"
+ },
+ "8": {
+ "caption": "Uncorrected"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dkim_signature": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "DKIM Signature",
+ "description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "email": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Email",
+ "description": "The email object.",
+ "group": "primary",
+ "observable": 22,
+ "requirement": "required",
+ "type": "email"
+ },
+ "email_auth": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Email Authentication",
+ "description": "The SPF, DKIM and DMARC attributes of an email.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "email_auth"
+ },
+ "email_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Email UID",
+ "description": "The unique identifier of the email, used to correlate related email alert and activity events.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The email file attachment.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "The list of malware identified by a finding.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event, as defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "receiver_hostname": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Sender Host Name",
+ "description": "The host name of the receiving email server.",
+ "group": "context",
+ "observable": 1,
+ "requirement": "optional",
+ "type": "hostname_t"
+ },
+ "receiver_ip": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Sender IP Address",
+ "description": "The IP address of the receiving email server, in either IPv4 or IPv6 format.",
+ "group": "context",
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sender_hostname": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Sender Host Name",
+ "description": "The host name of the sending email server.",
+ "group": "context",
+ "observable": 1,
+ "requirement": "optional",
+ "type": "hostname_t"
+ },
+ "sender_ip": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Sender IP Address",
+ "description": "The IP address of the sending email server, in either IPv4 or IPv6 format.",
+ "group": "context",
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event severity, as defined by the event source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See the severity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, as reported by the event source.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "1010403000": {
+ "caption": "Email Delivery Activity: Unknown"
+ },
+ "1010403001": {
+ "caption": "Email Delivery Activity: Delivered"
+ },
+ "1010403002": {
+ "caption": "Email Delivery Activity: Failed"
+ },
+ "1010403003": {
+ "caption": "Email Delivery Activity: Temporary Failure"
+ },
+ "1010403099": {
+ "caption": "Email Delivery Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "object"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL included in the email content.",
+ "group": "primary",
+ "observable": 23,
+ "requirement": "required",
+ "type": "url"
+ }
+ },
+ "caption": "Email Delivery Activity",
+ "category": "network",
+ "description": "Email Delivery events report the delivery status of emails.",
+ "extends": "base_event",
+ "extension": "query",
+ "name": "email_delivery_activity",
+ "profiles": [
+ "host",
+ "malware"
+ ],
+ "uid": 30
+ },
+ "email_file_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Send"
+ },
+ "2": {
+ "caption": "Receive"
+ },
+ "3": {
+ "caption": "Scan",
+ "description": "Email file being scanned (example: security scanning)."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4011": {
+ "caption": "Email File Activity",
+ "description": "Email File Activity events report files within emails."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Connection Identifier",
+ "description": "The network connection identifier.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "email_uid": {
+ "caption": "Email UID",
+ "description": "The unique identifier of the email, used to correlate related email alert and activity events.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The email file attachment.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401100": {
+ "caption": "Email File Activity: Unknown"
+ },
+ "401101": {
+ "caption": "Email File Activity: Send"
+ },
+ "401102": {
+ "caption": "Email File Activity: Receive"
+ },
+ "401103": {
+ "caption": "Email File Activity: Scan"
+ },
+ "401199": {
+ "caption": "Email File Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Email File Activity",
+ "category": "network",
+ "description": "Email File Activity events report files within emails.",
+ "extends": "base_event",
+ "name": "email_file_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 11
+ },
+ "email_url_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Send"
+ },
+ "2": {
+ "caption": "Receive"
+ },
+ "3": {
+ "caption": "Scan",
+ "description": "Email URL being scanned (example: security scanning)."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4012": {
+ "caption": "Email URL Activity",
+ "description": "Email URL Activity events report URLs within an email."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Connection Identifier",
+ "description": "The network connection identifier.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "email_uid": {
+ "caption": "Email UID",
+ "description": "The unique identifier of the email, used to correlate related email alert and activity events.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401200": {
+ "caption": "Email URL Activity: Unknown"
+ },
+ "401201": {
+ "caption": "Email URL Activity: Send"
+ },
+ "401202": {
+ "caption": "Email URL Activity: Receive"
+ },
+ "401203": {
+ "caption": "Email URL Activity: Scan"
+ },
+ "401299": {
+ "caption": "Email URL Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL included in the email content.",
+ "group": "primary",
+ "observable": 23,
+ "requirement": "required",
+ "type": "url"
+ }
+ },
+ "caption": "Email URL Activity",
+ "category": "network",
+ "description": "Email URL Activity events report URLs within an email.",
+ "extends": "base_event",
+ "name": "email_url_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 12
+ },
+ "entity_management": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create"
+ },
+ "2": {
+ "caption": "Read"
+ },
+ "3": {
+ "caption": "Update"
+ },
+ "4": {
+ "caption": "Delete"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "Use for when the entity acting upon another entity is a process or user.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3004": {
+ "caption": "Entity Management",
+ "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "The user provided comment about why the entity was changed.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "entity": {
+ "caption": "Entity",
+ "description": "The managed entity that is being acted upon.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "managed_entity"
+ },
+ "entity_result": {
+ "caption": "Entity Result",
+ "description": "The updated managed entity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "managed_entity"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "300400": {
+ "caption": "Entity Management: Unknown"
+ },
+ "300401": {
+ "caption": "Entity Management: Create"
+ },
+ "300402": {
+ "caption": "Entity Management: Read"
+ },
+ "300403": {
+ "caption": "Entity Management: Update"
+ },
+ "300404": {
+ "caption": "Entity Management: Delete"
+ },
+ "300499": {
+ "caption": "Entity Management: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Entity Management",
+ "category": "iam",
+ "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.",
+ "extends": "iam",
+ "name": "entity_management",
+ "profiles": [
+ "host"
+ ],
+ "uid": 4
+ },
+ "file_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "access_mask": {
+ "caption": "Access Mask",
+ "description": "The access mask in a platform-native format.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A request to create a new file on a file system."
+ },
+ "10": {
+ "caption": "Encrypt",
+ "description": "A request to encrypt a file on a file system."
+ },
+ "11": {
+ "caption": "Decrypt",
+ "description": "A request to decrypt a file on a file system."
+ },
+ "12": {
+ "caption": "Mount",
+ "description": "A request to mount a file on a file system."
+ },
+ "13": {
+ "caption": "Unmount",
+ "description": "A request to unmount a file from a file system."
+ },
+ "14": {
+ "caption": "Open",
+ "description": "A request to create a file handle."
+ },
+ "2": {
+ "caption": "Read",
+ "description": "A request to read data from a file on a file system."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "A request to write data to a file on a file system."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "A request to delete a file on a file system."
+ },
+ "5": {
+ "caption": "Rename",
+ "description": "A request to rename a file on a file system."
+ },
+ "6": {
+ "caption": "Set Attributes",
+ "description": "A request to set attributes for a file on a file system."
+ },
+ "7": {
+ "caption": "Set Security",
+ "description": "A request to set security for a file on a file system."
+ },
+ "8": {
+ "caption": "Get Attributes",
+ "description": "A request to get attributes for a file on a file system."
+ },
+ "9": {
+ "caption": "Get Security",
+ "description": "A request to get security for a file on a file system."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the file
object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1001": {
+ "caption": "File System Activity",
+ "description": "File System Activity events report when a process performs an action on a file or folder."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "component": {
+ "caption": "Component",
+ "description": "The name or relative pathname of a sub-component of the data object, if applicable.
For example:attachment.doc
, attachment.zip/bad.doc
, or part.mime/part.cab/part.uue/part.doc
.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_uid": {
+ "caption": "Connection Identifier",
+ "description": "The network connection identifier.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "create_mask": {
+ "caption": "Create Mask",
+ "description": "The original Windows mask that is required to create the object.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the activity.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "file_diff": {
+ "caption": "File Diff",
+ "description": "File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "file_result": {
+ "caption": "File Result",
+ "description": "The resulting file object when the activity was allowed and successful.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100100": {
+ "caption": "File System Activity: Unknown"
+ },
+ "100101": {
+ "caption": "File System Activity: Create"
+ },
+ "100102": {
+ "caption": "File System Activity: Read"
+ },
+ "100103": {
+ "caption": "File System Activity: Update"
+ },
+ "100104": {
+ "caption": "File System Activity: Delete"
+ },
+ "100105": {
+ "caption": "File System Activity: Rename"
+ },
+ "100106": {
+ "caption": "File System Activity: Set Attributes"
+ },
+ "100107": {
+ "caption": "File System Activity: Set Security"
+ },
+ "100108": {
+ "caption": "File System Activity: Get Attributes"
+ },
+ "100109": {
+ "caption": "File System Activity: Get Security"
+ },
+ "100110": {
+ "caption": "File System Activity: Encrypt"
+ },
+ "100111": {
+ "caption": "File System Activity: Decrypt"
+ },
+ "100112": {
+ "caption": "File System Activity: Mount"
+ },
+ "100113": {
+ "caption": "File System Activity: Unmount"
+ },
+ "100114": {
+ "caption": "File System Activity: Open"
+ },
+ "100199": {
+ "caption": "File System Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "File System Activity",
+ "category": "system",
+ "description": "File System Activity events report when a process performs an action on a file or folder.",
+ "extends": "system",
+ "name": "file_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 1
+ },
+ "file_hosting": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Upload",
+ "description": "Upload a file."
+ },
+ "10": {
+ "caption": "Lock",
+ "description": "Lock a file."
+ },
+ "11": {
+ "caption": "Unlock",
+ "description": "Unlock a file."
+ },
+ "12": {
+ "caption": "Share",
+ "description": "Share a file."
+ },
+ "13": {
+ "caption": "Unshare",
+ "description": "Unshare a file."
+ },
+ "14": {
+ "caption": "Open",
+ "description": "Open a file."
+ },
+ "15": {
+ "caption": "Sync",
+ "description": "Mark a file or folder to sync with a computer."
+ },
+ "16": {
+ "caption": "Unsync",
+ "description": "Mark a file or folder to not sync with a computer."
+ },
+ "2": {
+ "caption": "Download",
+ "description": "Download a file."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "Update a file."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "Delete a file."
+ },
+ "5": {
+ "caption": "Rename",
+ "description": "Rename a file."
+ },
+ "6": {
+ "caption": "Copy",
+ "description": "Copy a file."
+ },
+ "7": {
+ "caption": "Move",
+ "description": "Move a file."
+ },
+ "8": {
+ "caption": "Restore",
+ "description": "Restore a file."
+ },
+ "9": {
+ "caption": "Preview",
+ "description": "Preview a file."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the target file.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6006": {
+ "caption": "File Hosting Activity",
+ "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The endpoint that received the activity on the target file.",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The share expiration time.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the activity.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The endpoint that performed the activity on the target file.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600600": {
+ "caption": "File Hosting Activity: Unknown"
+ },
+ "600601": {
+ "caption": "File Hosting Activity: Upload"
+ },
+ "600602": {
+ "caption": "File Hosting Activity: Download"
+ },
+ "600603": {
+ "caption": "File Hosting Activity: Update"
+ },
+ "600604": {
+ "caption": "File Hosting Activity: Delete"
+ },
+ "600605": {
+ "caption": "File Hosting Activity: Rename"
+ },
+ "600606": {
+ "caption": "File Hosting Activity: Copy"
+ },
+ "600607": {
+ "caption": "File Hosting Activity: Move"
+ },
+ "600608": {
+ "caption": "File Hosting Activity: Restore"
+ },
+ "600609": {
+ "caption": "File Hosting Activity: Preview"
+ },
+ "600610": {
+ "caption": "File Hosting Activity: Lock"
+ },
+ "600611": {
+ "caption": "File Hosting Activity: Unlock"
+ },
+ "600612": {
+ "caption": "File Hosting Activity: Share"
+ },
+ "600613": {
+ "caption": "File Hosting Activity: Unshare"
+ },
+ "600614": {
+ "caption": "File Hosting Activity: Open"
+ },
+ "600615": {
+ "caption": "File Hosting Activity: Sync"
+ },
+ "600616": {
+ "caption": "File Hosting Activity: Unsync"
+ },
+ "600699": {
+ "caption": "File Hosting Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "File Hosting Activity",
+ "category": "application",
+ "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.",
+ "extends": "application",
+ "name": "file_hosting",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ],
+ "uid": 6
+ },
+ "finding": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the finding activity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A finding was created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "A finding was updated."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "A finding was closed."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The finding activity name, as defined by the activity_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "A user provided comment about the finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The time of the most recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "finding_info": {
+ "caption": "Finding Information",
+ "description": "Describes the supporting information about a generated finding.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding_info"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The time of the least recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Finding",
+ "category": "findings",
+ "description": "The Finding event is a generic event that defines a set of attributes available in the Findings category.",
+ "extends": "base_event",
+ "name": "finding",
+ "profiles": [
+ "host"
+ ]
+ },
+ "ftp_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Put",
+ "description": "File upload to the FTP or SFTP site."
+ },
+ "2": {
+ "caption": "Get",
+ "description": "File download from the FTP or SFTP site."
+ },
+ "3": {
+ "caption": "Poll",
+ "description": "Poll directory for specific file(s) or folder(s) at the FTP or SFTP site location."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "Delete file(s) from the FTP or SFTP site."
+ },
+ "5": {
+ "caption": "Rename",
+ "description": "Rename the file(s) in the FTP or SFTP site."
+ },
+ "6": {
+ "caption": "List",
+ "description": "List files in a specified directory."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4008": {
+ "caption": "FTP Activity",
+ "description": "File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "codes": {
+ "caption": "Response Codes",
+ "description": "The list of return codes to the FTP command.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "command": {
+ "caption": "Command",
+ "description": "The FTP command.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "command_responses": {
+ "caption": "Command Responses",
+ "description": "The list of responses to the FTP command.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the FTP activity.",
+ "group": "context",
+ "observable": 24,
+ "requirement": "optional",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the data affiliated with the command.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "port": {
+ "caption": "Port",
+ "description": "The dynamic port established for impending data transfers.",
+ "group": "primary",
+ "observable": 11,
+ "requirement": "recommended",
+ "type": "port_t"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of FTP network connection (e.g. active, passive).",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400800": {
+ "caption": "FTP Activity: Unknown"
+ },
+ "400801": {
+ "caption": "FTP Activity: Put"
+ },
+ "400802": {
+ "caption": "FTP Activity: Get"
+ },
+ "400803": {
+ "caption": "FTP Activity: Poll"
+ },
+ "400804": {
+ "caption": "FTP Activity: Delete"
+ },
+ "400805": {
+ "caption": "FTP Activity: Rename"
+ },
+ "400806": {
+ "caption": "FTP Activity: List"
+ },
+ "400899": {
+ "caption": "FTP Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "FTP Activity",
+ "category": "network",
+ "description": "File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.",
+ "extends": "network",
+ "name": "ftp_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 8
+ },
+ "group_management": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Assign Privileges",
+ "description": "Assign privileges to a group."
+ },
+ "2": {
+ "caption": "Revoke Privileges",
+ "description": "Revoke privileges from a group."
+ },
+ "3": {
+ "caption": "Add User",
+ "description": "Add user to a group."
+ },
+ "4": {
+ "caption": "Remove User",
+ "description": "Remove user from a group."
+ },
+ "5": {
+ "caption": "Delete",
+ "description": "A group was deleted."
+ },
+ "6": {
+ "caption": "Create",
+ "description": "A group was created."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3006": {
+ "caption": "Group Management",
+ "description": "Group Management events report management updates to a group, including updates to membership and permissions."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "group": {
+ "caption": "Group",
+ "description": "Group that was the target of the event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "group"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "privileges": {
+ "caption": "Privileges",
+ "description": "A list of privileges assigned to the group.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resource": {
+ "caption": "Resource",
+ "description": "Resource that the privileges give access to.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "300600": {
+ "caption": "Group Management: Unknown"
+ },
+ "300601": {
+ "caption": "Group Management: Assign Privileges"
+ },
+ "300602": {
+ "caption": "Group Management: Revoke Privileges"
+ },
+ "300603": {
+ "caption": "Group Management: Add User"
+ },
+ "300604": {
+ "caption": "Group Management: Remove User"
+ },
+ "300605": {
+ "caption": "Group Management: Delete"
+ },
+ "300606": {
+ "caption": "Group Management: Create"
+ },
+ "300699": {
+ "caption": "Group Management: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "A user that was added to or removed from the group.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ }
+ },
+ "caption": "Group Management",
+ "category": "iam",
+ "constraints": {
+ "at_least_one": [
+ "privileges",
+ "user"
+ ]
+ },
+ "description": "Group Management events report management updates to a group, including updates to membership and permissions.",
+ "extends": "iam",
+ "name": "group_management",
+ "profiles": [
+ "host"
+ ],
+ "uid": 6
+ },
+ "http_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Connect",
+ "description": "The CONNECT method establishes a tunnel to the server identified by the target resource."
+ },
+ "2": {
+ "caption": "Delete",
+ "description": "The DELETE method deletes the specified resource."
+ },
+ "3": {
+ "caption": "Get",
+ "description": "The GET method requests a representation of the specified resource. Requests using GET should only retrieve data."
+ },
+ "4": {
+ "caption": "Head",
+ "description": "The HEAD method asks for a response identical to a GET request, but without the response body."
+ },
+ "5": {
+ "caption": "Options",
+ "description": "The OPTIONS method describes the communication options for the target resource."
+ },
+ "6": {
+ "caption": "Post",
+ "description": "The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server."
+ },
+ "7": {
+ "caption": "Put",
+ "description": "The PUT method replaces all current representations of the target resource with the request payload."
+ },
+ "8": {
+ "caption": "Trace",
+ "description": "The TRACE method performs a message loop-back test along the path to the target resource."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4002": {
+ "caption": "HTTP Activity",
+ "description": "HTTP Activity events report HTTP connection and traffic information."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the HTTP activity.",
+ "group": "context",
+ "observable": 24,
+ "requirement": "optional",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "http_cookies": {
+ "caption": "HTTP Cookies",
+ "description": "The cookies object describes details about HTTP cookies",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "http_cookie"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "The HTTP Request Object documents attributes of a request made to a web server.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "http_request"
+ },
+ "http_response": {
+ "caption": "HTTP Response",
+ "description": "The HTTP Response from a web server to a requester.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "http_response"
+ },
+ "http_status": {
+ "@deprecated": {
+ "message": "Use the http_response.code
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "HTTP Status",
+ "description": "The Hypertext Transfer Protocol (HTTP) status code returned to the client.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400200": {
+ "caption": "HTTP Activity: Unknown"
+ },
+ "400201": {
+ "caption": "HTTP Activity: Connect"
+ },
+ "400202": {
+ "caption": "HTTP Activity: Delete"
+ },
+ "400203": {
+ "caption": "HTTP Activity: Get"
+ },
+ "400204": {
+ "caption": "HTTP Activity: Head"
+ },
+ "400205": {
+ "caption": "HTTP Activity: Options"
+ },
+ "400206": {
+ "caption": "HTTP Activity: Post"
+ },
+ "400207": {
+ "caption": "HTTP Activity: Put"
+ },
+ "400208": {
+ "caption": "HTTP Activity: Trace"
+ },
+ "400299": {
+ "caption": "HTTP Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "HTTP Activity",
+ "category": "network",
+ "description": "HTTP Activity events report HTTP connection and traffic information.",
+ "extends": "network",
+ "name": "http_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 2
+ },
+ "iam": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Identity & Access Management",
+ "category": "iam",
+ "description": "The Identity & Access Management event is a generic event that defines a set of attributes available in the access control events. As a generic event, it could be used to log events that are not otherwise defined by the IAM category.",
+ "extends": "base_event",
+ "name": "iam",
+ "profiles": [
+ "host"
+ ]
+ },
+ "incident_finding": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the Incident activity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "Reports the creation of an Incident."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "Reports updates to an Incident."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "Reports closure of an Incident ."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The Incident activity name, as defined by the activity_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "assignee": {
+ "caption": "Assignee",
+ "description": "The details of the user assigned to an Incident.",
+ "group": "context",
+ "observable": 21,
+ "requirement": "optional",
+ "type": "user"
+ },
+ "assignee_group": {
+ "caption": "Assignee Group",
+ "description": "The details of the group assigned to an Incident.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "group"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques associated to the Incident.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "2005": {
+ "caption": "Incident Finding",
+ "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "Additional user supplied details for updating or closing the incident.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The short description of the Incident.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The time of the most recent event included in the incident.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "finding_info_list": {
+ "caption": "Finding Information List",
+ "description": "A list of finding_info
objects associated to an incident.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "finding_info"
+ },
+ "impact": {
+ "caption": "Impact",
+ "description": "The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "impact_id": {
+ "caption": "Impact ID",
+ "description": "The normalized impact of the finding.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized impact is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The impact is not mapped. See the impact
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "impact",
+ "type": "integer_t"
+ },
+ "impact_score": {
+ "caption": "Impact",
+ "description": "The impact of the finding, valid range 0-100.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "is_suspected_breach": {
+ "caption": "Suspected Breach",
+ "description": "A determination based on analytics as to whether a potential breach was found.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "priority": {
+ "caption": "Priority",
+ "description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "priority_id": {
+ "caption": "Priority ID",
+ "description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "No priority is assigned."
+ },
+ "1": {
+ "caption": "Low",
+ "description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible."
+ },
+ "2": {
+ "caption": "Medium",
+ "description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available."
+ },
+ "3": {
+ "caption": "High",
+ "description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible."
+ },
+ "4": {
+ "caption": "Critical",
+ "description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The priority is not normalized."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "sibling": "priority",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "A Url link used to access the original incident.",
+ "group": "primary",
+ "observable": 6,
+ "requirement": "recommended",
+ "type": "url_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The time of the least recent event included in the incident.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The normalized status of the Incident normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "200500": {
+ "caption": "Incident Finding: Unknown"
+ },
+ "200501": {
+ "caption": "Incident Finding: Create"
+ },
+ "200502": {
+ "caption": "Incident Finding: Update"
+ },
+ "200503": {
+ "caption": "Incident Finding: Close"
+ },
+ "200599": {
+ "caption": "Incident Finding: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "verdict": {
+ "caption": "Verdict",
+ "description": "The verdict assigned to an Incident finding.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "verdict_id": {
+ "caption": "Verdict ID",
+ "description": "The normalized verdict of an Incident.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "False Positive",
+ "description": "The incident is a false positive."
+ },
+ "10": {
+ "caption": "Duplicate",
+ "description": "The incident is a duplicate."
+ },
+ "2": {
+ "caption": "True Positive",
+ "description": "The incident is a true positive."
+ },
+ "3": {
+ "caption": "Disregard",
+ "description": "The incident can be disregarded as it is unimportant, an error or accident."
+ },
+ "4": {
+ "caption": "Suspicious",
+ "description": "The incident is suspicious."
+ },
+ "5": {
+ "caption": "Benign",
+ "description": "The incident is benign."
+ },
+ "6": {
+ "caption": "Test",
+ "description": "The incident is a test."
+ },
+ "7": {
+ "caption": "Insufficient Data",
+ "description": "The incident has insufficient data to make a verdict."
+ },
+ "8": {
+ "caption": "Security Risk",
+ "description": "The incident is a security risk."
+ },
+ "9": {
+ "caption": "Managed Externally",
+ "description": "The incident remediation or required actions are managed externally."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "verdict",
+ "type": "integer_t"
+ }
+ },
+ "caption": "Incident Finding",
+ "category": "findings",
+ "constraints": {
+ "at_least_one": [
+ "assignee",
+ "assignee_group"
+ ]
+ },
+ "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
+ "extends": "base_event",
+ "name": "incident_finding",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ],
+ "uid": 5
+ },
+ "inventory_info": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5001": {
+ "caption": "Device Inventory Info",
+ "description": "Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "500100": {
+ "caption": "Device Inventory Info: Unknown"
+ },
+ "500101": {
+ "caption": "Device Inventory Info: Log"
+ },
+ "500102": {
+ "caption": "Device Inventory Info: Collect"
+ },
+ "500199": {
+ "caption": "Device Inventory Info: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Device Inventory Info",
+ "category": "discovery",
+ "description": "Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
+ "extends": "discovery",
+ "name": "inventory_info",
+ "profiles": [
+ "host"
+ ],
+ "uid": 1
+ },
+ "kernel_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create"
+ },
+ "2": {
+ "caption": "Read"
+ },
+ "3": {
+ "caption": "Delete"
+ },
+ "4": {
+ "caption": "Invoke"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1003": {
+ "caption": "Kernel Activity",
+ "description": "Kernel Activity events report when an process creates, reads, or deletes a kernel resource."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "kernel": {
+ "caption": "Kernel",
+ "description": "The target kernel resource.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "kernel"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100300": {
+ "caption": "Kernel Activity: Unknown"
+ },
+ "100301": {
+ "caption": "Kernel Activity: Create"
+ },
+ "100302": {
+ "caption": "Kernel Activity: Read"
+ },
+ "100303": {
+ "caption": "Kernel Activity: Delete"
+ },
+ "100304": {
+ "caption": "Kernel Activity: Invoke"
+ },
+ "100399": {
+ "caption": "Kernel Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Kernel Activity",
+ "category": "system",
+ "description": "Kernel Activity events report when an process creates, reads, or deletes a kernel resource.",
+ "extends": "system",
+ "name": "kernel_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 3
+ },
+ "kernel_extension": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Load",
+ "description": "A driver/extension was loaded into the kernel"
+ },
+ "2": {
+ "caption": "Unload",
+ "description": "A driver/extension was unloaded (removed) from the kernel"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor process that loaded or unloaded the driver/extension.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1002": {
+ "caption": "Kernel Extension Activity",
+ "description": "Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "driver": {
+ "caption": "Kernel Driver",
+ "description": "The driver that was loaded/unloaded into the kernel",
+ "group": "primary",
+ "requirement": "required",
+ "type": "kernel_driver"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.", + "enum": { + "0": { + "caption": "Unknown", + "description": "The event severity is not known." + }, + "1": { + "caption": "Informational", + "description": "Informational message. No action required." + }, + "2": { + "caption": "Low", + "description": "The user decides if action is needed." + }, + "3": { + "caption": "Medium", + "description": "Action is required but the situation is not serious at this time." + }, + "4": { + "caption": "High", + "description": "Action is required immediately." + }, + "5": { + "caption": "Critical", + "description": "Action is required immediately and the scope is broad." + }, + "6": { + "caption": "Fatal", + "description": "An error occurred but it is too late to take remedial action." + }, + "99": { + "caption": "Other", + "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100200": {
+ "caption": "Kernel Extension Activity: Unknown"
+ },
+ "100201": {
+ "caption": "Kernel Extension Activity: Load"
+ },
+ "100202": {
+ "caption": "Kernel Extension Activity: Unload"
+ },
+ "100299": {
+ "caption": "Kernel Extension Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Kernel Extension Activity",
+ "category": "system",
+ "description": "Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel",
+ "extends": "system",
+ "name": "kernel_extension",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 2
+ },
+ "memory_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Allocate Page"
+ },
+ "2": {
+ "caption": "Modify Page"
+ },
+ "3": {
+ "caption": "Delete Page"
+ },
+ "4": {
+ "caption": "Buffer Overflow"
+ },
+ "5": {
+ "caption": "Disable DEP",
+ "description": "Data Execution Permission"
+ },
+ "6": {
+ "caption": "Enable DEP",
+ "description": "Data Execution Permission"
+ },
+ "7": {
+ "caption": "Read",
+ "description": "Read (Example: ReadProcessMemory
)"
+ },
+ "8": {
+ "caption": "Write",
+ "description": "Write (Example: WriteProcessMemory
)"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "actual_permissions": {
+ "caption": "Actual Permissions",
+ "description": "The permissions that were granted to the in a platform-native format.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "base_address": {
+ "caption": "Base Address",
+ "description": "The memory address that was access or requested.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1004": {
+ "caption": "Memory Activity",
+ "description": "Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP)."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "process": {
+ "caption": "Process",
+ "description": "The process that had memory allocated, read/written, or had other manipulation activities performed on it.",
+ "group": "primary",
+ "observable": 25,
+ "requirement": "required",
+ "type": "process"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "requested_permissions": {
+ "caption": "Requested Permissions",
+ "description": "The permissions mask that were requested by the process.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.", + "enum": { + "0": { + "caption": "Unknown", + "description": "The event severity is not known." + }, + "1": { + "caption": "Informational", + "description": "Informational message. No action required." + }, + "2": { + "caption": "Low", + "description": "The user decides if action is needed." + }, + "3": { + "caption": "Medium", + "description": "Action is required but the situation is not serious at this time." + }, + "4": { + "caption": "High", + "description": "Action is required immediately." + }, + "5": { + "caption": "Critical", + "description": "Action is required immediately and the scope is broad." + }, + "6": { + "caption": "Fatal", + "description": "An error occurred but it is too late to take remedial action." + }, + "99": { + "caption": "Other", + "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The memory size that was access or requested.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100400": {
+ "caption": "Memory Activity: Unknown"
+ },
+ "100401": {
+ "caption": "Memory Activity: Allocate Page"
+ },
+ "100402": {
+ "caption": "Memory Activity: Modify Page"
+ },
+ "100403": {
+ "caption": "Memory Activity: Delete Page"
+ },
+ "100404": {
+ "caption": "Memory Activity: Buffer Overflow"
+ },
+ "100405": {
+ "caption": "Memory Activity: Disable DEP"
+ },
+ "100406": {
+ "caption": "Memory Activity: Enable DEP"
+ },
+ "100407": {
+ "caption": "Memory Activity: Read"
+ },
+ "100408": {
+ "caption": "Memory Activity: Write"
+ },
+ "100499": {
+ "caption": "Memory Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Memory Activity",
+ "category": "system",
+ "description": "Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).",
+ "extends": "system",
+ "name": "memory_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 4
+ },
+ "module_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Load"
+ },
+ "2": {
+ "caption": "Unload"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that loaded or unloaded the module
.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1005": {
+ "caption": "Module Activity",
+ "description": "Module Activity events report when a process loads or unloads the module
."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "module": {
+ "caption": "Module",
+ "description": "The module that was loaded or unloaded.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "module"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100500": {
+ "caption": "Module Activity: Unknown"
+ },
+ "100501": {
+ "caption": "Module Activity: Load"
+ },
+ "100502": {
+ "caption": "Module Activity: Unload"
+ },
+ "100599": {
+ "caption": "Module Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Module Activity",
+ "category": "system",
+ "description": "Module Activity events report when a process loads or unloads the module
.",
+ "extends": "system",
+ "name": "module_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 5
+ },
+ "network": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Network",
+ "category": "network",
+ "description": "Network event is a generic event that defines a set of attributes available in the Network category.",
+ "extends": "base_event",
+ "name": "network",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ]
+ },
+ "network_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Open",
+ "description": "A new network connection was opened."
+ },
+ "2": {
+ "caption": "Close",
+ "description": "The network connection was closed."
+ },
+ "3": {
+ "caption": "Reset",
+ "description": "The network connection was abnormally terminated or closed by a middle device like firewalls."
+ },
+ "4": {
+ "caption": "Fail",
+ "description": "The network connection failed. For example a connection timeout or no route to host."
+ },
+ "5": {
+ "caption": "Refuse",
+ "description": "The network connection was refused. For example an attempt to connect to a server port which is not open."
+ },
+ "6": {
+ "caption": "Traffic",
+ "description": "Network traffic report."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4001": {
+ "caption": "Network Activity",
+ "description": "Network Activity events report network connection and traffic activity."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400100": {
+ "caption": "Network Activity: Unknown"
+ },
+ "400101": {
+ "caption": "Network Activity: Open"
+ },
+ "400102": {
+ "caption": "Network Activity: Close"
+ },
+ "400103": {
+ "caption": "Network Activity: Reset"
+ },
+ "400104": {
+ "caption": "Network Activity: Fail"
+ },
+ "400105": {
+ "caption": "Network Activity: Refuse"
+ },
+ "400106": {
+ "caption": "Network Activity: Traffic"
+ },
+ "400199": {
+ "caption": "Network Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL details relevant to the network traffic.",
+ "group": "primary",
+ "observable": 23,
+ "requirement": "recommended",
+ "type": "url"
+ }
+ },
+ "caption": "Network Activity",
+ "category": "network",
+ "description": "Network Activity events report network connection and traffic activity.",
+ "extends": "network",
+ "name": "network_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 1
+ },
+ "network_file_activity": {
+ "@deprecated": {
+ "message": "Use the new class: 'File Hosting Activity' in the 'Application' category.
",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Upload",
+ "description": "Upload a file."
+ },
+ "10": {
+ "caption": "Lock",
+ "description": "Lock a file."
+ },
+ "11": {
+ "caption": "Unlock",
+ "description": "Unlock a file."
+ },
+ "12": {
+ "caption": "Share",
+ "description": "Share a file."
+ },
+ "13": {
+ "caption": "Unshare",
+ "description": "Unshare a file."
+ },
+ "14": {
+ "caption": "Open",
+ "description": "Open a file."
+ },
+ "15": {
+ "caption": "Sync",
+ "description": "Mark a file or folder to sync with a computer."
+ },
+ "16": {
+ "caption": "Unsync",
+ "description": "Mark a file or folder to not sync with a computer."
+ },
+ "2": {
+ "caption": "Download",
+ "description": "Download a file."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "Update a file."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "Delete a file."
+ },
+ "5": {
+ "caption": "Rename",
+ "description": "Rename a file."
+ },
+ "6": {
+ "caption": "Copy",
+ "description": "Copy a file."
+ },
+ "7": {
+ "caption": "Move",
+ "description": "Move a file."
+ },
+ "8": {
+ "caption": "Restore",
+ "description": "Restore a file."
+ },
+ "9": {
+ "caption": "Preview",
+ "description": "Preview a file."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the target file.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4010": {
+ "caption": "Network File Activity",
+ "description": "Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The endpoint that received the activity on the target file.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The share expiration time.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the activity.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The endpoint that performed the activity on the target file.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401000": {
+ "caption": "Network File Activity: Unknown"
+ },
+ "401001": {
+ "caption": "Network File Activity: Upload"
+ },
+ "401002": {
+ "caption": "Network File Activity: Download"
+ },
+ "401003": {
+ "caption": "Network File Activity: Update"
+ },
+ "401004": {
+ "caption": "Network File Activity: Delete"
+ },
+ "401005": {
+ "caption": "Network File Activity: Rename"
+ },
+ "401006": {
+ "caption": "Network File Activity: Copy"
+ },
+ "401007": {
+ "caption": "Network File Activity: Move"
+ },
+ "401008": {
+ "caption": "Network File Activity: Restore"
+ },
+ "401009": {
+ "caption": "Network File Activity: Preview"
+ },
+ "401010": {
+ "caption": "Network File Activity: Lock"
+ },
+ "401011": {
+ "caption": "Network File Activity: Unlock"
+ },
+ "401012": {
+ "caption": "Network File Activity: Share"
+ },
+ "401013": {
+ "caption": "Network File Activity: Unshare"
+ },
+ "401014": {
+ "caption": "Network File Activity: Open"
+ },
+ "401015": {
+ "caption": "Network File Activity: Sync"
+ },
+ "401016": {
+ "caption": "Network File Activity: Unsync"
+ },
+ "401099": {
+ "caption": "Network File Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Network File Activity",
+ "category": "network",
+ "description": "Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.",
+ "extends": "network",
+ "name": "network_file_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 10
+ },
+ "ntp_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "Not used in standard NTP implementations."
+ },
+ "1": {
+ "caption": "Symmetric Active Exchange",
+ "description": "Bidirectional time exchange between devices."
+ },
+ "2": {
+ "caption": "Symmetric Passive Response",
+ "description": "Device responds as a server to peers in symmetric active mode."
+ },
+ "3": {
+ "caption": "Client Synchronization",
+ "description": "NTP client, syncs with servers."
+ },
+ "4": {
+ "caption": "Server Response",
+ "description": "Dedicated NTP time server, responds to clients."
+ },
+ "5": {
+ "caption": "Broadcast",
+ "description": "Broadcast time info to network devices."
+ },
+ "6": {
+ "caption": "Control",
+ "description": "Monitoring and control messaging."
+ },
+ "7": {
+ "caption": "Private Use Case",
+ "description": "Reserved - Not defined in standard NTP specifications."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4013": {
+ "caption": "NTP Activity",
+ "description": "The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "delay": {
+ "caption": "Root Delay",
+ "description": "The total round-trip delay to the reference clock in milliseconds.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dispersion": {
+ "caption": "Root Dispersion",
+ "description": "The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "precision": {
+ "caption": "Precision",
+ "description": "The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "stratum": {
+ "caption": "Stratum",
+ "description": "The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "stratum_id": {
+ "caption": "Stratum ID",
+ "description": "The normalized identifier of the stratum level, as defined in RFC-5905.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "Unspecified or invalid."
+ },
+ "1": {
+ "caption": "Primary Server",
+ "description": "The highest precision primary server (e.g atomic clock or GPS)."
+ },
+ "16": {
+ "caption": "Unsynchronized"
+ },
+ "17": {
+ "caption": "Reserved",
+ "description": "Reserved stratum (possible values: 17-255)."
+ },
+ "2": {
+ "caption": "Secondary Server",
+ "description": "A secondary level server (possible values: 2-15)."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The stratum level is not mapped. See the stratum
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "stratum",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401300": {
+ "caption": "NTP Activity: Unknown"
+ },
+ "401301": {
+ "caption": "NTP Activity: Symmetric Active Exchange"
+ },
+ "401302": {
+ "caption": "NTP Activity: Symmetric Passive Response"
+ },
+ "401303": {
+ "caption": "NTP Activity: Client Synchronization"
+ },
+ "401304": {
+ "caption": "NTP Activity: Server Response"
+ },
+ "401305": {
+ "caption": "NTP Activity: Broadcast"
+ },
+ "401306": {
+ "caption": "NTP Activity: Control"
+ },
+ "401307": {
+ "caption": "NTP Activity: Private Use Case"
+ },
+ "401399": {
+ "caption": "NTP Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version number of the NTP protocol.",
+ "group": "context",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "NTP Activity",
+ "category": "network",
+ "description": "The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.",
+ "extends": "network",
+ "name": "ntp_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 13
+ },
+ "patch_state": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5004": {
+ "caption": "Operating System Patch State",
+ "description": "Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "kb_article_list": {
+ "caption": "Knowledgebase Articles",
+ "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "kb_article"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "500400": {
+ "caption": "Operating System Patch State: Unknown"
+ },
+ "500401": {
+ "caption": "Operating System Patch State: Log"
+ },
+ "500402": {
+ "caption": "Operating System Patch State: Collect"
+ },
+ "500499": {
+ "caption": "Operating System Patch State: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Operating System Patch State",
+ "category": "discovery",
+ "constraints": {
+ "at_least_one": [
+ "device.os.sp_name",
+ "device.os.sp_ver",
+ "device.os.version"
+ ]
+ },
+ "description": "Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.",
+ "extends": "discovery",
+ "name": "patch_state",
+ "profiles": [
+ "host"
+ ],
+ "uid": 4
+ },
+ "peripheral_device_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5014": {
+ "caption": "Peripheral Device Query",
+ "description": "Peripheral Device Query events report information about peripheral devices."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "peripheral_device": {
+ "caption": "Peripheral Device",
+ "description": "The peripheral device that triggered the event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "peripheral_device"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "501400": {
+ "caption": "Peripheral Device Query: Unknown"
+ },
+ "501401": {
+ "caption": "Peripheral Device Query: Query"
+ },
+ "501402": {
+ "caption": "Peripheral Device Query: Partial"
+ },
+ "501403": {
+ "caption": "Peripheral Device Query: Does not exist"
+ },
+ "501404": {
+ "caption": "Peripheral Device Query: Error"
+ },
+ "501405": {
+ "caption": "Peripheral Device Query: Unsupported"
+ },
+ "501499": {
+ "caption": "Peripheral Device Query: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Peripheral Device Query",
+ "category": "discovery",
+ "description": "Peripheral Device Query events report information about peripheral devices.",
+ "extends": "discovery_result",
+ "name": "peripheral_device_query",
+ "profiles": [
+ "host"
+ ],
+ "uid": 14
+ },
+ "prefetch_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "205019": {
+ "caption": "Prefetch Query",
+ "description": "Prefetch Query events report information about Windows prefetch files."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "last_run_time": {
+ "caption": "Last Run",
+ "description": "The prefetch file last run time.",
+ "group": "occurrence",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the prefetch file that is the target of the query.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "run_count": {
+ "caption": "Run Count",
+ "description": "The prefetch file run count.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20501900": {
+ "caption": "Prefetch Query: Unknown"
+ },
+ "20501901": {
+ "caption": "Prefetch Query: Query"
+ },
+ "20501902": {
+ "caption": "Prefetch Query: Partial"
+ },
+ "20501903": {
+ "caption": "Prefetch Query: Does not exist"
+ },
+ "20501904": {
+ "caption": "Prefetch Query: Error"
+ },
+ "20501905": {
+ "caption": "Prefetch Query: Unsupported"
+ },
+ "20501999": {
+ "caption": "Prefetch Query: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Prefetch Query",
+ "category": "discovery",
+ "description": "Prefetch Query events report information about Windows prefetch files.",
+ "extends": "discovery_result",
+ "extension": "windows",
+ "name": "prefetch_query",
+ "profiles": [
+ "host"
+ ],
+ "uid": 19
+ },
+ "process_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Launch"
+ },
+ "2": {
+ "caption": "Terminate"
+ },
+ "3": {
+ "caption": "Open"
+ },
+ "4": {
+ "caption": "Inject"
+ },
+ "5": {
+ "caption": "Set User ID"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the target process
. For example, the process that started a new process or injected code into another process.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "actual_permissions": {
+ "caption": "Actual Permissions",
+ "description": "The permissions that were granted to the in a platform-native format.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1007": {
+ "caption": "Process Activity",
+ "description": "Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "exit_code": {
+ "caption": "Exit Code",
+ "description": "The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "injection_type": {
+ "caption": "Injection Type",
+ "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "injection_type_id": {
+ "caption": "Injection Type ID",
+ "description": "The normalized identifier of the process injection method.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The injection type is unknown."
+ },
+ "1": {
+ "caption": "Remote Thread"
+ },
+ "2": {
+ "caption": "Load Library"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The injection type is not mapped. See the injection_type
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "injection_type",
+ "type": "integer_t"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "module": {
+ "caption": "Module",
+ "description": "The module that was injected by the actor process.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "module"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "process": {
+ "caption": "Process",
+ "description": "The process that was launched, injected into, opened, or terminated.",
+ "group": "primary",
+ "observable": 25,
+ "requirement": "required",
+ "type": "process"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "requested_permissions": {
+ "caption": "Requested Permissions",
+ "description": "The permissions mask that were requested by the process.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100700": {
+ "caption": "Process Activity: Unknown"
+ },
+ "100701": {
+ "caption": "Process Activity: Launch"
+ },
+ "100702": {
+ "caption": "Process Activity: Terminate"
+ },
+ "100703": {
+ "caption": "Process Activity: Open"
+ },
+ "100704": {
+ "caption": "Process Activity: Inject"
+ },
+ "100705": {
+ "caption": "Process Activity: Set User ID"
+ },
+ "100799": {
+ "caption": "Process Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Process Activity",
+ "category": "system",
+ "description": "Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.",
+ "extends": "system",
+ "name": "process_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 7
+ },
+ "rdp_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Initial Request",
+ "description": "The initial RDP request."
+ },
+ "2": {
+ "caption": "Initial Response",
+ "description": "The initial RDP response."
+ },
+ "3": {
+ "caption": "Connect Request",
+ "description": "An RDP connection request."
+ },
+ "4": {
+ "caption": "Connect Response",
+ "description": "An RDP connection response."
+ },
+ "5": {
+ "caption": "TLS Handshake",
+ "description": "The TLS handshake."
+ },
+ "6": {
+ "caption": "Traffic",
+ "description": "Network traffic report."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "capabilities": {
+ "caption": "Capabilities",
+ "description": "A list of RDP capabilities.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "certificate_chain": {
+ "caption": "Certificate Chain",
+ "description": "The list of observed certificates in an RDP TLS connection.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4005": {
+ "caption": "RDP Activity",
+ "description": "Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "The device instigating the RDP connection.",
+ "requirement": "optional",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the RDP activity.",
+ "group": "context",
+ "observable": 24,
+ "requirement": "optional",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "identifier_cookie": {
+ "caption": "Identifier Cookie",
+ "description": "The client identifier cookie during client/server exchange.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "protocol_ver": {
+ "caption": "RDP Version",
+ "description": "The Remote Desktop Protocol version.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remote_display": {
+ "caption": "Remote Display",
+ "description": "The remote display affiliated with the event",
+ "requirement": "optional",
+ "type": "display"
+ },
+ "request": {
+ "caption": "API Request Details",
+ "description": "The client request in an RDP network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "request"
+ },
+ "response": {
+ "caption": "API Response Details",
+ "description": "The server response in an RDP network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "response"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400500": {
+ "caption": "RDP Activity: Unknown"
+ },
+ "400501": {
+ "caption": "RDP Activity: Initial Request"
+ },
+ "400502": {
+ "caption": "RDP Activity: Initial Response"
+ },
+ "400503": {
+ "caption": "RDP Activity: Connect Request"
+ },
+ "400504": {
+ "caption": "RDP Activity: Connect Response"
+ },
+ "400505": {
+ "caption": "RDP Activity: TLS Handshake"
+ },
+ "400506": {
+ "caption": "RDP Activity: Traffic"
+ },
+ "400599": {
+ "caption": "RDP Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "RDP Activity",
+ "category": "network",
+ "description": "Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network.",
+ "extends": "network",
+ "name": "rdp_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 5
+ },
+ "registry_key_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "access_mask": {
+ "caption": "Access Mask",
+ "description": "The access mask in a platform-native format.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create"
+ },
+ "2": {
+ "caption": "Read"
+ },
+ "3": {
+ "caption": "Modify"
+ },
+ "4": {
+ "caption": "Delete"
+ },
+ "5": {
+ "caption": "Rename"
+ },
+ "6": {
+ "caption": "Set Security"
+ },
+ "7": {
+ "caption": "Restore"
+ },
+ "8": {
+ "caption": "Import"
+ },
+ "9": {
+ "caption": "Export"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the reg_key
object.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "201001": {
+ "caption": "Registry Key Activity",
+ "description": "Registry Key Activity events report when a process performs an action on a Windows registry key."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "create_mask": {
+ "caption": "Create Mask",
+ "description": "The original Windows mask that is required to create the object.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "open_mask": {
+ "caption": "Open Mask",
+ "description": "The Windows options needed to open a registry key.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "prev_reg_key": {
+ "caption": "Previous Registry Key",
+ "description": "The registry key before the mutation",
+ "group": "primary",
+ "observable": 28,
+ "requirement": "recommended",
+ "type": "reg_key"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reg_key": {
+ "caption": "Registry Key",
+ "description": "The registry key.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "registry_key"
+ },
+ "reg_key_result": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Registry Key Result",
+ "description": "The result of the registry key change. It should contain the new values of the changed attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "registry_key"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20100100": {
+ "caption": "Registry Key Activity: Unknown"
+ },
+ "20100101": {
+ "caption": "Registry Key Activity: Create"
+ },
+ "20100102": {
+ "caption": "Registry Key Activity: Read"
+ },
+ "20100103": {
+ "caption": "Registry Key Activity: Modify"
+ },
+ "20100104": {
+ "caption": "Registry Key Activity: Delete"
+ },
+ "20100105": {
+ "caption": "Registry Key Activity: Rename"
+ },
+ "20100106": {
+ "caption": "Registry Key Activity: Set Security"
+ },
+ "20100107": {
+ "caption": "Registry Key Activity: Restore"
+ },
+ "20100108": {
+ "caption": "Registry Key Activity: Import"
+ },
+ "20100109": {
+ "caption": "Registry Key Activity: Export"
+ },
+ "20100199": {
+ "caption": "Registry Key Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Key Activity",
+ "category": "system",
+ "description": "Registry Key Activity events report when a process performs an action on a Windows registry key.",
+ "extends": "system",
+ "extension": "windows",
+ "name": "registry_key_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 1
+ },
+ "registry_key_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "205004": {
+ "caption": "Registry Key Query",
+ "description": "Registry Key Query events report information about discovered Windows registry keys."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reg_key": {
+ "caption": "Registry Key",
+ "description": "The registry key that pertains to the event.",
+ "group": "primary",
+ "observable": 28,
+ "requirement": "required",
+ "type": "reg_key"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20500400": {
+ "caption": "Registry Key Query: Unknown"
+ },
+ "20500401": {
+ "caption": "Registry Key Query: Query"
+ },
+ "20500402": {
+ "caption": "Registry Key Query: Partial"
+ },
+ "20500403": {
+ "caption": "Registry Key Query: Does not exist"
+ },
+ "20500404": {
+ "caption": "Registry Key Query: Error"
+ },
+ "20500405": {
+ "caption": "Registry Key Query: Unsupported"
+ },
+ "20500499": {
+ "caption": "Registry Key Query: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Key Query",
+ "category": "discovery",
+ "description": "Registry Key Query events report information about discovered Windows registry keys.",
+ "extends": "discovery_result",
+ "extension": "windows",
+ "name": "registry_key_query",
+ "profiles": [
+ "host"
+ ],
+ "uid": 4
+ },
+ "registry_value_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Get"
+ },
+ "2": {
+ "caption": "Set"
+ },
+ "3": {
+ "caption": "Modify"
+ },
+ "4": {
+ "caption": "Delete"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the reg_value
object.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "201002": {
+ "caption": "Registry Value Activity",
+ "description": "Registry Value Activity events reports when a process performs an action on a Windows registry value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "prev_reg_value": {
+ "caption": "Previous Registry Value",
+ "description": "The registry value before the mutation",
+ "observable": 29,
+ "requirement": "optional",
+ "type": "reg_value"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reg_value": {
+ "caption": "Registry Value",
+ "description": "The registry value.",
+ "requirement": "required",
+ "type": "registry_value"
+ },
+ "reg_value_result": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Registry Value Result",
+ "description": "The result of the registry value change. It should contain the new values of the changed attributes.",
+ "requirement": "optional",
+ "type": "registry_value"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20100200": {
+ "caption": "Registry Value Activity: Unknown"
+ },
+ "20100201": {
+ "caption": "Registry Value Activity: Get"
+ },
+ "20100202": {
+ "caption": "Registry Value Activity: Set"
+ },
+ "20100203": {
+ "caption": "Registry Value Activity: Modify"
+ },
+ "20100204": {
+ "caption": "Registry Value Activity: Delete"
+ },
+ "20100299": {
+ "caption": "Registry Value Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Value Activity",
+ "category": "system",
+ "description": "Registry Value Activity events reports when a process performs an action on a Windows registry value.",
+ "extends": "system",
+ "extension": "windows",
+ "name": "registry_value_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 2
+ },
+ "registry_value_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "205005": {
+ "caption": "Registry Value Query",
+ "description": "Registry Value Query events report information about discovered Windows registry values."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reg_value": {
+ "caption": "Registry Value",
+ "description": "The registry value that pertains to the event.",
+ "group": "primary",
+ "observable": 29,
+ "requirement": "required",
+ "type": "reg_value"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20500500": {
+ "caption": "Registry Value Query: Unknown"
+ },
+ "20500501": {
+ "caption": "Registry Value Query: Query"
+ },
+ "20500502": {
+ "caption": "Registry Value Query: Partial"
+ },
+ "20500503": {
+ "caption": "Registry Value Query: Does not exist"
+ },
+ "20500504": {
+ "caption": "Registry Value Query: Error"
+ },
+ "20500505": {
+ "caption": "Registry Value Query: Unsupported"
+ },
+ "20500599": {
+ "caption": "Registry Value Query: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Value Query",
+ "category": "discovery",
+ "description": "Registry Value Query events report information about discovered Windows registry values.",
+ "extends": "discovery_result",
+ "extension": "windows",
+ "name": "registry_value_query",
+ "profiles": [
+ "host"
+ ],
+ "uid": 5
+ },
+ "resource_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Access"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "201003": {
+ "caption": "Windows Resource Activity",
+ "description": "Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resource": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Resource",
+ "description": "The resource that was accessed.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "resource"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "20100300": {
+ "caption": "Windows Resource Activity: Unknown"
+ },
+ "20100301": {
+ "caption": "Windows Resource Activity: Access"
+ },
+ "20100399": {
+ "caption": "Windows Resource Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "win_resource": {
+ "caption": "Windows Resource",
+ "description": "The Windows resource object that was accessed, such as a mutant or timer.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "win_resource"
+ }
+ },
+ "caption": "Windows Resource Activity",
+ "category": "system",
+ "description": "Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.",
+ "extends": "system",
+ "extension": "windows",
+ "name": "resource_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 3
+ },
+ "scan_activity": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Started",
+ "description": "The scan was started."
+ },
+ "10": {
+ "caption": "Delayed",
+ "description": "The user delayed the scan."
+ },
+ "2": {
+ "caption": "Completed",
+ "description": "The scan was completed."
+ },
+ "3": {
+ "caption": "Cancelled",
+ "description": "The scan was cancelled."
+ },
+ "4": {
+ "caption": "Duration Violation",
+ "description": "The allocated scan time was insufficient to complete the requested scan."
+ },
+ "5": {
+ "caption": "Pause Violation",
+ "description": "The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time."
+ },
+ "6": {
+ "caption": "Error",
+ "description": "The scan could not be completed due to an internal error."
+ },
+ "7": {
+ "caption": "Paused",
+ "description": "The scan was paused."
+ },
+ "8": {
+ "caption": "Resumed",
+ "description": "The scan was resumed from the pause point."
+ },
+ "9": {
+ "caption": "Restarted",
+ "description": "The scan restarted from the beginning of the file enumeration."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6007": {
+ "caption": "Scan Activity",
+ "description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "caption": "Command UID",
+ "description": "The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The duration of the scan",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of the scan job.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "num_detections": {
+ "caption": "Detections",
+ "description": "The number of detections.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_files": {
+ "caption": "Scanned Files",
+ "description": "The number of files scanned.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_folders": {
+ "caption": "Scanned Folders",
+ "description": "The number of folders scanned.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_network_items": {
+ "caption": "Scanned Network Items",
+ "description": "The number of network items scanned.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_processes": {
+ "caption": "Scanned Processes",
+ "description": "The number of processes scanned.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_registry_items": {
+ "caption": "Scanned Registry Items",
+ "description": "The number of registry items scanned.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_resolutions": {
+ "caption": "Resolutions",
+ "description": "The number of items that were resolved.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_skipped_items": {
+ "caption": "Skipped",
+ "description": "The number of skipped items.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "num_trusted_items": {
+ "caption": "Trusted",
+ "description": "The number of trusted items.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "The policy associated with this Scan event; required if the scan was initiated by a policy.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "policy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan": {
+ "caption": "Scan",
+ "description": "The Scan object describes characteristics of the scan job.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "scan"
+ },
+ "schedule_uid": {
+ "caption": "Schedule UID",
+ "description": "The unique identifier of the schedule associated with a scan job.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.", + "enum": { + "0": { + "caption": "Unknown", + "description": "The event severity is not known." + }, + "1": { + "caption": "Informational", + "description": "Informational message. No action required." + }, + "2": { + "caption": "Low", + "description": "The user decides if action is needed." + }, + "3": { + "caption": "Medium", + "description": "Action is required but the situation is not serious at this time." + }, + "4": { + "caption": "High", + "description": "Action is required immediately." + }, + "5": { + "caption": "Critical", + "description": "Action is required immediately and the scope is broad." + }, + "6": { + "caption": "Fatal", + "description": "An error occurred but it is too late to take remedial action." + }, + "99": { + "caption": "Other", + "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of the scan job.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "total": {
+ "caption": "Total",
+ "description": "The total number of items that were scanned; zero if no items were scanned.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600700": {
+ "caption": "Scan Activity: Unknown"
+ },
+ "600701": {
+ "caption": "Scan Activity: Started"
+ },
+ "600702": {
+ "caption": "Scan Activity: Completed"
+ },
+ "600703": {
+ "caption": "Scan Activity: Cancelled"
+ },
+ "600704": {
+ "caption": "Scan Activity: Duration Violation"
+ },
+ "600705": {
+ "caption": "Scan Activity: Pause Violation"
+ },
+ "600706": {
+ "caption": "Scan Activity: Error"
+ },
+ "600707": {
+ "caption": "Scan Activity: Paused"
+ },
+ "600708": {
+ "caption": "Scan Activity: Resumed"
+ },
+ "600709": {
+ "caption": "Scan Activity: Restarted"
+ },
+ "600710": {
+ "caption": "Scan Activity: Delayed"
+ },
+ "600799": {
+ "caption": "Scan Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Scan Activity",
+ "category": "application",
+ "description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.",
+ "extends": "base_event",
+ "name": "scan_activity",
+ "profiles": [
+ "host"
+ ],
+ "uid": 7
+ },
+ "scheduled_job_activity": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create"
+ },
+ "2": {
+ "caption": "Update"
+ },
+ "3": {
+ "caption": "Delete"
+ },
+ "4": {
+ "caption": "Enable"
+ },
+ "5": {
+ "caption": "Disable"
+ },
+ "6": {
+ "caption": "Start"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor that performed the activity on the job
object.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "1006": {
+ "caption": "Scheduled Job Activity",
+ "description": "Scheduled Job Activity events report activities related to scheduled jobs or tasks."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "job": {
+ "caption": "Job",
+ "description": "The job object that pertains to the event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "job"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.", + "enum": { + "0": { + "caption": "Unknown", + "description": "The event severity is not known." + }, + "1": { + "caption": "Informational", + "description": "Informational message. No action required." + }, + "2": { + "caption": "Low", + "description": "The user decides if action is needed." + }, + "3": { + "caption": "Medium", + "description": "Action is required but the situation is not serious at this time." + }, + "4": { + "caption": "High", + "description": "Action is required immediately." + }, + "5": { + "caption": "Critical", + "description": "Action is required immediately and the scope is broad." + }, + "6": { + "caption": "Fatal", + "description": "An error occurred but it is too late to take remedial action." + }, + "99": { + "caption": "Other", + "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "100600": {
+ "caption": "Scheduled Job Activity: Unknown"
+ },
+ "100601": {
+ "caption": "Scheduled Job Activity: Create"
+ },
+ "100602": {
+ "caption": "Scheduled Job Activity: Update"
+ },
+ "100603": {
+ "caption": "Scheduled Job Activity: Delete"
+ },
+ "100604": {
+ "caption": "Scheduled Job Activity: Enable"
+ },
+ "100605": {
+ "caption": "Scheduled Job Activity: Disable"
+ },
+ "100606": {
+ "caption": "Scheduled Job Activity: Start"
+ },
+ "100699": {
+ "caption": "Scheduled Job Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Scheduled Job Activity",
+ "category": "system",
+ "description": "Scheduled Job Activity events report activities related to scheduled jobs or tasks.",
+ "extends": "system",
+ "name": "scheduled_job_activity",
+ "profiles": [
+ "host",
+ "security_control"
+ ],
+ "uid": 6
+ },
+ "security_finding": {
+ "@deprecated": {
+ "message": "Use the new specific classes according to the use-case: Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding.
",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A security finding was created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "A security finding was updated."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "A security finding was closed."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "analytic": {
+ "caption": "Analytic",
+ "description": "The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "analytic"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "The attack object describes the technique and associated tactics as defined by ATT&CK MatrixTM.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "cis_csc": {
+ "caption": "CIS CSC",
+ "description": "The CIS Critical Security Controls is a list of top 20 actions and practices an organization\u2019s security team can take on such that cyber attacks or malware, are minimized and prevented.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "cis_csc"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "2001": {
+ "caption": "Security Finding",
+ "description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "compliance": {
+ "caption": "Compliance",
+ "description": "The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "compliance"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "confidence",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "data_sources": {
+ "caption": "Data Sources",
+ "description": "A list of data sources utilized in generation of the finding.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "optional",
+ "type": "device"
+ },
+ "disposition": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Disposition",
+ "description": "The event disposition name, as defined by the disposition_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Disposition ID",
+ "description": "When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id
describes the action taken by the security product.",
+ "enum": {
+ "-1": {
+ "caption": "Other"
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Blocked"
+ },
+ "10": {
+ "caption": "Delayed",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Detected"
+ },
+ "12": {
+ "caption": "Quarantined"
+ },
+ "13": {
+ "caption": "Restored"
+ },
+ "14": {
+ "caption": "Exonerated",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Tagged",
+ "description": "Marked with extended attributes."
+ },
+ "2": {
+ "caption": "Allowed"
+ },
+ "3": {
+ "caption": "No Action"
+ },
+ "4": {
+ "caption": "Logged"
+ },
+ "5": {
+ "caption": "Command Script Run"
+ },
+ "6": {
+ "caption": "Corrected"
+ },
+ "7": {
+ "caption": "Partially Corrected"
+ },
+ "8": {
+ "caption": "Uncorrected"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "evidence": {
+ "@deprecated": {
+ "message": "Use the evidences
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Evidence",
+ "description": "The data the finding exposes to the analyst.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "finding": {
+ "caption": "Finding",
+ "description": "The Finding object provides details about a finding/detection generated by a security tool.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding"
+ },
+ "impact": {
+ "caption": "Impact",
+ "description": "The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "impact_id": {
+ "caption": "Impact ID",
+ "description": "The normalized impact of the finding.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized impact is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The impact is not mapped. See the impact
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "impact",
+ "type": "integer_t"
+ },
+ "impact_score": {
+ "caption": "Impact",
+ "description": "The impact of the finding, valid range 0-100.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "kill_chain": {
+ "caption": "Kill Chain",
+ "description": "The Cyber Kill Chain\u00ae provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kill_chain_phase"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "nist": {
+ "caption": "NIST List",
+ "description": "The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "process": {
+ "caption": "Process",
+ "description": "The process object.",
+ "group": "context",
+ "observable": 25,
+ "requirement": "optional",
+ "type": "process"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resources": {
+ "caption": "Resources Array",
+ "description": "A list of resources associated to an event.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "resource"
+ },
+ "risk_level": {
+ "caption": "Risk Level",
+ "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "risk_level_id": {
+ "caption": "Risk Level ID",
+ "description": "The normalized risk level id.",
+ "enum": {
+ "0": {
+ "caption": "Info"
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "risk_level",
+ "type": "integer_t"
+ },
+ "risk_score": {
+ "caption": "Risk Score",
+ "description": "The risk score as reported by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "state": {
+ "caption": "State",
+ "description": "The normalized state of a security finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "state_id": {
+ "caption": "State ID",
+ "description": "The normalized state identifier of a security finding.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The state is unknown."
+ },
+ "1": {
+ "caption": "New",
+ "description": "The finding is new and yet to be reviewed."
+ },
+ "2": {
+ "caption": "In Progress",
+ "description": "The finding is under review."
+ },
+ "3": {
+ "caption": "Suppressed",
+ "description": "The finding was reviewed, considered as a false positive and is now suppressed."
+ },
+ "4": {
+ "caption": "Resolved",
+ "description": "The finding was reviewed and remediated and is now considered resolved."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The state is not mapped. See the state
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "required",
+ "sibling": "state",
+ "type": "integer_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "200100": {
+ "caption": "Security Finding: Unknown"
+ },
+ "200101": {
+ "caption": "Security Finding: Create"
+ },
+ "200102": {
+ "caption": "Security Finding: Update"
+ },
+ "200103": {
+ "caption": "Security Finding: Close"
+ },
+ "200199": {
+ "caption": "Security Finding: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vulnerabilities": {
+ "caption": "Vulnerabilities",
+ "description": "This object describes vulnerabilities reported in a security finding.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "vulnerability"
+ }
+ },
+ "caption": "Security Finding",
+ "category": "findings",
+ "description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products",
+ "extends": null,
+ "name": "security_finding",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ],
+ "uid": 1
+ },
+ "session_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5017": {
+ "caption": "User Session Query",
+ "description": "User Session Query events report information about existing user sessions."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "session": {
+ "caption": "Session",
+ "description": "The authenticated user or service session.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "session"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "501700": {
+ "caption": "User Session Query: Unknown"
+ },
+ "501701": {
+ "caption": "User Session Query: Query"
+ },
+ "501702": {
+ "caption": "User Session Query: Partial"
+ },
+ "501703": {
+ "caption": "User Session Query: Does not exist"
+ },
+ "501704": {
+ "caption": "User Session Query: Error"
+ },
+ "501705": {
+ "caption": "User Session Query: Unsupported"
+ },
+ "501799": {
+ "caption": "User Session Query: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "User Session Query",
+ "category": "discovery",
+ "description": "User Session Query events report information about existing user sessions.",
+ "extends": "discovery_result",
+ "name": "session_query",
+ "profiles": [
+ "host"
+ ],
+ "uid": 17
+ },
+ "smb_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "File Supersede",
+ "description": "The event pertains to file superseded activity (overwritten if it exists and created if not)."
+ },
+ "2": {
+ "caption": "File Open",
+ "description": "The event pertains to file open activity (the file is opened if it exists and fails to open if it doesn't)."
+ },
+ "3": {
+ "caption": "File Create",
+ "description": "The event pertains to file creation activity (a file is created if it does not exist and fails if it does)."
+ },
+ "4": {
+ "caption": "File Open If",
+ "description": "The event pertains to file open activity (the file is opened if it exists and is created if it doesn't)."
+ },
+ "5": {
+ "caption": "File Overwrite",
+ "description": "The event pertains to file overwrite activity (the file is opened in a truncated form if it exists and fails if it doesn't)."
+ },
+ "6": {
+ "caption": "File Overwrite If",
+ "description": "The event pertains to file overwrite activity (the file is opened in a truncated form if it exists and created otherwise)"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4006": {
+ "caption": "SMB Activity",
+ "description": "Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "client_dialects": {
+ "caption": "Client Dialects",
+ "description": "The list of SMB dialects that the client speaks.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command": {
+ "caption": "Command",
+ "description": "The command name (e.g. SMB2_COMMAND_CREATE, SMB1_COMMAND_WRITE_ANDX).",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "dce_rpc": {
+ "caption": "Distributed Computing Environment/Remote Procedure Call (DCE/RPC)",
+ "description": "The DCE/RPC object describes the remote procedure call system for distributed computing environments.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "dce_rpc"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "dialect": {
+ "caption": "Dialect",
+ "description": "The negotiated protocol dialect.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the SMB activity.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "open_type": {
+ "caption": "Open Type",
+ "description": "Indicates how the file was opened (e.g. normal, delete on close).",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "response": {
+ "caption": "API Response Details",
+ "description": "The server response in an SMB network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "response"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "share": {
+ "caption": "Share",
+ "description": "The SMB share name.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "share_type": {
+ "caption": "Share Type",
+ "description": "The SMB share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "share_type_id": {
+ "caption": "Share Type Id",
+ "description": "The normalized identifier of the SMB share type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The share type is unknown."
+ },
+ "1": {
+ "caption": "File"
+ },
+ "2": {
+ "caption": "Pipe"
+ },
+ "3": {
+ "caption": "Print"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The share type is not mapped. See the share_type
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "share_type",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "tree_uid": {
+ "caption": "Tree UID",
+ "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400600": {
+ "caption": "SMB Activity: Unknown"
+ },
+ "400601": {
+ "caption": "SMB Activity: File Supersede"
+ },
+ "400602": {
+ "caption": "SMB Activity: File Open"
+ },
+ "400603": {
+ "caption": "SMB Activity: File Create"
+ },
+ "400604": {
+ "caption": "SMB Activity: File Open If"
+ },
+ "400605": {
+ "caption": "SMB Activity: File Overwrite"
+ },
+ "400606": {
+ "caption": "SMB Activity: File Overwrite If"
+ },
+ "400699": {
+ "caption": "SMB Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "SMB Activity",
+ "category": "network",
+ "description": "Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.",
+ "extends": "network",
+ "name": "smb_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 6
+ },
+ "ssh_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Open",
+ "description": "A new network connection was opened."
+ },
+ "2": {
+ "caption": "Close",
+ "description": "The network connection was closed."
+ },
+ "3": {
+ "caption": "Reset",
+ "description": "The network connection was abnormally terminated or closed by a middle device like firewalls."
+ },
+ "4": {
+ "caption": "Fail",
+ "description": "The network connection failed. For example a connection timeout or no route to host."
+ },
+ "5": {
+ "caption": "Refuse",
+ "description": "The network connection was refused. For example an attempt to connect to a server port which is not open."
+ },
+ "6": {
+ "caption": "Traffic",
+ "description": "Network traffic report."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "auth_type": {
+ "caption": "Authentication Type",
+ "description": "The SSH authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "auth_type_id": {
+ "caption": "Authentication Type ID",
+ "description": "The normalized identifier of the SSH authentication type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The authentication type is unknown."
+ },
+ "1": {
+ "caption": "Certificate Based",
+ "description": "Authentication using digital certificates."
+ },
+ "2": {
+ "caption": "GSSAPI",
+ "description": "GSSAPI for centralized authentication."
+ },
+ "3": {
+ "caption": "Host Based",
+ "description": "Authentication based on the client host's identity."
+ },
+ "4": {
+ "caption": "Keyboard Interactive",
+ "description": "Multi-step, interactive authentication."
+ },
+ "5": {
+ "caption": "Password",
+ "description": "Password Authentication."
+ },
+ "6": {
+ "caption": "Public Key",
+ "description": "Paired public key authentication."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The authentication type is not mapped. See the auth_type
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "auth_type",
+ "type": "integer_t"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4007": {
+ "caption": "SSH Activity",
+ "description": "SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "client_hassh": {
+ "caption": "Client HASSH",
+ "description": "The Client HASSH fingerprinting object.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "hassh"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The network connection information.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The responder (server) in a network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that is the target of the SSH activity.",
+ "group": "context",
+ "observable": 24,
+ "requirement": "optional",
+ "type": "file"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "protocol_ver": {
+ "caption": "SSH Version",
+ "description": "The Secure Shell Protocol version.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "server_hassh": {
+ "caption": "Server HASSH",
+ "description": "The Server HASSH fingerprinting object.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "hassh"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the network connection.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "400700": {
+ "caption": "SSH Activity: Unknown"
+ },
+ "400701": {
+ "caption": "SSH Activity: Open"
+ },
+ "400702": {
+ "caption": "SSH Activity: Close"
+ },
+ "400703": {
+ "caption": "SSH Activity: Reset"
+ },
+ "400704": {
+ "caption": "SSH Activity: Fail"
+ },
+ "400705": {
+ "caption": "SSH Activity: Refuse"
+ },
+ "400706": {
+ "caption": "SSH Activity: Traffic"
+ },
+ "400799": {
+ "caption": "SSH Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "SSH Activity",
+ "category": "network",
+ "description": "SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.",
+ "extends": "network",
+ "name": "ssh_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 7
+ },
+ "system": {
+ "associations": {
+ "actor.user": [
+ "device"
+ ],
+ "device": [
+ "actor.user"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "1": {
+ "caption": "System Activity",
+ "description": "System Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "0": {
+ "caption": "Base Event"
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "Requires reboot to finish the operation."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "No longer suspicious (re-scored)."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Marked with extended attributes."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "System Activity",
+ "category": "system",
+ "description": "The System Activity event is a generic event that defines a set of attributes available in the system activity events. As a generic event, it could be used to log events that are not otherwise defined by the System Activity category.",
+ "extends": "base_event",
+ "name": "system",
+ "profiles": [
+ "host",
+ "security_control"
+ ]
+ },
+ "tunnel_activity": {
+ "associations": {
+ "src_endpoint": [
+ "user"
+ ],
+ "user": [
+ "src_endpoint"
+ ]
+ },
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Open",
+ "description": "Open a tunnel."
+ },
+ "2": {
+ "caption": "Close",
+ "description": "Close a tunnel."
+ },
+ "3": {
+ "caption": "Renew",
+ "description": "Renew a tunnel."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The name of the application associated with the event or object.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "4": {
+ "caption": "Network Activity",
+ "description": "Network Activity events."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "4014": {
+ "caption": "Tunnel Activity",
+ "description": "Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "The tunnel connection information.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_connection_info"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "The device that reported the event.",
+ "group": "primary",
+ "profile": null,
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The server responding to the tunnel connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "load_balancer": {
+ "caption": "Load Balancer",
+ "description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
+ "requirement": "recommended",
+ "type": "load_balancer"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "protocol_name": {
+ "caption": "Tunnel Protocol",
+ "description": "The networking protocol associated with the tunnel. E.g. IPSec
, SSL
, GRE
.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "The proxy (server) in a network connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "session": {
+ "caption": "Tunnel Session",
+ "description": "The session associated with the tunnel.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "session"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "The initiator (client) of the tunnel connection.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "traffic": {
+ "caption": "Traffic",
+ "description": "Traffic refers to the amount of data moving across the tunnel at a given point of time. Ex: bytes_in
and bytes_out
.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_traffic"
+ },
+ "tunnel_interface": {
+ "caption": "Tunnel Interface",
+ "description": "The information about the virtual tunnel interface, e.g. utun0
. This is usually associated with the private (rfc-1918) ip of the tunnel.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_interface"
+ },
+ "tunnel_type": {
+ "caption": "Type",
+ "description": "The tunnel type. Example: Split
or Full
.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "tunnel_type_id": {
+ "caption": "Type",
+ "description": "The normalized tunnel type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Split Tunnel"
+ },
+ "2": {
+ "caption": "Full Tunnel"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "tunnel_type",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "401400": {
+ "caption": "Tunnel Activity: Unknown"
+ },
+ "401401": {
+ "caption": "Tunnel Activity: Open"
+ },
+ "401402": {
+ "caption": "Tunnel Activity: Close"
+ },
+ "401403": {
+ "caption": "Tunnel Activity: Renew"
+ },
+ "401499": {
+ "caption": "Tunnel Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user associated with the tunnel activity.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ }
+ },
+ "caption": "Tunnel Activity",
+ "category": "network",
+ "constraints": {
+ "at_least_one": [
+ "connection_info",
+ "session",
+ "src_endpoint",
+ "traffic",
+ "tunnel_interface",
+ "tunnel_type_id"
+ ]
+ },
+ "description": "Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.",
+ "extends": "network",
+ "name": "tunnel_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ],
+ "uid": 14
+ },
+ "user_access": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Assign Privileges",
+ "description": "Assign privileges to a user."
+ },
+ "2": {
+ "caption": "Revoke Privileges",
+ "description": "Revoke privileges from a user."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "3": {
+ "caption": "Identity & Access Management",
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "3005": {
+ "caption": "User Access Management",
+ "description": "User Access Management events report management updates to a user's privileges."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "privileges": {
+ "caption": "Privileges",
+ "description": "List of privileges assigned to a user.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resource": {
+ "caption": "Resource",
+ "description": "Resource that the privileges give access to.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source of the IAM activity.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "300500": {
+ "caption": "User Access Management: Unknown"
+ },
+ "300501": {
+ "caption": "User Access Management: Assign Privileges"
+ },
+ "300502": {
+ "caption": "User Access Management: Revoke Privileges"
+ },
+ "300599": {
+ "caption": "User Access Management: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "User to which privileges were assigned.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "required",
+ "type": "user"
+ }
+ },
+ "caption": "User Access Management",
+ "category": "iam",
+ "description": "User Access Management events report management updates to a user's privileges.",
+ "extends": "iam",
+ "name": "user_access",
+ "profiles": [
+ "host"
+ ],
+ "uid": 5
+ },
+ "user_inventory": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Log",
+ "description": "The discovered information is via a log."
+ },
+ "2": {
+ "caption": "Collect",
+ "description": "The discovered information is via a collection process."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5003": {
+ "caption": "User Inventory Info",
+ "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "500300": {
+ "caption": "User Inventory Info: Unknown"
+ },
+ "500301": {
+ "caption": "User Inventory Info: Log"
+ },
+ "500302": {
+ "caption": "User Inventory Info: Collect"
+ },
+ "500399": {
+ "caption": "User Inventory Info: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user that is being discovered by an inventory process.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "required",
+ "type": "user"
+ }
+ },
+ "caption": "User Inventory Info",
+ "category": "discovery",
+ "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
+ "extends": "discovery",
+ "name": "user_inventory",
+ "profiles": [
+ "cloud",
+ "datetime"
+ ],
+ "uid": 3
+ },
+ "user_query": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Query",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "5": {
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "5018": {
+ "caption": "User Query",
+ "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "command_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command UID",
+ "description": "The unique identifier of the discovery command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The search details associated with the query request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "query_info"
+ },
+ "query_result": {
+ "caption": "Query Result",
+ "description": "The result of the query.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_result_id": {
+ "caption": "Query Result ID",
+ "description": "The normalized identifier of the query result.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The query result is unknown."
+ },
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The query result is not mapped. See the query_result
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "query_result",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scan_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scan UID",
+ "description": "The unique identifier of the discovery scan request that pertains to this event.",
+ "group": "primary",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "501800": {
+ "caption": "User Query: Unknown"
+ },
+ "501801": {
+ "caption": "User Query: Query"
+ },
+ "501802": {
+ "caption": "User Query: Partial"
+ },
+ "501803": {
+ "caption": "User Query: Does not exist"
+ },
+ "501804": {
+ "caption": "User Query: Error"
+ },
+ "501805": {
+ "caption": "User Query: Unsupported"
+ },
+ "501899": {
+ "caption": "User Query: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user that pertains to the event or object.",
+ "group": "primary",
+ "observable": 21,
+ "requirement": "required",
+ "type": "user"
+ }
+ },
+ "caption": "User Query",
+ "category": "discovery",
+ "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
+ "extends": "discovery_result",
+ "name": "user_query",
+ "profiles": [
+ "host"
+ ],
+ "uid": 18
+ },
+ "vulnerability_finding": {
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the finding activity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "A finding was created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "A finding was updated."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "A finding was closed."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The finding activity name, as defined by the activity_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "2": {
+ "caption": "Findings",
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "2002": {
+ "caption": "Vulnerability Finding",
+ "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "comment": {
+ "caption": "Comment",
+ "description": "A user provided comment about the finding.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidence_id": {
+ "caption": "Confidence Id",
+ "description": "The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The normalized confidence is unknown."
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidence is not mapped to the defined enum values. See the confidence
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "confidence_score": {
+ "caption": "Confidence Score",
+ "description": "The confidence score as reported by the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The time of the most recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "finding_info": {
+ "caption": "Finding Information",
+ "description": "Describes the supporting information about a generated finding.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "finding_info"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "resource": {
+ "caption": "Resource",
+ "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "resource_details"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
 The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The time of the least recent event included in the finding.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "context",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "200200": {
+ "caption": "Vulnerability Finding: Unknown"
+ },
+ "200201": {
+ "caption": "Vulnerability Finding: Create"
+ },
+ "200202": {
+ "caption": "Vulnerability Finding: Update"
+ },
+ "200203": {
+ "caption": "Vulnerability Finding: Close"
+ },
+ "200299": {
+ "caption": "Vulnerability Finding: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vulnerabilities": {
+ "caption": "Vulnerabilities",
+ "description": "This object describes vulnerabilities reported in a security finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "vulnerability"
+ }
+ },
+ "caption": "Vulnerability Finding",
+ "category": "findings",
+ "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.",
+ "extends": "finding",
+ "name": "vulnerability_finding",
+ "profiles": [
+ "host"
+ ],
+ "uid": 2
+ },
+ "web_resource_access_activity": {
+ "@deprecated": {
+ "message": "Use the Web Resources Activity
class with the Security Control
and/or Network Proxy
profile instead.",
+ "since": "1.0.0"
+ },
+ "attributes": {
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Access Grant",
+ "description": "The incoming request has permission to the web resource."
+ },
+ "2": {
+ "caption": "Access Deny",
+ "description": "The incoming request does not have permission to the web resource."
+ },
+ "3": {
+ "caption": "Access Revoke",
+ "description": "The incoming request's access has been revoked due to security policy enforcements."
+ },
+ "4": {
+ "caption": "Access Error",
+ "description": "An error occurred during processing the request."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6004": {
+ "caption": "Web Resource Access Activity",
+ "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "required",
+ "type": "http_request"
+ },
+ "http_response": {
+ "caption": "HTTP Response",
+ "description": "Details about the HTTP response, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy": {
+ "@deprecated": {
+ "message": "Use the proxy_endpoint
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Proxy",
+ "description": "Details about the proxy service, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
 The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the source endpoint of the request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600400": {
+ "caption": "Web Resource Access Activity: Unknown"
+ },
+ "600401": {
+ "caption": "Web Resource Access Activity: Access Grant"
+ },
+ "600402": {
+ "caption": "Web Resource Access Activity: Access Deny"
+ },
+ "600403": {
+ "caption": "Web Resource Access Activity: Access Revoke"
+ },
+ "600404": {
+ "caption": "Web Resource Access Activity: Access Error"
+ },
+ "600499": {
+ "caption": "Web Resource Access Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "web_resources": {
+ "caption": "Web Resources",
+ "description": "Details about the resource that is the target of the activity.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "web_resource"
+ }
+ },
+ "caption": "Web Resource Access Activity",
+ "category": "application",
+ "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.",
+ "extends": "application",
+ "name": "web_resource_access_activity",
+ "profiles": [
+ "host",
+ "network_proxy"
+ ],
+ "uid": 4
+ },
+ "web_resources_activity": {
+ "attributes": {
+ "action": {
+ "caption": "Action",
+ "description": "The normalized caption of action_id
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "action_id": {
+ "caption": "Action ID",
+ "description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1
'Allowed' or 2
'Denied' in most cases. Note that 99
'Other' is not an option. No action would equate to 1
'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "The activity was allowed. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
+ },
+ "2": {
+ "caption": "Denied",
+ "description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action was not mapped. See the action
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "action",
+ "type": "integer_t"
+ },
+ "activity_id": {
+ "caption": "Activity ID",
+ "description": "The normalized identifier of the activity that triggered the event.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Create",
+ "description": "One or more web resources were created."
+ },
+ "2": {
+ "caption": "Read",
+ "description": "One or more web resources were read / viewed."
+ },
+ "3": {
+ "caption": "Update",
+ "description": "One or more web resources were updated."
+ },
+ "4": {
+ "caption": "Delete",
+ "description": "One or more web resources were deleted."
+ },
+ "5": {
+ "caption": "Search",
+ "description": "A search was performed on one or more web resources."
+ },
+ "6": {
+ "caption": "Import",
+ "description": "One or more web resources were imported into an Application."
+ },
+ "7": {
+ "caption": "Export",
+ "description": "One or more web resources were exported from an Application."
+ },
+ "8": {
+ "caption": "Share",
+ "description": "One or more web resources were shared."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "activity_name",
+ "type": "integer_t"
+ },
+ "activity_name": {
+ "caption": "Activity",
+ "description": "The event activity name, as defined by the activity_id.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "actor": {
+ "caption": "Actor",
+ "description": "The actor object describes details about the user/role/process that was the source of the activity.",
+ "requirement": "optional",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "category_name": {
+ "caption": "Category",
+ "description": "The event category name, as defined by category_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_uid": {
+ "caption": "Category ID",
+ "description": "The category unique identifier of the event.",
+ "enum": {
+ "6": {
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ }
+ },
+ "requirement": "required",
+ "sibling": "category_name",
+ "type": "integer_t"
+ },
+ "class_name": {
+ "caption": "Class",
+ "description": "The event class name, as defined by class_uid value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "class_uid": {
+ "caption": "Class ID",
+ "description": "The unique identifier of a class. A class describes the attributes available in an event.",
+ "enum": {
+ "6001": {
+ "caption": "Web Resources Activity",
+ "description": "Web Resources Activity events describe actions executed on a set of Web Resources."
+ }
+ },
+ "requirement": "required",
+ "sibling": "class_name",
+ "type": "integer_t"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "confidence": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidence",
+ "description": "The confidence of the reported event severity as a percentage: 0%-100%.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "count": {
+ "caption": "Count",
+ "default": 1,
+ "description": "The number of times that events in the same logical group occurred during the event Start Time to End Time period.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "data": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Data",
+ "description": "Additional data that is associated with the event.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "device": {
+ "caption": "Device",
+ "description": "An addressable device, computer system or host.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "disposition": {
+ "caption": "Disposition",
+ "description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "disposition_id": {
+ "caption": "Disposition ID",
+ "description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition was not known."
+ },
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "disposition",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "Details about server providing the web resources.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "end_time": {
+ "caption": "End Time",
+ "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "enrichments": {
+ "caption": "Enrichments",
+ "description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]
",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "enrichment"
+ },
+ "firewall_rule": {
+ "caption": "Firewall Rule",
+ "description": "The firewall rule that triggered the event.",
+ "requirement": "optional",
+ "type": "firewall_rule"
+ },
+ "http_request": {
+ "caption": "HTTP Request",
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "http_request"
+ },
+ "http_response": {
+ "caption": "HTTP Response",
+ "description": "Details about the HTTP response, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "malware": {
+ "caption": "Malware",
+ "description": "A list of Malware objects, describing details about the identified malware.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "malware"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "metadata": {
+ "caption": "Metadata",
+ "description": "The metadata associated with the event or a finding.",
+ "group": "context",
+ "requirement": "required",
+ "type": "metadata"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "observable"
+ },
+ "proxy_connection_info": {
+ "caption": "Proxy Connection Info",
+ "description": "The connection information from the proxy server to the remote server.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "proxy_http_request": {
+ "caption": "Proxy HTTP Request",
+ "description": "The HTTP Request from the proxy server to the remote server.",
+ "requirement": "optional",
+ "type": "http_request"
+ },
+ "proxy_http_response": {
+ "caption": "Proxy HTTP Response",
+ "description": "The HTTP Response from the remote server to the proxy server.",
+ "requirement": "optional",
+ "type": "http_response"
+ },
+ "proxy_tls": {
+ "caption": "Proxy TLS",
+ "description": "The TLS protocol negotiated between the proxy server and the remote server.",
+ "requirement": "recommended",
+ "type": "tls"
+ },
+ "proxy_traffic": {
+ "caption": "Proxy Traffic",
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended",
+ "type": "network_traffic"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique idenifier for the event",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
+ "group": "classification",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "severity_id": {
+ "caption": "Severity ID",
+ "description": "The normalized identifier of the event/finding severity.
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Informational",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Low",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "Medium",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "High",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See theseverity
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "classification",
+ "requirement": "required",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Details about the endpoint from which the request originated.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "start_time": {
+ "caption": "Start Time",
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The event status code, as reported by the event source.status
attribute, which contains a data source specific value."
+ }
+ },
+ "group": "primary",
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "time": {
+ "caption": "Event Time",
+ "description": "The normalized event occurrence time or the finding creation time.",
+ "requirement": "required",
+ "type": "timestamp_t"
+ },
+ "timezone_offset": {
+ "caption": "Timezone Offset",
+ "description": "The number of minutes that the reported event time
is ahead or behind UTC, in the range -1,080 to +1,080.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "tls": {
+ "caption": "TLS",
+ "description": "The Transport Layer Security (TLS) attributes, if available.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "tls"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The event/finding type name, as defined by the type_uid.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id
.",
+ "enum": {
+ "600100": {
+ "caption": "Web Resources Activity: Unknown"
+ },
+ "600101": {
+ "caption": "Web Resources Activity: Create"
+ },
+ "600102": {
+ "caption": "Web Resources Activity: Read"
+ },
+ "600103": {
+ "caption": "Web Resources Activity: Update"
+ },
+ "600104": {
+ "caption": "Web Resources Activity: Delete"
+ },
+ "600105": {
+ "caption": "Web Resources Activity: Search"
+ },
+ "600106": {
+ "caption": "Web Resources Activity: Import"
+ },
+ "600107": {
+ "caption": "Web Resources Activity: Export"
+ },
+ "600108": {
+ "caption": "Web Resources Activity: Share"
+ },
+ "600199": {
+ "caption": "Web Resources Activity: Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "web_resources": {
+ "caption": "Web Resources",
+ "description": "Describes details about web resources that were affected by an activity/event.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "required",
+ "type": "web_resource"
+ },
+ "web_resources_result": {
+ "caption": "Web Resources Result",
+ "description": "The results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.",
+ "group": "primary",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "web_resource"
+ }
+ },
+ "caption": "Web Resources Activity",
+ "category": "application",
+ "description": "Web Resources Activity events describe actions executed on a set of Web Resources.",
+ "extends": "base_event",
+ "name": "web_resources_activity",
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control"
+ ],
+ "uid": 1
+ }
+ },
+ "objects": {
+ "_base_threat_intelligence": {
+ "attributes": {
+ "details": {
+ "caption": "Details",
+ "description": "Details about the IP address.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "findings": {
+ "caption": "Findings",
+ "description": "The findings from threat intelligence platforms",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "finding"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The labels or tags in the intelligence.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "Additional references for more information.",
+ "description": "A list of reference URLs supporting the finding/detection.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "reputations": {
+ "caption": "Reputations",
+ "description": "Reputation score as reported by provider",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The vendor that provided the intelligence.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Base Threat Intelligence",
+ "description": "Base object for threat intelligence data",
+ "extends": "object",
+ "extension": "query",
+ "name": "_base_threat_intelligence"
+ },
+ "_dns": {
+ "attributes": {
+ "class": {
+ "caption": "Resource Record Class",
+ "description": "The class of resource records being queried. See RFC1035. For example: IN
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "packet_uid": {
+ "caption": "Packet UID",
+ "description": "The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Resource Record Type",
+ "description": "The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "DNS",
+ "description": "The Domain Name System (DNS) object represents the shared information associated with the DNS query and answer objects.",
+ "extends": "object",
+ "name": "_dns"
+ },
+ "_entity": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the entity.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the entity.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Entity",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Entity object is an unordered collection of attributes, with a name and unique identifier. It serves as a base object that defines a set of attributes and default constraints available in all objects that extend it.",
+ "extends": "object",
+ "name": "_entity"
+ },
+ "_resource": {
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "Additional data describing the resource.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels/tags associated to a resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The resource type as defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Resource",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Resource object contains attributes that provide information about a particular resource. It serves as a base object, offering attributes that help identify and classify the resource effectively.",
+ "extends": "_entity",
+ "name": "_resource",
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "account": {
+ "attributes": {
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels/tags associated to the account.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the account (e.g. GCP Account Name).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The normalized account type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The account type is unknown."
+ },
+ "1": {
+ "caption": "LDAP Account"
+ },
+ "10": {
+ "caption": "AWS Account"
+ },
+ "2": {
+ "caption": "Windows Account"
+ },
+ "3": {
+ "caption": "AWS IAM User"
+ },
+ "4": {
+ "caption": "AWS IAM Role"
+ },
+ "5": {
+ "caption": "GCP Account"
+ },
+ "6": {
+ "caption": "Azure AD Account"
+ },
+ "7": {
+ "caption": "Mac OS Account"
+ },
+ "8": {
+ "caption": "Apple Account"
+ },
+ "9": {
+ "caption": "Linux Account"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The account type is not mapped."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the account (e.g. AWS Account ID).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Account",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Account object contains details about the account that initiated or performed a specific activity within a system or application.",
+ "extends": "_entity",
+ "name": "account"
+ },
+ "actor": {
+ "attributes": {
+ "app_name": {
+ "caption": "Application Name",
+ "description": "The client application or service that initiated the activity. This can be in conjunction with the user
if present. Note that app_name
is distinct from the process
if present.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "app_uid": {
+ "caption": "Application ID",
+ "description": "The unique identifier of the client application or service that initiated the activity. This can be in conjunction with the user
if present. Note that app_name
is distinct from the process.pid
or process.uid
if present.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "authorizations": {
+ "caption": "Authorization Information",
+ "description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "authorization"
+ },
+ "idp": {
+ "caption": "Identity Provider",
+ "description": "This object describes details about the Identity Provider used.",
+ "requirement": "optional",
+ "type": "idp"
+ },
+ "invoked_by": {
+ "@deprecated": {
+ "message": "Use app_name, app_uid
attributes instead.",
+ "since": "1.2.0"
+ },
+ "caption": "Invoked by",
+ "description": "The name of the service that invoked the activity as described in the event.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "process": {
+ "caption": "Process",
+ "description": "The process that initiated the activity.",
+ "observable": 25,
+ "requirement": "recommended",
+ "type": "process"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "session": {
+ "caption": "Session",
+ "description": "The user session from which the activity was initiated.",
+ "requirement": "optional",
+ "type": "session"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user that initiated the activity or the user context from which the activity was initiated.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ }
+ },
+ "caption": "Actor",
+ "constraints": {
+ "at_least_one": [
+ "process",
+ "user",
+ "invoked_by",
+ "session",
+ "app_name",
+ "app_uid"
+ ]
+ },
+ "description": "The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.",
+ "extends": "object",
+ "name": "actor"
+ },
+ "affected_code": {
+ "attributes": {
+ "end_line": {
+ "caption": "End Line",
+ "description": "The line number of the last line of code block identified as vulnerable.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "Details about the file that contains the affected code block.",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "Details about the user that owns the affected file.",
+ "observable": 21,
+ "requirement": "optional",
+ "type": "user"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "start_line": {
+ "caption": "Start Line",
+ "description": "The line number of the first line of code block identified as vulnerable.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Affected Code",
+ "description": "The Affected Code object describes details about a code block identified as vulnerable.",
+ "extends": "object",
+ "name": "affected_code"
+ },
+ "affected_package": {
+ "attributes": {
+ "architecture": {
+ "caption": "Architecture",
+ "description": "Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "epoch": {
+ "caption": "Epoch",
+ "description": "The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "fixed_in_version": {
+ "caption": "Fixed In Version",
+ "description": "The software package version in which a reported vulnerability was patched/fixed.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "license": {
+ "caption": "Software License",
+ "description": "The software license applied to this package.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The software package name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "package_manager": {
+ "caption": "Package Manager",
+ "description": "The software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The installation path of the affected package.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "purl": {
+ "caption": "Package URL",
+ "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "release": {
+ "caption": "Software Release Details",
+ "description": "Release is the number of times a version of the software has been packaged.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The software package version.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Affected Software Package",
+ "description": "The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.",
+ "extends": "package",
+ "name": "affected_package"
+ },
+ "agent": {
+ "attributes": {
+ "name": {
+ "caption": "Agent Name",
+ "description": "The name of the agent or sensor. For example: AWS SSM Agent
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "policies": {
+ "caption": "Agent Policies",
+ "description": "Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "policy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Agent Type",
+ "description": "The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Endpoint Detection and Response",
+ "description": "Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh."
+ },
+ "2": {
+ "caption": "Data Loss Prevention",
+ "description": "Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP."
+ },
+ "3": {
+ "caption": "Backup & Recovery",
+ "description": "Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent."
+ },
+ "4": {
+ "caption": "Performance Monitoring & Observability",
+ "description": "Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent."
+ },
+ "5": {
+ "caption": "Vulnerability Management",
+ "description": "Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent."
+ },
+ "6": {
+ "caption": "Log Forwarding",
+ "description": "Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent."
+ },
+ "7": {
+ "caption": "Mobile Device Management",
+ "description": "Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary."
+ },
+ "8": {
+ "caption": "Configuration Management",
+ "description": "Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server."
+ },
+ "9": {
+ "caption": "Remote Access",
+ "description": "Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Agent ID",
+ "description": "The UID of the agent or sensor, sometimes known as a Sensor ID or aid
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid_alt": {
+ "caption": "Alternate Agent ID",
+ "description": "An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The company or author who created the agent or sensor. For example: Crowdstrike
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "version": {
+ "caption": "Agent Version",
+ "description": "The semantic version of the agent or sensor, e.g., 7.101.50.0
.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Agent",
+ "constraints": {
+ "at_least_one": [
+ "uid",
+ "name"
+ ]
+ },
+ "description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
+ "extends": "object",
+ "name": "agent"
+ },
+ "analytic": {
+ "attributes": {
+ "category": {
+ "caption": "Category",
+ "description": "The analytic category.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the analytic that generated the finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the analytic that generated the finding.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "related_analytics": {
+ "@deprecated": {
+ "message": "Related Analytics has been decoupled from this object, instead use finding_info.related_analytics
.",
+ "since": "1.0.0"
+ },
+ "caption": "Related Analytics",
+ "description": "Other analytics related to this analytic.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "analytic"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The analytic type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The analytic type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Rule",
+ "description": "A Rule in security analytics refers to predefined criteria or conditions set to monitor, alert, or enforce policies, playing a crucial role in access control, threat detection, and regulatory compliance across security systems."
+ },
+ "10": {
+ "caption": "Partial Data Match",
+ "description": "Partial Data Match involves identifying instances where segments of sensitive information or patterns match, facilitating nuanced DLP and threat detection without requiring complete data conformity."
+ },
+ "11": {
+ "caption": "Indexed Data Match",
+ "description": "Indexed Data Match refers to comparing content against a pre-compiled index of sensitive information to efficiently detect and prevent unauthorized access or breaches, streamlining DLP and compliance efforts."
+ },
+ "2": {
+ "caption": "Behavioral",
+ "description": "Behavioral analytics focus on monitoring and analyzing user or system actions to identify deviations from established patterns, aiding in the detection of insider threats, fraud, and advanced persistent threats (APTs)."
+ },
+ "3": {
+ "caption": "Statistical",
+ "description": "Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making."
+ },
+ "5": {
+ "caption": "Fingerprinting",
+ "description": "Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities."
+ },
+ "6": {
+ "caption": "Tagging",
+ "description": "Tagging refers to the practice of assigning labels or identifiers to data, users, assets, or activities to monitor, control access, and facilitate incident response across various security domains such as DLP and EDR."
+ },
+ "7": {
+ "caption": "Keyword Match",
+ "description": "Keyword Match involves scanning content for specific terms to identify sensitive information, potential threats, or policy violations, aiding in DLP and compliance monitoring."
+ },
+ "8": {
+ "caption": "Regular Expressions",
+ "description": "Regular Expressions are used to define complex search patterns for identifying, validating, and extracting specific data sets or threats within digital content, enhancing DLP, EDR, and threat detection mechanisms."
+ },
+ "9": {
+ "caption": "Exact Data Match",
+ "description": "Exact Data Match is a precise comparison technique used to detect the unauthorized use or exposure of specific, sensitive information, crucial for enforcing DLP policies and protecting against data breaches."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the analytic that generated the finding.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The analytic version. For example: 1.1
.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Analytic",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.",
+ "extends": "_entity",
+ "name": "analytic"
+ },
+ "api": {
+ "attributes": {
+ "group": {
+ "caption": "Group",
+ "description": "The information pertaining to the API group.",
+ "requirement": "optional",
+ "type": "group"
+ },
+ "operation": {
+ "caption": "Operation",
+ "description": "Verb/Operation associated with the request",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "request": {
+ "caption": "API Request Details",
+ "description": "Details pertaining to the API request.",
+ "requirement": "recommended",
+ "type": "request"
+ },
+ "response": {
+ "caption": "API Response Details",
+ "description": "Details pertaining to the API response.",
+ "requirement": "recommended",
+ "type": "response"
+ },
+ "service": {
+ "caption": "Service",
+ "description": "The information pertaining to the API service.",
+ "requirement": "optional",
+ "type": "service"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the API service.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "API",
+ "description": "The API, or Application Programming Interface, object represents information pertaining to an API request and response.",
+ "extends": "object",
+ "name": "api"
+ },
+ "attack": {
+ "attributes": {
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sub_technique": {
+ "caption": "Sub Technique",
+ "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "requirement": "optional",
+ "type": "sub_technique"
+ },
+ "tactic": {
+ "caption": "Tactic",
+ "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
+ "requirement": "optional",
+ "type": "tactic"
+ },
+ "tactics": {
+ "@deprecated": {
+ "message": "Use the tactic
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Tactics",
+ "description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by ATT&CK MatrixTM.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "tactic"
+ },
+ "technique": {
+ "caption": "Technique",
+ "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "requirement": "optional",
+ "type": "technique"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The ATT&CK MatrixTM version.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "MITRE ATT&CK\u00ae",
+ "constraints": {
+ "at_least_one": [
+ "tactic",
+ "technique",
+ "sub_technique"
+ ]
+ },
+ "description": "The MITRE ATT&CK\u00ae object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK MatrixTM.",
+ "extends": "object",
+ "name": "attack"
+ },
+ "auth_factor": {
+ "attributes": {
+ "device": {
+ "caption": "Device",
+ "description": "Device used to complete an authentication request.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "email_addr": {
+ "caption": "Email Address",
+ "description": "The email address used in an email-based authentication factor.",
+ "group": "context",
+ "observable": 5,
+ "requirement": "optional",
+ "type": "email_t"
+ },
+ "factor_type": {
+ "caption": "Factor Type",
+ "description": "The type of authentication factor used in an authentication attempt.",
+ "group": "primary",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "factor_type_id": {
+ "caption": "Factor Type ID",
+ "description": "The normalized identifier for the authentication factor.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "SMS",
+ "description": "User receives and inputs a code sent to their mobile device via SMS text message."
+ },
+ "10": {
+ "caption": "WebAuthn",
+ "description": "Web-based API that enables users to register devices as authentication factors."
+ },
+ "11": {
+ "caption": "Password",
+ "description": "The user enters a password that they have previously established."
+ },
+ "2": {
+ "caption": "Security Question",
+ "description": "The user responds to a security question as part of a question-based authentication factor"
+ },
+ "3": {
+ "caption": "Phone Call",
+ "description": "System calls the user's registered phone number and requires the user to answer and provide a response."
+ },
+ "4": {
+ "caption": "Biometric",
+ "description": "Devices that verify identity-based on user's physical identifiers, such as fingerprint scanners or retina scanners."
+ },
+ "5": {
+ "caption": "Push Notification",
+ "description": "Push notification is sent to user's registered device and requires the user to acknowledge."
+ },
+ "6": {
+ "caption": "Hardware Token",
+ "description": "Physical device that generates a code to be used for authentication."
+ },
+ "7": {
+ "caption": "OTP",
+ "description": "Application generates a one-time password (OTP) for use in authentication."
+ },
+ "8": {
+ "caption": "Email",
+ "description": "A code or link is sent to a user's registered email address."
+ },
+ "9": {
+ "caption": "U2F",
+ "description": "Typically involves a hardware token, which the user physically interacts with to authenticate."
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "group": "primary",
+ "requirement": "required",
+ "sibling": "factor_type",
+ "type": "integer_t"
+ },
+ "is_hotp": {
+ "caption": "HMAC-based One-time Password (HOTP)",
+ "description": "Whether the authentication factor is an HMAC-based One-time Password (HOTP).",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "boolean_t"
+ },
+ "is_totp": {
+ "caption": "Time-based One-time Password (TOTP)",
+ "description": "Whether the authentication factor is a Time-based One-time Password (TOTP).",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "boolean_t"
+ },
+ "phone_number": {
+ "caption": "Phone Number",
+ "description": "The phone number used for a telephony-based authentication request.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "provider": {
+ "caption": "Provider",
+ "description": "The name of provider for an authentication factor.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "security_questions": {
+ "caption": "Security Questions",
+ "description": "The question(s) provided to user for a question-based authentication factor.",
+ "group": "context",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Authentication Factor",
+ "constraints": {
+ "just_one": [
+ "email_addr",
+ "phone_number",
+ "security_questions"
+ ]
+ },
+ "description": "An Authentication Factor object describes a category of methods used for identity verification in an authentication attempt.",
+ "extends": "object",
+ "name": "auth_factor"
+ },
+ "authorization": {
+ "attributes": {
+ "decision": {
+ "caption": "Authorization Decision/Outcome",
+ "description": "Authorization Result/outcome, e.g. allowed, denied.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "Details about the Identity/Access management policies that are applicable.",
+ "requirement": "optional",
+ "type": "policy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Authorization Result",
+ "description": "The Authorization Result object provides details about the authorization outcome and associated policies related to activity.",
+ "extends": "object",
+ "name": "authorization"
+ },
+ "autonomous_system": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "Organization name for the Autonomous System.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "number": {
+ "caption": "Number",
+ "description": "Unique number that the AS is identified by.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Autonomous System",
+ "constraints": {
+ "at_least_one": [
+ "number",
+ "name"
+ ]
+ },
+ "description": "An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.",
+ "extends": "object",
+ "name": "autonomous_system"
+ },
+ "certificate": {
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the certificate was created.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The expiration time of the certificate.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "fingerprint": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Fingerprint",
+ "description": "The fingerprint of the certificate.",
+ "observable": 30,
+ "requirement": "required",
+ "type": "fingerprint"
+ },
+ "fingerprints": {
+ "caption": "Fingerprints",
+ "description": "The fingerprint list of the certificate.",
+ "is_array": true,
+ "observable": 30,
+ "requirement": "required",
+ "type": "fingerprint"
+ },
+ "issuer": {
+ "caption": "Issuer Distinguished Name",
+ "description": "The certificate issuer distinguished name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "issuer_dn": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Issuer Distinguished Name",
+ "description": "The certificate issuer distinguished name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "serial_number": {
+ "caption": "Certificate Serial Number",
+ "description": "The serial number of the certificate used to create the digital signature.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "subject": {
+ "caption": "Subject Distinguished Name",
+ "description": "The certificate subject distinguished name.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "subject_dn": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Subject Distinguished Name",
+ "description": "The certificate subject distinguished name.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the certificate.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The certificate version.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Digital Certificate",
+ "description": "The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity. Defined by D3FEND d3f:Certificate.",
+ "extends": "object",
+ "name": "certificate"
+ },
+ "cis_benchmark": {
+ "attributes": {
+ "cis_controls": {
+ "caption": "CIS Controls",
+ "description": "The CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "cis_control"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The CIS Benchmark description. For example: The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The CIS Benchmark name. For example: Ensure mounting of cramfs filesystems is disabled.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "CIS Benchmark",
+ "description": "The CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security. See also Getting to Know the CIS Benchmarks.",
+ "extends": "object",
+ "name": "cis_benchmark"
+ },
+ "cis_benchmark_result": {
+ "attributes": {
+ "desc": {
+ "caption": "Description",
+ "description": "The CIS benchmark description.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The CIS benchmark name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "rule": {
+ "caption": "Rule",
+ "description": "The CIS benchmark rule.",
+ "requirement": "optional",
+ "type": "rule"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "CIS Benchmark Result",
+ "description": "The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result. CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.",
+ "extends": "object",
+ "name": "cis_benchmark_result"
+ },
+ "cis_control": {
+ "attributes": {
+ "desc": {
+ "caption": "Description",
+ "description": "The CIS Control description. For example: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The CIS Control name. For example: 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The CIS Control version. For example: v8.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "CIS Control",
+ "description": "The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The CIS Controls are defined by the Center for Internet Security.",
+ "extends": "object",
+ "name": "cis_control"
+ },
+ "cis_csc": {
+ "attributes": {
+ "control": {
+ "caption": "Security Control",
+ "description": "A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The CIS critical security control version.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "CIS CSC",
+ "description": "The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC). Prioritized set of actions to protect your organization and data from cyber-attack vectors.",
+ "extends": "object",
+ "name": "cis_csc"
+ },
+ "cloud": {
+ "attributes": {
+ "account": {
+ "caption": "Account",
+ "description": "The account object describes details about the account that was the source or target of the activity.",
+ "requirement": "optional",
+ "type": "account"
+ },
+ "account_type": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Account Type",
+ "description": "The user account type, as defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "account_type_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Account Type ID",
+ "description": "The normalized user account type identifier.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The user account type is not mapped."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The user account type is unknown."
+ },
+ "1": {
+ "caption": "LDAP Account"
+ },
+ "2": {
+ "caption": "Windows Account"
+ },
+ "3": {
+ "caption": "AWS IAM Account"
+ },
+ "4": {
+ "caption": "GCP Account"
+ },
+ "5": {
+ "caption": "Azure AD Account"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "account_type",
+ "type": "integer_t"
+ },
+ "account_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Account UID",
+ "description": "The unique identifier of the account(e.g. AWS Account ID).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "org": {
+ "caption": "Organization",
+ "description": "Organization and org unit relevant to the event or object.",
+ "requirement": "optional",
+ "type": "organization"
+ },
+ "org_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Org ID",
+ "description": "The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "project_uid": {
+ "caption": "Project ID",
+ "description": "The unique identifier of a Cloud project.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "provider": {
+ "caption": "Provider",
+ "description": "The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "region": {
+ "caption": "Region",
+ "description": "The name of the cloud region, as defined by the cloud provider.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "resource_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Resource ID",
+ "description": "The unique identifier of a cloud resource. For example, S3 Bucket name, EC2 Instance Id.",
+ "observable": 10,
+ "requirement": "optional",
+ "type": "resource_uid_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "zone": {
+ "caption": "Network Zone",
+ "description": "The availability zone in the cloud region, as defined by the cloud provider.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Cloud",
+ "description": "The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.",
+ "extends": "object",
+ "name": "cloud"
+ },
+ "compliance": {
+ "attributes": {
+ "control": {
+ "caption": "Security Control",
+ "description": "A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "requirements": {
+ "caption": "Compliance Requirements",
+ "description": "A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10
",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "standards": {
+ "caption": "Security Standards",
+ "description": "Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001
",
+ "is_array": true,
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The resultant status of the compliance check normalized to the caption of the status_id
value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "status_code": {
+ "caption": "Status Code",
+ "description": "The resultant status code of the compliance check.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_detail": {
+ "caption": "Status Details",
+ "description": "The contextual description of the status, status_code values.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "status_id": {
+ "caption": "Status ID",
+ "description": "The normalized status identifier of the compliance check.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The status is unknown."
+ },
+ "1": {
+ "caption": "Pass",
+ "description": "The compliance check passed for all the evaluated resources."
+ },
+ "2": {
+ "caption": "Warning",
+ "description": "The compliance check did not yield a result due to missing information."
+ },
+ "3": {
+ "caption": "Fail",
+ "description": "The compliance check failed for at least one of the evaluated resources."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event status is not mapped. See the status
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "status",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Compliance",
+ "description": "The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements.",
+ "extends": "object",
+ "name": "compliance"
+ },
+ "container": {
+ "attributes": {
+ "exposed_port": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Port",
+ "description": "The port exposed by container to allow access of run application remotely.",
+ "observable": 11,
+ "requirement": "optional",
+ "type": "port_t"
+ },
+ "fingerprint": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Fingerprint",
+ "description": "The SHA256 hash of the container.",
+ "observable": 30,
+ "requirement": "recommemded",
+ "type": "fingerprint"
+ },
+ "hash": {
+ "caption": "Hash",
+ "description": "Commit hash of image created for docker or the SHA256 hash of the container. For example: 13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de
.",
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "image": {
+ "caption": "Image",
+ "description": "The container image used as a template to run the container.",
+ "requirement": "recommended",
+ "type": "image"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The container name.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "network_driver": {
+ "caption": "Network Driver",
+ "description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "orchestrator": {
+ "caption": "Orchestrator",
+ "description": "The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "pod_uuid": {
+ "caption": "Pod UUID",
+ "description": "The unique identifier of the pod (or equivalent) that the container is executing on.",
+ "requirement": "optional",
+ "type": "uuid_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "runtime": {
+ "caption": "Runtime",
+ "description": "The backend running the container, such as containerd or cri-o.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size of the container image.",
+ "requirement": "recommended",
+ "type": "long_t"
+ },
+ "tag": {
+ "caption": "Image Tag",
+ "description": "The tag used by the container. It can indicate version, format, OS.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Container",
+ "constraints": {
+ "at_least_one": [
+ "uid",
+ "name"
+ ]
+ },
+ "description": "The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
+ "extends": "object",
+ "name": "container",
+ "observable": 27
+ },
+ "cve": {
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "cvss": {
+ "caption": "CVSS Score",
+ "description": "The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "cvss"
+ },
+ "cwe": {
+ "caption": "CWE",
+ "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.",
+ "requirement": "optional",
+ "type": "cwe"
+ },
+ "cwe_uid": {
+ "@deprecated": {
+ "message": "Use the cwe
object attributes instead.",
+ "since": "1.1.0"
+ },
+ "caption": "CWE UID",
+ "description": "The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cwe_url": {
+ "@deprecated": {
+ "message": "Use the cwe
object attributes instead.",
+ "since": "1.1.0"
+ },
+ "caption": "CWE URL",
+ "description": "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html
.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "A brief description of the CVE Record.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "epss": {
+ "caption": "EPSS",
+ "description": "The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (EPSS).",
+ "requirement": "optional",
+ "type": "epss"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The Record Modified Date identifies when the CVE record was last updated.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "product": {
+ "caption": "Product",
+ "description": "The product where the vulnerability was discovered.",
+ "requirement": "optional",
+ "type": "product"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "References",
+ "description": "A list of reference URLs with additional information about the CVE Record.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "title": {
+ "caption": "Title",
+ "description": "A title or a brief phrase summarizing the CVE record.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Vulnerability Type",
+ "description": "The vulnerability type as selected from a large dropdown menu during CVE refinement.
Most frequently used vulnerability types are:DoS
, Code Execution
, Overflow
, Memory Corruption
, Sql Injection
, XSS
, Directory Traversal
, Http Response Splitting
, Bypass something
, Gain Information
, Gain Privileges
, CSRF
, File Inclusion
. For more information see Vulnerabilities By Type distributions.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "CVE ID",
+ "description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345
.",
+ "observable": 18,
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "CVE",
+ "description": "The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in CVE Program catalog (CVE). There is one CVE Record for each vulnerability in the catalog.",
+ "extends": "object",
+ "name": "cve"
+ },
+ "cvss": {
+ "attributes": {
+ "access_complexity_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Access Complexity (AC)",
+ "description": "Name: Access Complexity (AC). Group: Base. CVSS Version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "Low (L)"
+ },
+ "1": {
+ "caption": "Medium (M)"
+ },
+ "2": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "access_vector_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Access Vector (AV)",
+ "description": "Name: Access Vector (AV). Group: Base. CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "Local (L)"
+ },
+ "1": {
+ "caption": "Adjacent Network (A)"
+ },
+ "2": {
+ "caption": "Network (N)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "attack_complexity_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Attack Complexity (AC)",
+ "description": "The Attack Complexity Common Vulnerability Scoring System (CVSS) metric. Name: Attack Complexity (AC). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "Low (L)"
+ },
+ "1": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "attack_vector_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Attack Vector (AV)",
+ "description": "Name: Attack Vector (AV). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "Network (N)"
+ },
+ "1": {
+ "caption": "Adjacent (A)"
+ },
+ "2": {
+ "caption": "Local (L)"
+ },
+ "3": {
+ "caption": "Physical (P)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "authentication_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Authentication (Au)",
+ "description": "Name: Authentication (Au). Group: Base. CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "None"
+ },
+ "1": {
+ "caption": "Single (S)"
+ },
+ "2": {
+ "caption": "Multiple (M)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "availability_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Availability (A)",
+ "description": "Name: Availability (A). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "availability_impact_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Availability Impact (A)",
+ "description": "Name: Availability Impact (A). Group: Base, CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Partial (P)"
+ },
+ "2": {
+ "caption": "Complete (C)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "availability_requirement_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Availability Requirement (AR)",
+ "description": "Name: Availability Requirement (AR). Group: Environmental. CVSS version: v2, v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X, ND)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "Medium (LM)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "base_score": {
+ "caption": "Base Score",
+ "description": "The CVSS base score. For example: 9.1
.",
+ "requirement": "required",
+ "type": "float_t"
+ },
+ "collateral_damage_potential_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Collateral Damage Potential (CDP)",
+ "description": "Name: Collateral Damage Potential (CDP). Group: Environmental. CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "Low-Medium (LM)"
+ },
+ "3": {
+ "caption": "Medium-High (MH)"
+ },
+ "4": {
+ "caption": "High (H)"
+ },
+ "5": {
+ "caption": "Not Defined (ND)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidentiality_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidentiality (C)",
+ "description": "The Confidentiality Common Vulnerability Scoring System (CVSS) metric. Name: Confidentiality (C). Group: Base. CVSS version: v3",
+ "enum": {
+ "-1": {
+ "caption": "Other"
+ },
+ "0": {
+ "caption": "None (N)",
+ "description": "The confidentiality is unknown."
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "High (H)"
+ },
+ "3": {
+ "caption": "Secret"
+ },
+ "4": {
+ "caption": "Top Secret"
+ },
+ "5": {
+ "caption": "Private"
+ },
+ "6": {
+ "caption": "Restricted"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidentiality is not mapped. See the confidentiality
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "confidentiality",
+ "type": "integer_t"
+ },
+ "confidentiality_impact_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidentiality Impact (C)",
+ "description": "Name: Confidentiality Impact (C). Group: Base CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Partial (P)"
+ },
+ "2": {
+ "caption": "Complete (C)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "confidentiality_requirement_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Confidentiality Requirement (CR)",
+ "description": "Name: Confidentiality Requirement (CR). Group: Environmental. CVSS version: v2, v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X, ND)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "Medium (LM)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "depth": {
+ "caption": "CVSS Depth",
+ "description": "The CVSS depth represents a depth of the equation used to calculate CVSS score.",
+ "enum": {
+ "Base": {
+ "caption": "Base"
+ },
+ "Environmental": {
+ "caption": "Environmental"
+ },
+ "Temporal": {
+ "caption": "Temporal"
+ }
+ },
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "depth_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "CVSS Depth",
+ "description": "The CVSS depth. Representing a depth of the equation used to calculate CVSS score.",
+ "enum": {
+ "0": {
+ "caption": "Base"
+ },
+ "1": {
+ "caption": "Temporal"
+ },
+ "2": {
+ "caption": "Environmental"
+ }
+ },
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "exploit_code_maturity_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Exploit Code Maturity (E)",
+ "description": "Name: Exploit Code Maturity (E). Group: Temporal. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "High (H)"
+ },
+ "2": {
+ "caption": "Functional (F)"
+ },
+ "3": {
+ "caption": "Proof-of-Concept (P)"
+ },
+ "4": {
+ "caption": "Unproven (U)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "exploitability_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Exploitability (E)",
+ "description": "Name: Exploitability (E). Group: Temporal. CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (ND)"
+ },
+ "1": {
+ "caption": "High (H)"
+ },
+ "2": {
+ "caption": "Functional (F)"
+ },
+ "3": {
+ "caption": "Proof-of-Concept (POC)"
+ },
+ "4": {
+ "caption": "Unproven (U)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "integrity_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Integrity (I)",
+ "description": "The Integrity Common Vulnerability Scoring System (CVSS) metric. Name: Integrity (I). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "integrity",
+ "type": "integer_t"
+ },
+ "integrity_impact_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Integrity Impact (I)",
+ "description": "Name: Integrity Impact (I). Group: Base. CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Partial (P)"
+ },
+ "2": {
+ "caption": "Complete (C)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "integrity_requirement_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Integrity Requirement (IR)",
+ "description": "Name: Integrity Requirement (IR). Group: Environmental. CVSS version: v2, v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X, ND)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "Medium (LM)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "metrics": {
+ "caption": "Metrics",
+ "description": "The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: { {\"Access Vector\", \"Network\"}, {\"Access Complexity\", \"Low\"}, ...}
.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "metric"
+ },
+ "modified_attack_complexity_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Attack Complexity (MAC)",
+ "description": "Name: Modified Attack Complexity (MAC). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_attack_vector_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Attack Vector (MAV)",
+ "description": "Name: Modified Attack Vector (MAV). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "Network (N)"
+ },
+ "2": {
+ "caption": "Adjacent (A)"
+ },
+ "3": {
+ "caption": "Local (L)"
+ },
+ "4": {
+ "caption": "Physical (P)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_availability_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Availability (MA)",
+ "description": "Name: Modified Availability (MA). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "None (N)"
+ },
+ "2": {
+ "caption": "Low (L)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_confidentiality_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Confidentiality (MC)",
+ "description": "Name: Modified Confidentiality (MC). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "None (N)"
+ },
+ "2": {
+ "caption": "Low (L)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_integrity_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Integrity (MI)",
+ "description": "Name: Modified Integrity (MI). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "None (N)"
+ },
+ "2": {
+ "caption": "Low (L)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_privileges_required_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Privileges Required (MPR)",
+ "description": "Name: Modified Privileges Required (MPR). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "None (N)"
+ },
+ "2": {
+ "caption": "Low (L)"
+ },
+ "3": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_scope_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified Scope (MS)",
+ "description": "Name: Modified Scope (MS). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "Unchanged (U)"
+ },
+ "2": {
+ "caption": "Changed (C)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "modified_user_interaction_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Modified User Interaction (MUI)",
+ "description": "Name: Modified User Interaction (MUI). Group: Environmental. Version: v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X)"
+ },
+ "1": {
+ "caption": "None (N)"
+ },
+ "2": {
+ "caption": "Required (R)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "overall_score": {
+ "caption": "Overall Score",
+ "description": "The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1
.",
+ "requirement": "recommended",
+ "type": "float_t"
+ },
+ "privileges_required_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Privileges Required (PR)",
+ "description": "The Privileges Required (PR) Common Vulnerability Scoring System (CVSS) metric. Name: Privileges Required (PR). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "High (H)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "raw_score": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Score",
+ "description": "CVSS Score in the range of 0.0 to 10.0.",
+ "requirement": "recommended",
+ "type": "float_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "remediation_level_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Remediation Level (RL)",
+ "description": "Name: Remediation Level (RL). Group: Temporal. CVSS version: v1, v2, v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X, ND)"
+ },
+ "1": {
+ "caption": "Unavailable (U)"
+ },
+ "2": {
+ "caption": "Workaround (W)"
+ },
+ "3": {
+ "caption": "Temporary Fix (T, TF)"
+ },
+ "4": {
+ "caption": "Official Fix (O, OF)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "report_confidence_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Report Confidence (RC)",
+ "description": "Name: Report Confidence (RC). Group: Temporal. CVSS version: v1, v2, v3",
+ "enum": {
+ "0": {
+ "caption": "Not Defined (X, ND)"
+ },
+ "1": {
+ "caption": "Confirmed (C)"
+ },
+ "2": {
+ "caption": "Reasonable (R)"
+ },
+ "3": {
+ "caption": "Unconfirmed (UC)"
+ },
+ "4": {
+ "caption": "Uncorroborated (UR)"
+ },
+ "5": {
+ "caption": "Unknown (U)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "scope_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Scope (S)",
+ "description": "Name: Scope (S). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "Unchanged (U)"
+ },
+ "1": {
+ "caption": "Changed (C)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
CVSS v2.0severity
attribute, which contains a data source specific value."
+ },
+ "0": {
+ "caption": "None",
+ "description": "The event severity is not known."
+ },
+ "1": {
+ "caption": "Low",
+ "description": "Informational message. No action required."
+ },
+ "2": {
+ "caption": "Medium",
+ "description": "The user decides if action is needed."
+ },
+ "3": {
+ "caption": "High",
+ "description": "Action is required but the situation is not serious at this time."
+ },
+ "4": {
+ "caption": "Critical",
+ "description": "Action is required immediately."
+ },
+ "5": {
+ "caption": "Critical",
+ "description": "Action is required immediately and the scope is broad."
+ },
+ "6": {
+ "caption": "Fatal",
+ "description": "An error occurred but it is too late to take remedial action."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event/finding severity is not mapped. See the severity
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "severity",
+ "type": "integer_t"
+ },
+ "target_distribution_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Target Distribution (TD)",
+ "description": "Name: Target Distribution (TD). Group: Environmental. CVSS version: v1, v2",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Low (L)"
+ },
+ "2": {
+ "caption": "Medium (LM)"
+ },
+ "3": {
+ "caption": "High (H)"
+ },
+ "4": {
+ "caption": "Not Defined (ND)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user_interaction_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "User Interaction (UI)",
+ "description": "The User Interaction Common Vulnerability Scoring System (CVSS) metric. Name: User Interaction (UI). Group: Base. CVSS version: v3",
+ "enum": {
+ "0": {
+ "caption": "None (N)"
+ },
+ "1": {
+ "caption": "Required (R)"
+ }
+ },
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "vector_string": {
+ "caption": "Vector String",
+ "description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The CVSS version. For example: 3.1
.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "CVSS Score",
+ "description": "The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.",
+ "extends": "object",
+ "name": "cvss"
+ },
+ "cwe": {
+ "attributes": {
+ "caption": {
+ "caption": "Caption",
+ "description": "The caption assigned to the Common Weakness Enumeration unique identifier.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "URL pointing to the CWE Specification. For more information see CWE.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "uid": {
+ "caption": "CWE ID",
+ "description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123
.",
+ "observable": 17,
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "CWE",
+ "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.",
+ "extends": "object",
+ "name": "cwe"
+ },
+ "data_classification": {
+ "attributes": {
+ "category": {
+ "caption": "Category",
+ "description": "The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_id": {
+ "caption": "Category ID",
+ "description": "The normalized identifier of the data classification category.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped. See the data_type
attribute, which contains a data source specific value."
+ },
+ "1": {
+ "caption": "Personal",
+ "description": "Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
+ },
+ "2": {
+ "caption": "Governmental",
+ "description": "Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc."
+ },
+ "3": {
+ "caption": "Financial",
+ "description": "Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc."
+ },
+ "4": {
+ "caption": "Business",
+ "description": "Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar."
+ },
+ "5": {
+ "caption": "Military and Law Enforcement",
+ "description": "Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data."
+ },
+ "6": {
+ "caption": "Security",
+ "description": "Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "category",
+ "type": "integer_t"
+ },
+ "confidentiality": {
+ "caption": "Confidentiality",
+ "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidentiality_id": {
+ "caption": "Confidentiality ID",
+ "description": "The normalized identifier of the file content confidentiality indicator.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The confidentiality is unknown."
+ },
+ "1": {
+ "caption": "Not Confidential"
+ },
+ "2": {
+ "caption": "Confidential"
+ },
+ "3": {
+ "caption": "Secret"
+ },
+ "4": {
+ "caption": "Top Secret"
+ },
+ "5": {
+ "caption": "Private"
+ },
+ "6": {
+ "caption": "Restricted"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidentiality is not mapped. See the confidentiality
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "confidentiality",
+ "type": "integer_t"
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "Details about the data policy that governs data handling and security measures related to classification.",
+ "requirement": "optional",
+ "type": "policy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Data Classification",
+ "constraints": {
+ "at_least_one": [
+ "category_id",
+ "confidentiality_id"
+ ]
+ },
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "extends": "object",
+ "name": "data_classification"
+ },
+ "data_security": {
+ "attributes": {
+ "category": {
+ "caption": "Category",
+ "description": "The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_id": {
+ "caption": "Category ID",
+ "description": "The normalized identifier of the data classification category.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped. See the data_type
attribute, which contains a data source specific value."
+ },
+ "1": {
+ "caption": "Personal",
+ "description": "Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
+ },
+ "2": {
+ "caption": "Governmental",
+ "description": "Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc."
+ },
+ "3": {
+ "caption": "Financial",
+ "description": "Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc."
+ },
+ "4": {
+ "caption": "Business",
+ "description": "Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar."
+ },
+ "5": {
+ "caption": "Military and Law Enforcement",
+ "description": "Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data."
+ },
+ "6": {
+ "caption": "Security",
+ "description": "Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "category",
+ "type": "integer_t"
+ },
+ "confidentiality": {
+ "caption": "Confidentiality",
+ "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidentiality_id": {
+ "caption": "Confidentiality ID",
+ "description": "The normalized identifier of the file content confidentiality indicator.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The confidentiality is unknown."
+ },
+ "1": {
+ "caption": "Not Confidential"
+ },
+ "2": {
+ "caption": "Confidential"
+ },
+ "3": {
+ "caption": "Secret"
+ },
+ "4": {
+ "caption": "Top Secret"
+ },
+ "5": {
+ "caption": "Private"
+ },
+ "6": {
+ "caption": "Restricted"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidentiality is not mapped. See the confidentiality
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "confidentiality",
+ "type": "integer_t"
+ },
+ "data_lifecycle_state": {
+ "caption": "Data Lifecycle State",
+ "description": "The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "data_lifecycle_state_id": {
+ "caption": "Data Lifecycle State ID",
+ "description": "The stage or state that the data was in when it was assessed or scanned by a data security tool.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped. See the data_lifecycle_state
attribute, which contains a data source specific value."
+ },
+ "1": {
+ "caption": "Data at-Rest",
+ "description": "The data was stored on physical or logcial media and was not actively moving through the network nor was being processed. E.g., data stored in a database, PDF files in a file share, or EHR records in object storage."
+ },
+ "2": {
+ "caption": "Data in-Transit",
+ "description": "The data was actively moving through the network or from one physical or logical location to another. E.g., emails being send, data replication or Change Data Capture (CDC) streams, or sensitive data processed on an API."
+ },
+ "3": {
+ "caption": "Data in-Use",
+ "description": "The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "data_lifecycle_state",
+ "type": "integer_t"
+ },
+ "data_type": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0",
+ "since": "1.2.0"
+ },
+ "caption": "Data Type",
+ "description": "The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "data_type_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0",
+ "since": "1.2.0"
+ },
+ "caption": "Data Type ID",
+ "description": "The category or type of sensitive data as assessed or scanned by a data security tool (e.g., Personal, Govermental, Financial).",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped. See the data_type
attribute, which contains a data source specific value."
+ },
+ "1": {
+ "caption": "Personal",
+ "description": "Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
+ },
+ "2": {
+ "caption": "Governmental",
+ "description": "Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc."
+ },
+ "3": {
+ "caption": "Financial",
+ "description": "Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc."
+ },
+ "4": {
+ "caption": "Business",
+ "description": "Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar."
+ },
+ "5": {
+ "caption": "Military and Law Enforcement",
+ "description": "Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data."
+ },
+ "6": {
+ "caption": "Security",
+ "description": "Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "data_type",
+ "type": "integer_t"
+ },
+ "detection_pattern": {
+ "caption": "Detection Pattern",
+ "description": "Specific pattern, algorithm, fingerpint, or model used for detection.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "detection_system": {
+ "caption": "Detection System",
+ "description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "detection_system_id": {
+ "caption": "Detection System ID",
+ "description": "The type of data security tool or system that the finding, detection, or alert originated from.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped. See the detection_system
attribute, which contains a data source specific value."
+ },
+ "1": {
+ "caption": "Endpoint",
+ "description": "A dedicated agent or sensor installed on a device, either a dedicated data security tool or an Endpoint Detection & Response (EDR) tool that can detect sensitive data and/or enforce data security policies. E.g., Forcepoint DLP, Symantec DLP, Microsoft Defender for Endpoint (MDE)."
+ },
+ "10": {
+ "caption": "Application-Level DLP",
+ "description": "A built in Data Loss Prevention (DLP) or other data security capability within a tool or platform such as an Enterprise Resource Planning (ERP) or Customer Relations Management (CRM) tool that can detect sensitive data and/or enforce data security policies."
+ },
+ "11": {
+ "caption": "Developer Security",
+ "description": "Any Developer Security tool such as an Infrastrucre-as-Securty (IAC) scanner, Secrets Detection, or Secure Software Development Lifecycle (SSDLC) tool that can detect sensitive data and/or enforce data security policies. E.g., TruffleHog, GitGuardian, Git-Secrets."
+ },
+ "12": {
+ "caption": "Data Security Posture Management",
+ "description": "A Data Security Posture Management (DSPM) tool is a continuous monitoring and data discovery solution that can detect sensitive data and/or enforce data security policies for local and cloud environments. E.g., Cyera, Sentra, IBM Polar Security."
+ },
+ "2": {
+ "caption": "DLP Gateway",
+ "description": "A Data Loss Prevention (DLP) gateway that is positioned in-line of an information store such as a network share, a database, or otherwise that can detect sensitive data and/or enforce data security policies."
+ },
+ "3": {
+ "caption": "Mobile Device Management",
+ "description": "A Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tool that can detect sensitive data and/or enforce data security policies on mobile devices (e.g., cellphones, tablets, End User Devices [EUDs])."
+ },
+ "4": {
+ "caption": "Data Discovery & Classification",
+ "description": "A tool that actively identifies and classifies sensitive data in digitial media and information stores in accordance with a policy or automated functionality. E.g, Amazon Macie, Microsoft Purview."
+ },
+ "5": {
+ "caption": "Secure Web Gateway",
+ "description": "A Secure Web Gateway (SWG) is any tool that can detect sensitive data and/or enforce data security policies at a network-edge such as within a proxy or firewall service."
+ },
+ "6": {
+ "caption": "Secure Email Gateway",
+ "description": "A Secure Email Gateway (SEG) is any tool that can detect sensitive data and/or enforce data security policies within email systems. E.g., Microsoft Defender for Office, Google Workspaces."
+ },
+ "7": {
+ "caption": "Digital Rights Management",
+ "description": "A Digital Rights Management (DRM) or a dedicated Information Rights Management (IRM) are tools which can detect sensitive data and/or enforce data security policies on digitial media via policy or user access rights."
+ },
+ "8": {
+ "caption": "Cloud Access Security Broker",
+ "description": "A Cloud Access Security Broker (CASB) that can detect sensitive data and/or enforce data security policies in-line to cloud systems such as the public cloud or Software-as-a-Service (SaaS) tool. E.g., Forcepoint CASB, SkyHigh Security."
+ },
+ "9": {
+ "caption": "Database Activity Monitoring",
+ "description": "A Database Activity Monitoring (DAM) tool that can detect sensitive data and/or enforce data security policies as part of a dedicated database or warehouse monitoring solution."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "Any other type of detection system or a multi-variate system made up of several other systems."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "detection_system",
+ "type": "integer_t"
+ },
+ "pattern_match": {
+ "caption": "Pattern Match",
+ "description": "A text, binary, file name, or datastore that matched against a detection rule.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "policy": {
+ "caption": "Policy",
+ "description": "Details about the policy that triggered the finding.",
+ "requirement": "recommended",
+ "type": "policy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Data Security",
+ "constraints": {
+ "at_least_one": [
+ "data_lifecycle_state_id",
+ "detection_pattern",
+ "detection_system_id",
+ "policy"
+ ]
+ },
+ "description": "The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).",
+ "extends": "data_classification",
+ "name": "data_security"
+ },
+ "database": {
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the database was known to have been created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the database.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "groups": {
+ "caption": "Groups",
+ "description": "The group names to which the database belongs.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "group"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The most recent time when any changes, updates, or modifications were made within the database.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The database name, ordinarily as assigned by a database administrator.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size of the database in bytes.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The database type.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The normalized identifier of the database type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Relational"
+ },
+ "2": {
+ "caption": "Network"
+ },
+ "3": {
+ "caption": "Object Oriented"
+ },
+ "4": {
+ "caption": "Centralized"
+ },
+ "5": {
+ "caption": "Operational"
+ },
+ "6": {
+ "caption": "NoSQL"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the database.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Database",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+ "extends": "_entity",
+ "name": "database",
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "databucket": {
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the databucket was known to have been created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the databucket.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "A file within a databucket.",
+ "observable": 24,
+ "requirement": "optional",
+ "type": "file"
+ },
+ "groups": {
+ "caption": "Groups",
+ "description": "The group names to which the databucket belongs.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "group"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The most recent time when any changes, updates, or modifications were made within the databucket.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The databucket name.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size of the databucket in bytes.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The databucket type.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The normalized identifier of the databucket type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "S3"
+ },
+ "2": {
+ "caption": "Azure Blob"
+ },
+ "3": {
+ "caption": "GCP Bucket"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the databucket.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Databucket",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The databucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "extends": "_entity",
+ "name": "databucket",
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "dce_rpc": {
+ "attributes": {
+ "command": {
+ "caption": "Command",
+ "description": "The request command (e.g. REQUEST, BIND).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "command_response": {
+ "caption": "Command Response",
+ "description": "The reply to the request command (e.g. RESPONSE, BINDACK or FAULT).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "flags": {
+ "caption": "Flags",
+ "description": "The list of interface flags.",
+ "is_array": true,
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "network_interfaces": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Network Interfaces",
+ "description": "The list of DCE/RPC interfaces",
+ "is_array": true,
+ "requirement": "required",
+ "type": "network_interface"
+ },
+ "opnum": {
+ "caption": "Opnum",
+ "description": "An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "rpc_interface": {
+ "caption": "Remote Procedure Call Interface",
+ "description": "The RPC Interface object describes the details pertaining to the remote procedure call interface.",
+ "requirement": "required",
+ "type": "rpc_interface"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "DCE/RPC",
+ "description": "The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments. Defined by D3FEND d3f:RemoteProcedureCall.",
+ "extends": "object",
+ "name": "dce_rpc"
+ },
+ "device": {
+ "attributes": {
+ "agent_list": {
+ "caption": "Agent List",
+ "description": "A list of agent
objects associated with a device, endpoint, or resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "agent"
+ },
+ "autoscale_uid": {
+ "caption": "Autoscale UID",
+ "description": "The unique identifier of the cloud autoscale configuration.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "container": {
+ "caption": "Container",
+ "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
+ "group": "context",
+ "observable": 27,
+ "requirement": "recommended",
+ "type": "container"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the device was known to have been created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the device, ordinarily as reported by the operating system.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The network domain where the device resides. For example: work.example.com
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "first_seen_time": {
+ "caption": "First Seen",
+ "description": "The initial discovery time of the device.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "groups": {
+ "caption": "Groups",
+ "description": "The group names to which the device belongs. For example: [\"Windows Laptops\", \"Engineering\"]
.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "group"
+ },
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The device hostname.",
+ "observable": 1,
+ "requirement": "recommended",
+ "type": "hostname_t"
+ },
+ "hw_info": {
+ "caption": "Hardware Info",
+ "description": "The endpoint hardware information.",
+ "requirement": "optional",
+ "type": "device_hw_info"
+ },
+ "hypervisor": {
+ "caption": "Hypervisor",
+ "description": "The name of the hypervisor running on the device. For example, Xen
, VMware
, Hyper-V
, VirtualBox
, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "image": {
+ "caption": "Image",
+ "description": "The image used as a template to run the virtual machine.",
+ "requirement": "optional",
+ "type": "image"
+ },
+ "imei": {
+ "caption": "IMEI",
+ "description": "The International Mobile Station Equipment Identifier that is associated with the device.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "instance_uid": {
+ "caption": "Instance ID",
+ "description": "The unique identifier of a VM instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_name": {
+ "caption": "Network Interface Name",
+ "description": "The name of the network interface (e.g. eth2).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_uid": {
+ "caption": "Network Interface ID",
+ "description": "The unique identifier of the network interface.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "ip": {
+ "caption": "IP Address",
+ "description": "The device IP address, in either IPv4 or IPv6 format.",
+ "observable": 2,
+ "requirement": "recommended",
+ "type": "ip_t"
+ },
+ "is_compliant": {
+ "caption": "Compliant Device",
+ "description": "The event occurred on a compliant device.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_managed": {
+ "caption": "Managed Device",
+ "description": "The event occurred on a managed device.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_personal": {
+ "caption": "Personal Device",
+ "description": "The event occurred on a personal device.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_trusted": {
+ "caption": "Trusted Device",
+ "description": "The event occurred on a trusted device.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "last_seen_time": {
+ "caption": "Last Seen",
+ "description": "The most recent discovery time of the device.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "The geographical location of the device.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "mac": {
+ "caption": "MAC Address",
+ "description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
+ "requirement": "optional",
+ "type": "mac_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the device was last known to have been modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The alternate device name, ordinarily as assigned by an administrator. Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234
.
",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "namespace_pid": {
+ "caption": "Namespace PID",
+ "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "network_interfaces": {
+ "caption": "Network Interfaces",
+ "description": "The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.Note: The first element of the array is the network information that pertains to the event.
",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "network_interface"
+ },
+ "org": {
+ "caption": "Organization",
+ "description": "Organization and org unit related to the device.",
+ "requirement": "optional",
+ "type": "organization"
+ },
+ "org_unit": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Org Unit",
+ "description": "The name of the organization to which the user belongs.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "os": {
+ "caption": "OS",
+ "description": "The endpoint operating system.",
+ "requirement": "optional",
+ "type": "os"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "region": {
+ "caption": "Region",
+ "description": "The region where the virtual machine is located. For example, an AWS Region.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "reputation": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "risk_level": {
+ "caption": "Risk Level",
+ "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "risk_level_id": {
+ "caption": "Risk Level ID",
+ "description": "The normalized risk level id.",
+ "enum": {
+ "0": {
+ "caption": "Info"
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "risk_level",
+ "type": "integer_t"
+ },
+ "risk_score": {
+ "caption": "Risk Score",
+ "description": "The risk score as reported by the event source.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "subnet": {
+ "caption": "Subnet",
+ "description": "The subnet mask.",
+ "observable": 12,
+ "requirement": "optional",
+ "type": "subnet_t"
+ },
+ "subnet_uid": {
+ "caption": "Subnet UID",
+ "description": "The unique identifier of a virtual subnet.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The device type. For example: unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The device type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Server",
+ "description": "A server."
+ },
+ "10": {
+ "caption": "Switch",
+ "description": "A networking switch."
+ },
+ "11": {
+ "caption": "Hub",
+ "description": "A networking hub."
+ },
+ "2": {
+ "caption": "Desktop",
+ "description": "A desktop computer."
+ },
+ "3": {
+ "caption": "Laptop",
+ "description": "A laptop computer."
+ },
+ "4": {
+ "caption": "Tablet",
+ "description": "A tablet computer."
+ },
+ "5": {
+ "caption": "Mobile",
+ "description": "A mobile phone."
+ },
+ "6": {
+ "caption": "Virtual",
+ "description": "A virtual machine."
+ },
+ "7": {
+ "caption": "IOT",
+ "description": "A IOT (Internet of Things) device."
+ },
+ "8": {
+ "caption": "Browser",
+ "description": "A web browser."
+ },
+ "9": {
+ "caption": "Firewall",
+ "description": "A networking firewall."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid_alt": {
+ "caption": "Alternate ID",
+ "description": "An alternate unique identifier of the device if any. For example the ActiveDirectory DN.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vlan_uid": {
+ "caption": "VLAN",
+ "description": "The Virtual LAN identifier.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "vpc_uid": {
+ "caption": "VPC UID",
+ "description": "The unique identifier of the Virtual Private Cloud (VPC).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "zone": {
+ "caption": "Network Zone",
+ "description": "The network zone or LAN segment.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Device",
+ "constraints": {
+ "at_least_one": [
+ "ip",
+ "uid",
+ "name",
+ "hostname",
+ "instance_uid",
+ "interface_uid",
+ "interface_name"
+ ]
+ },
+ "description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.",
+ "extends": "endpoint",
+ "name": "device",
+ "profiles": [
+ "container"
+ ]
+ },
+ "device_hw_info": {
+ "attributes": {
+ "bios_date": {
+ "caption": "BIOS Date",
+ "description": "The BIOS date. For example: 03/31/16
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "bios_manufacturer": {
+ "caption": "BIOS Manufacturer",
+ "description": "The BIOS manufacturer. For example: LENOVO
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "bios_ver": {
+ "caption": "BIOS Version",
+ "description": "The BIOS version. For example: LENOVO G5ETA2WW (2.62)
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "chassis": {
+ "caption": "Chassis",
+ "description": "The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cpu_bits": {
+ "caption": "CPU Bits",
+ "description": "The cpu architecture, the number of bits used for addressing in memory. For example: 32
or 64
.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "cpu_cores": {
+ "caption": "CPU Cores",
+ "description": "The number of processor cores in all installed processors. For Example: 42
.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "cpu_count": {
+ "caption": "CPU Count",
+ "description": "The number of physical processors on a system. For example: 1
.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "cpu_speed": {
+ "caption": "Processor Speed",
+ "description": "The speed of the processor in Mhz. For Example: 4200
.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "cpu_type": {
+ "caption": "Processor Type",
+ "description": "The processor type. For example: x86 Family 6 Model 37 Stepping 5
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "desktop_display": {
+ "caption": "Desktop Display",
+ "description": "The desktop display affiliated with the event",
+ "requirement": "optional",
+ "type": "display"
+ },
+ "keyboard_info": {
+ "caption": "Keyboard Information",
+ "description": "The keyboard detailed information.",
+ "requirement": "optional",
+ "type": "keyboard_info"
+ },
+ "ram_size": {
+ "caption": "RAM Size",
+ "description": "The total amount of installed RAM, in Megabytes. For example: 2048
.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "serial_number": {
+ "caption": "Serial Number",
+ "description": "The device manufacturer serial number.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Device Hardware Info",
+ "description": "The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.",
+ "extends": "object",
+ "name": "device_hw_info"
+ },
+ "digital_signature": {
+ "attributes": {
+ "algorithm": {
+ "caption": "Algorithm",
+ "description": "The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "algorithm_id": {
+ "caption": "Algorithm ID",
+ "description": "The identifier of the normalized digital signature algorithm.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The algorithm is unknown."
+ },
+ "1": {
+ "caption": "DSA",
+ "description": "Digital Signature Algorithm (DSA)."
+ },
+ "2": {
+ "caption": "RSA",
+ "description": "Rivest-Shamir-Adleman (RSA) Algorithm."
+ },
+ "3": {
+ "caption": "ECDSA",
+ "description": "Elliptic Curve Digital Signature Algorithm."
+ },
+ "4": {
+ "caption": "Authenticode",
+ "description": "Microsoft Authenticode Digital Signature Algorithm."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The algorithm is not mapped. See the algorithm
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "algorithm",
+ "type": "integer_t"
+ },
+ "certificate": {
+ "caption": "Certificate",
+ "description": "The certificate object containing information about the digital certificate.",
+ "requirement": "recommended",
+ "type": "certificate"
+ },
+ "company_name": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Company Name",
+ "description": "The name of the company that published the file. For example: Microsoft Corporation
.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the digital signature was created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "developer_uid": {
+ "caption": "Developer UID",
+ "description": "The developer ID on the certificate that signed the file.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "digest": {
+ "caption": "Message Digest",
+ "description": "The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.",
+ "observable": 30,
+ "requirement": "optional",
+ "type": "fingerprint"
+ },
+ "fingerprints": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Fingerprints",
+ "description": "An array of digital fingerprint objects.",
+ "is_array": true,
+ "observable": 30,
+ "requirement": "optional",
+ "type": "fingerprint"
+ },
+ "issuer_name": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Issuer Name",
+ "description": "The certificate issuer name.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "serial_number": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Serial Number",
+ "description": "The serial number of the digital signature.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Digital Signature",
+ "description": "The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.",
+ "extends": "object",
+ "name": "digital_signature"
+ },
+ "display": {
+ "attributes": {
+ "color_depth": {
+ "caption": "Color Depth",
+ "description": "The numeric color depth.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "physical_height": {
+ "caption": "Physical Height",
+ "description": "The numeric physical height of display.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "physical_orientation": {
+ "caption": "Physical Orientation",
+ "description": "The numeric physical orientation of display.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "physical_width": {
+ "caption": "Physical Width",
+ "description": "The numeric physical width of display.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "scale_factor": {
+ "caption": "Scale Factor",
+ "description": "The numeric scale factor of display.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Display",
+ "description": "The Display object contains information about the physical or virtual display connected to a computer system.",
+ "extends": "object",
+ "name": "display"
+ },
+ "dns_answer": {
+ "attributes": {
+ "class": {
+ "caption": "Resource Record Class",
+ "description": "The class of DNS data contained in this resource record. See RFC1035. For example: IN
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "flag_ids": {
+ "caption": "DNS Header Flags",
+ "description": "The list of DNS answer header flag IDs.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Authoritative Answer"
+ },
+ "2": {
+ "caption": "Truncated Response"
+ },
+ "3": {
+ "caption": "Recursion Desired"
+ },
+ "4": {
+ "caption": "Recursion Available"
+ },
+ "5": {
+ "caption": "Authentic Data"
+ },
+ "6": {
+ "caption": "Checking Disabled"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event DNS header flag is not mapped."
+ }
+ },
+ "is_array": true,
+ "requirement": "optional",
+ "sibling": "flags",
+ "type": "integer_t"
+ },
+ "flags": {
+ "caption": "DNS Header Flags",
+ "description": "The list of DNS answer header flags.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "packet_uid": {
+ "caption": "Packet UID",
+ "description": "The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "rdata": {
+ "caption": "DNS RData",
+ "description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "ttl": {
+ "caption": "TTL",
+ "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "type": {
+ "caption": "Resource Record Type",
+ "description": "The type of data contained in this resource record. See RFC1035. For example: CNAME
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "DNS Answer",
+ "description": "The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation. It encapsulates the relevant details and data returned by the DNS server in response to a query.",
+ "extends": "_dns",
+ "name": "dns_answer"
+ },
+ "dns_query": {
+ "attributes": {
+ "class": {
+ "caption": "Resource Record Class",
+ "description": "The class of resource records being queried. See RFC1035. For example: IN
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The hostname or domain being queried. For example: www.example.com
",
+ "observable": 1,
+ "requirement": "required",
+ "type": "hostname_t"
+ },
+ "opcode": {
+ "caption": "DNS Opcode",
+ "description": "The DNS opcode specifies the type of the query message.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "opcode_id": {
+ "caption": "DNS Opcode ID",
+ "description": "The DNS opcode ID specifies the normalized query message type.",
+ "enum": {
+ "0": {
+ "caption": "Query",
+ "description": "Standard query"
+ },
+ "1": {
+ "caption": "Inverse Query",
+ "description": "Inverse query, obsolete"
+ },
+ "2": {
+ "caption": "Status",
+ "description": "Server status request"
+ },
+ "3": {
+ "caption": "Reserved",
+ "description": "Reserved, not used"
+ },
+ "4": {
+ "caption": "Notify",
+ "description": "Zone change notification"
+ },
+ "5": {
+ "caption": "Update",
+ "description": "Dynamic DNS update"
+ },
+ "6": {
+ "caption": "DSO Message",
+ "description": "DNS Stateful Operations (DSO)"
+ }
+ },
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "packet_uid": {
+ "caption": "Packet UID",
+ "description": "The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Resource Record Type",
+ "description": "The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "DNS Query",
+ "description": "The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX). Defined by D3FEND d3f:DNSLookup.",
+ "extends": "_dns",
+ "name": "dns_query"
+ },
+ "domain_info": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the domain was registered/created.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The domain name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The domain expiration time.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the domain was last modified.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "registrar": {
+ "caption": "Domain Registrar",
+ "description": "The domain registrar.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Domain Information",
+ "description": "The registration information pertaining to a domain.",
+ "extension": "archive",
+ "name": "domain_info"
+ },
+ "domain_intelligence": {
+ "attributes": {
+ "details": {
+ "caption": "Details",
+ "description": "Details about the IP address.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "dns_entries": {
+ "caption": "DNS Entries",
+ "description": "The Domain Name System (DNS) entries from passive DNS logs or a direct query for enrichment.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "dns_answer"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The name of the domain.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "domain_info": {
+ "caption": "Domain Information",
+ "description": "The registration information pertaining to a domain.",
+ "requirement": "optional",
+ "type": "domain_info"
+ },
+ "findings": {
+ "caption": "Findings",
+ "description": "The findings from threat intelligence platforms",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "finding"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The labels or tags in the intelligence.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "Additional references for more information.",
+ "description": "A list of reference URLs supporting the finding/detection.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "reputations": {
+ "caption": "Reputations",
+ "description": "Reputation score as reported by provider",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The vendor that provided the intelligence.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Domain Threat Intelligence",
+ "description": "Insights from threat intelligence platforms about domains",
+ "extends": "_base_threat_intelligence",
+ "extension": "query",
+ "name": "domain_intelligence"
+ },
+ "email": {
+ "attributes": {
+ "cc": {
+ "caption": "Cc",
+ "description": "The email header Cc values, as defined by RFC 5322.",
+ "is_array": true,
+ "observable": 5,
+ "requirement": "optional",
+ "type": "email_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "delivered_to": {
+ "caption": "Delivered To",
+ "description": "The Delivered-To email header field.",
+ "observable": 5,
+ "requirement": "optional",
+ "type": "email_t"
+ },
+ "direction": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Direction",
+ "description": "The direction of the email, as defined by the direction_id
value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "direction_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Direction ID",
+ "description": "The direction of the email relative to the scanning host or organization.Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from the workstation.",
+ "enum": {
+ "-1": {
+ "caption": "Other"
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The email direction is unknown."
+ },
+ "1": {
+ "caption": "Inbound",
+ "description": "Email Inbound, from the Internet or outside network destined for an entity inside network."
+ },
+ "2": {
+ "caption": "Outbound",
+ "description": "Email Outbound, from inside the network destined for an entity outside network."
+ },
+ "3": {
+ "caption": "Internal",
+ "description": "Email Internal, from inside the network destined for an entity inside network."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The direction is not mapped. See the direction
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "direction",
+ "type": "integer_t"
+ },
+ "from": {
+ "caption": "From",
+ "description": "The email header From values, as defined by RFC 5322.",
+ "observable": 5,
+ "requirement": "required",
+ "type": "email_t"
+ },
+ "message_uid": {
+ "caption": "Message UID",
+ "description": "The email header Message-Id value, as defined by RFC 5322.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "raw_header": {
+ "caption": "Raw Header",
+ "description": "The email authentication header.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "recipient_users": {
+ "caption": "Recipient Users",
+ "description": "The users receiving the email",
+ "is_array": true,
+ "observable": 21,
+ "requirement": "optional",
+ "type": "user"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reply_to": {
+ "caption": "Reply To",
+ "description": "The email header Reply-To values, as defined by RFC 5322.",
+ "observable": 5,
+ "requirement": "recommended",
+ "type": "email_t"
+ },
+ "sender_users": {
+ "caption": "Sender Users",
+ "description": "The user who sent the email",
+ "observable": 21,
+ "requirement": "optional",
+ "type": "user"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size in bytes of the email, including attachments.",
+ "requirement": "recommended",
+ "type": "long_t"
+ },
+ "smtp_from": {
+ "caption": "SMTP From",
+ "description": "The value of the SMTP MAIL FROM command.",
+ "observable": 5,
+ "requirement": "recommended",
+ "type": "email_t"
+ },
+ "smtp_hello": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "SMTP Hello",
+ "description": "The value of the SMTP HELO or EHLO command.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "smtp_to": {
+ "caption": "SMTP To",
+ "description": "The value of the SMTP envelope RCPT TO command.",
+ "is_array": true,
+ "observable": 5,
+ "requirement": "recommended",
+ "type": "email_t"
+ },
+ "subject": {
+ "caption": "Subject",
+ "description": "The email header Subject value, as defined by RFC 5322.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "to": {
+ "caption": "To",
+ "description": "The email header To values, as defined by RFC 5322.",
+ "is_array": true,
+ "observable": 5,
+ "requirement": "required",
+ "type": "email_t"
+ },
+ "uid": {
+ "caption": "Email UID",
+ "description": "The email unique identifier.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "x_originating_ip": {
+ "caption": "X-Originating-IP",
+ "description": "The X-Originating-IP header identifying the emails originating IP address(es).",
+ "is_array": true,
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ }
+ },
+ "caption": "Email",
+ "description": "The Email object describes the email metadata such as sender, recipients, and direction.",
+ "extends": null,
+ "name": "email",
+ "observable": 22,
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "email_auth": {
+ "attributes": {
+ "dkim": {
+ "caption": "DKIM Status",
+ "description": "The DomainKeys Identified Mail (DKIM) status of the email.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "dkim_domain": {
+ "caption": "DKIM Domain",
+ "description": "The DomainKeys Identified Mail (DKIM) signing domain of the email.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "dkim_signature": {
+ "caption": "DKIM Signature",
+ "description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "dmarc": {
+ "caption": "DMARC Status",
+ "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "dmarc_override": {
+ "caption": "DMARC Override",
+ "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "dmarc_policy": {
+ "caption": "DMARC Policy",
+ "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "raw_header": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Raw Header",
+ "description": "The email authentication header.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "spf": {
+ "caption": "SPF Status",
+ "description": "The Sender Policy Framework (SPF) status of the email.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Email Authentication",
+ "description": "The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.",
+ "extends": "object",
+ "name": "email_auth"
+ },
+ "endpoint": {
+ "attributes": {
+ "agent_list": {
+ "caption": "Agent List",
+ "description": "A list of agent
objects associated with a device, endpoint, or resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "agent"
+ },
+ "container": {
+ "caption": "Container",
+ "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
+ "group": "context",
+ "observable": 27,
+ "requirement": "recommended",
+ "type": "container"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The name of the domain.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The fully qualified name of the endpoint.",
+ "observable": 1,
+ "requirement": "recommended",
+ "type": "hostname_t"
+ },
+ "hw_info": {
+ "caption": "Hardware Info",
+ "description": "The endpoint hardware information.",
+ "requirement": "optional",
+ "type": "device_hw_info"
+ },
+ "instance_uid": {
+ "caption": "Instance ID",
+ "description": "The unique identifier of a VM instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_name": {
+ "caption": "Network Interface Name",
+ "description": "The name of the network interface (e.g. eth2).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_uid": {
+ "caption": "Network Interface ID",
+ "description": "The unique identifier of the network interface.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "ip": {
+ "caption": "IP Address",
+ "description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
+ "observable": 2,
+ "requirement": "recommended",
+ "type": "ip_t"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "The geographical location of the endpoint.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "mac": {
+ "caption": "MAC Address",
+ "description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
+ "requirement": "optional",
+ "type": "mac_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The short name of the endpoint.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "namespace_pid": {
+ "caption": "Namespace PID",
+ "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "os": {
+ "caption": "OS",
+ "description": "The endpoint operating system.",
+ "requirement": "optional",
+ "type": "os"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "subnet_uid": {
+ "caption": "Subnet UID",
+ "description": "The unique identifier of a virtual subnet.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The endpoint type. For example: unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The endpoint type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Server",
+ "description": "A server."
+ },
+ "10": {
+ "caption": "Switch",
+ "description": "A networking switch."
+ },
+ "11": {
+ "caption": "Hub",
+ "description": "A networking hub."
+ },
+ "2": {
+ "caption": "Desktop",
+ "description": "A desktop computer."
+ },
+ "3": {
+ "caption": "Laptop",
+ "description": "A laptop computer."
+ },
+ "4": {
+ "caption": "Tablet",
+ "description": "A tablet computer."
+ },
+ "5": {
+ "caption": "Mobile",
+ "description": "A mobile phone."
+ },
+ "6": {
+ "caption": "Virtual",
+ "description": "A virtual machine."
+ },
+ "7": {
+ "caption": "IOT",
+ "description": "A IOT (Internet of Things) device."
+ },
+ "8": {
+ "caption": "Browser",
+ "description": "A web browser."
+ },
+ "9": {
+ "caption": "Firewall",
+ "description": "A networking firewall."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the endpoint.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vlan_uid": {
+ "caption": "VLAN",
+ "description": "The Virtual LAN identifier.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "vpc_uid": {
+ "caption": "VPC UID",
+ "description": "The unique identifier of the Virtual Private Cloud (VPC).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "zone": {
+ "caption": "Network Zone",
+ "description": "The network zone or LAN segment.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Endpoint",
+ "constraints": {
+ "at_least_one": [
+ "ip",
+ "uid",
+ "name",
+ "hostname",
+ "instance_uid",
+ "interface_uid",
+ "interface_name"
+ ]
+ },
+ "description": "The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices\u2014like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats\u2014are also endpoints.",
+ "extends": "_entity",
+ "name": "endpoint",
+ "observable": 20,
+ "profiles": [
+ "container"
+ ]
+ },
+ "endpoint_connection": {
+ "attributes": {
+ "code": {
+ "caption": "Response Code",
+ "description": "A numerical response status code providing details about the connection.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "network_endpoint": {
+ "caption": "Network Endpoint",
+ "description": "Provides characteristics of the network endpoint.",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Endpoint Connection",
+ "constraints": {
+ "at_least_one": [
+ "network_endpoint",
+ "code"
+ ]
+ },
+ "description": "The Endpoint Connection object contains information detailing a connection attempt to an endpoint.",
+ "extends": "object",
+ "name": "endpoint_connection"
+ },
+ "enrichment": {
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.",
+ "requirement": "required",
+ "type": "json_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the attribute to which the enriched data pertains.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "provider": {
+ "caption": "Provider",
+ "description": "The enrichment data provider name.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The enrichment type. For example: location
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The value of the attribute to which the enriched data pertains.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Enrichment",
+ "description": "The Enrichment object provides inline enrichment data for specific attributes of interest within an event. It serves as a mechanism to enhance or supplement the information associated with the event by adding additional relevant details or context.",
+ "extends": "object",
+ "name": "enrichment"
+ },
+ "epss": {
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The timestamp indicating when the EPSS score was calculated.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "percentile": {
+ "caption": "EPSS Percentile",
+ "description": "The EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.",
+ "requirement": "optional",
+ "type": "float_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "score": {
+ "caption": "EPPS Score",
+ "description": "The EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication).",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the EPSS model used to calculate the score.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "EPSS",
+ "description": "The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (EPSS).",
+ "extends": "object",
+ "name": "epss"
+ },
+ "evidences": {
+ "attributes": {
+ "actor": {
+ "caption": "Actor",
+ "description": "Describes details about the user/role/process that was the source of the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "actor"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about the API call associated to the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "api"
+ },
+ "connection_info": {
+ "caption": "Connection Info",
+ "description": "Describes details about the network connection associated to the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "network_connection_info"
+ },
+ "container": {
+ "caption": "Container",
+ "description": "Describes details about the container associated to the activity that triggered the detection.",
+ "observable": 27,
+ "requirement": "recommended",
+ "type": "container"
+ },
+ "data": {
+ "caption": "Data",
+ "description": "Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.
",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "database": {
+ "caption": "Database",
+ "description": "Describes details about the database associated to the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "database"
+ },
+ "databucket": {
+ "caption": "Databucket",
+ "description": "Describes details about the databucket associated to the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "databucket"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "Describes details about the destination of the network activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "file": {
+ "caption": "File",
+ "description": "Describes details about the file associated to the activity that triggered the detection.",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "process": {
+ "caption": "Process",
+ "description": "Describes details about the process associated to the activity that triggered the detection.",
+ "observable": 25,
+ "requirement": "recommended",
+ "type": "process"
+ },
+ "query": {
+ "caption": "DNS Query",
+ "description": "Describes details about the DNS query associated to the activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "dns_query"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_endpoint": {
+ "caption": "Source Endpoint",
+ "description": "Describes details about the source of the network activity that triggered the detection.",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Evidence Artifacts",
+ "constraints": {
+ "at_least_one": [
+ "actor",
+ "api",
+ "connection_info",
+ "data",
+ "database",
+ "databucket",
+ "dst_endpoint",
+ "file",
+ "process",
+ "query",
+ "src_endpoint"
+ ]
+ },
+ "description": "A collection of evidence artifacts associated to the activity/activities that triggered a security detection.",
+ "extends": "object",
+ "name": "evidences"
+ },
+ "extension": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The schema extension name. For example: dev
.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The schema extension unique identifier. For example: 999
.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The schema extension version. For example: 1.0.0-alpha.2
.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Schema Extension",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.",
+ "extends": "_entity",
+ "name": "extension"
+ },
+ "feature": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the feature.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the feature.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the feature.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Feature",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.",
+ "extends": "_entity",
+ "name": "feature"
+ },
+ "file": {
+ "attributes": {
+ "accessed_time": {
+ "caption": "Accessed Time",
+ "description": "The time when the file was last accessed.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "accessor": {
+ "caption": "Accessor",
+ "description": "The name of the user who last accessed the object.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "attributes": {
+ "caption": "Attributes",
+ "description": "The bitmask value that represents the file attributes.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "company_name": {
+ "caption": "Company Name",
+ "description": "The name of the company that published the file. For example: Microsoft Corporation
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidentiality": {
+ "caption": "Confidentiality",
+ "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "confidentiality_id": {
+ "caption": "Confidentiality ID",
+ "description": "The normalized identifier of the file content confidentiality indicator.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The confidentiality is unknown."
+ },
+ "1": {
+ "caption": "Not Confidential"
+ },
+ "2": {
+ "caption": "Confidential"
+ },
+ "3": {
+ "caption": "Secret"
+ },
+ "4": {
+ "caption": "Top Secret"
+ },
+ "5": {
+ "caption": "Private"
+ },
+ "6": {
+ "caption": "Restricted"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The confidentiality is not mapped. See the confidentiality
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "confidentiality",
+ "type": "integer_t"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the file was created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "creator": {
+ "caption": "Creator",
+ "description": "The user that created the file.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "fingerprints": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Fingerprints",
+ "description": "An array of digital fingerprint objects.",
+ "is_array": true,
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "hashes": {
+ "caption": "Hashes",
+ "description": "An array of hash attributes.",
+ "is_array": true,
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "is_system": {
+ "caption": "System",
+ "description": "The indication of whether the object is part of the operating system.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "mime_type": {
+ "caption": "MIME type",
+ "description": "The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the file was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "modifier": {
+ "caption": "Modifier",
+ "description": "The user that last modified the file.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the file. For example: svchost.exe
",
+ "name": "file_name_t",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The user that owns the file/object.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "parent_folder": {
+ "caption": "Parent Folder",
+ "description": "The parent folder in which the file resides. For example: c:\\windows\\system32
",
+ "requirement": "optional",
+ "type": "path_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path to the file. For example: c:\\windows\\system32\\svchost.exe
.",
+ "requirement": "recommended",
+ "type": "path_t"
+ },
+ "product": {
+ "caption": "Product",
+ "description": "The product that created or installed the file.",
+ "requirement": "optional",
+ "type": "product"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "security_descriptor": {
+ "caption": "Security Descriptor",
+ "description": "The object security descriptor.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "signature": {
+ "caption": "Digital Signature",
+ "description": "The digital signature of the file.",
+ "requirement": "optional",
+ "type": "digital_signature"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size of data, in bytes.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The file type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The file type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Regular File"
+ },
+ "2": {
+ "caption": "Folder"
+ },
+ "3": {
+ "caption": "Character Device"
+ },
+ "4": {
+ "caption": "Block Device"
+ },
+ "5": {
+ "caption": "Local Socket"
+ },
+ "6": {
+ "caption": "Named Pipe"
+ },
+ "7": {
+ "caption": "Symbolic Link"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the file as defined by the storage system, such the file system file ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The file version. For example: 8.0.7601.17514
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "xattributes": {
+ "caption": "Extended Attributes",
+ "description": "An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: - ads_name
- ads_size
- dacl
- owner
- primary_group
- link_name - name of the link associated to the file.
- hard_link_count - the number of links that are associated to the file.
",
+ "requirement": "optional",
+ "type": "json_t"
+ }
+ },
+ "caption": "File",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.",
+ "extends": "_entity",
+ "name": "file",
+ "observable": 24,
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "file_intelligence": {
+ "attributes": {
+ "details": {
+ "caption": "Details",
+ "description": "Details about the IP address.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "filenames": {
+ "caption": "Filenames",
+ "description": "The names a file is known by.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "findings": {
+ "caption": "Findings",
+ "description": "The findings from threat intelligence platforms",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "finding"
+ },
+ "fingerprints": {
+ "caption": "Fingerprints",
+ "description": "An array of known fingerprints for the file.",
+ "is_array": true,
+ "observable": 30,
+ "requirement": "optional",
+ "type": "fingerprint"
+ },
+ "first_seen_time": {
+ "caption": "First Seen",
+ "description": "The initial detection time of the activity or object. See specific usage",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The labels or tags in the intelligence.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "last_seen_time": {
+ "caption": "Last Seen",
+ "description": "The most recent detection time of the activity or object. See specific usage.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "Additional references for more information.",
+ "description": "A list of reference URLs supporting the finding/detection.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "reputations": {
+ "caption": "Reputations",
+ "description": "Reputation score as reported by provider",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The vendor that provided the intelligence.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "File Threat Intelligence",
+ "description": "Insights from threat intelligence platforms about files",
+ "extends": "_base_threat_intelligence",
+ "extension": "query",
+ "name": "file_intelligence"
+ },
+ "finding": {
+ "@deprecated": {
+ "message": "Use the new finding_info
object.",
+ "since": "1.0.0"
+ },
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the finding was created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the reported finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "first_seen_time": {
+ "caption": "First Seen",
+ "description": "The time when the finding was first observed.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "last_seen_time": {
+ "caption": "Last Seen",
+ "description": "The time when the finding was most recently observed.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the finding was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "product_uid": {
+ "caption": "Product Identifier",
+ "description": "The unique identifier of the product that reported the finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "related_events": {
+ "caption": "Related Events",
+ "description": "Describes events and/or other findings related to the finding as identified by the security product.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "related_event"
+ },
+ "related_findings": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Related Findings",
+ "description": "Describes findings related to a finding as identified by the security product.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "related_findings"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "Describes the recommended remediation steps to address identified issue(s).",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The URL pointing to the source of the finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "supporting_data": {
+ "caption": "Supporting Data",
+ "description": "Additional data supporting a finding as provided by security tool",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "title": {
+ "caption": "Title",
+ "description": "A title or a brief phrase summarizing the reported finding.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "types": {
+ "caption": "Types",
+ "description": "One or more types of the reported finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the reported finding.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Finding",
+ "description": "The Finding object describes metadata related to a security finding generated by a security tool or system.",
+ "extends": "object",
+ "name": "finding"
+ },
+ "finding_info": {
+ "attributes": {
+ "analytic": {
+ "caption": "Analytic",
+ "description": "The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
+ "requirement": "recommended",
+ "type": "analytic"
+ },
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "The MITRE ATT&CK\u00ae technique and associated tactics related to the finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the finding was created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "data_sources": {
+ "caption": "Data Sources",
+ "description": "A list of data sources utilized in generation of the finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the reported finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "first_seen_time": {
+ "caption": "First Seen",
+ "description": "The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time
timestamp, which reflects the time this finding was created.
",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "kill_chain": {
+ "caption": "Kill Chain",
+ "description": "The Cyber Kill Chain\u00ae provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kill_chain_phase"
+ },
+ "last_seen_time": {
+ "caption": "Last Seen",
+ "description": "The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the modified_time
timestamp, which reflects the time this finding was last modified.
",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the finding was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "product_uid": {
+ "caption": "Product Identifier",
+ "description": "The unique identifier of the product that reported the finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "related_analytics": {
+ "caption": "Related Analytics",
+ "description": "Other analytics related to this finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "analytic"
+ },
+ "related_events": {
+ "caption": "Related Events",
+ "description": "Describes events and/or other findings related to the finding as identified by the security product.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "related_event"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The URL pointing to the source of the finding.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "title": {
+ "caption": "Title",
+ "description": "A title or a brief phrase summarizing the reported finding.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "types": {
+ "caption": "Types",
+ "description": "One or more types of the reported finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the reported finding.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Finding Information",
+ "description": "The Finding Information object describes metadata related to a security finding generated by a security tool or system.",
+ "extends": "object",
+ "name": "finding_info"
+ },
+ "fingerprint": {
+ "attributes": {
+ "algorithm": {
+ "caption": "Algorithm",
+ "description": "The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "algorithm_id": {
+ "caption": "Algorithm ID",
+ "description": "The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The algorithm is unknown."
+ },
+ "1": {
+ "caption": "MD5",
+ "description": "MD5 message-digest algorithm producing a 128-bit (16-byte) hash value."
+ },
+ "2": {
+ "caption": "SHA-1",
+ "description": "Secure Hash Algorithm 1 producing a 160-bit (20-byte) hash value."
+ },
+ "3": {
+ "caption": "SHA-256",
+ "description": "Secure Hash Algorithm 2 producing a 256-bit (32-byte) hash value."
+ },
+ "4": {
+ "caption": "SHA-512",
+ "description": "Secure Hash Algorithm 2 producing a 512-bit (64-byte) hash value."
+ },
+ "5": {
+ "caption": "CTPH",
+ "description": "The ssdeep generated fuzzy checksum. Also known as Context Triggered Piecewise Hash (CTPH)."
+ },
+ "6": {
+ "caption": "TLSH",
+ "description": "The TLSH fuzzy hashing algorithm."
+ },
+ "7": {
+ "caption": "quickXorHash",
+ "description": "Microsoft simple non-cryptographic hash algorithm that works by XORing the bytes in a circular-shifting fashion."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The algorithm is not mapped. See the algorithm
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "algorithm",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The digital fingerprint value.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Fingerprint",
+ "description": "The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.",
+ "extends": "object",
+ "name": "fingerprint",
+ "observable": 30
+ },
+ "firewall_rule": {
+ "attributes": {
+ "category": {
+ "caption": "Category",
+ "description": "The rule category.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "condition": {
+ "caption": "Condition",
+ "description": "The rule trigger condition for the rule. For example: SQL_INJECTION.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the rule that generated the event.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "duration": {
+ "caption": "Duration",
+ "description": "The rule response time duration, usually used for challenge completion time.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "match_details": {
+ "caption": "Match Details",
+ "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "match_location": {
+ "caption": "Match Location",
+ "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the rule that generated the event.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "rate_limit": {
+ "caption": "Rate Limit",
+ "description": "The rate limit for a rate-based rule.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sensitivity": {
+ "caption": "Sensitivity",
+ "description": "The sensitivity of the firewall rule in the matched event. For example: HIGH.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The rule type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the rule that generated the event.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The rule version. For example: 1.1
.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Firewall Rule",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.",
+ "extends": "rule",
+ "name": "firewall_rule"
+ },
+ "group": {
+ "attributes": {
+ "desc": {
+ "caption": "Description",
+ "description": "The group description.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The domain where the group is defined. For example: the LDAP or Active Directory domain.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The group name.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "privileges": {
+ "caption": "Privileges",
+ "description": "The group privileges.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Account Type",
+ "description": "The type of the group or account.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Group",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.",
+ "extends": "_entity",
+ "name": "group"
+ },
+ "hassh": {
+ "attributes": {
+ "algorithm": {
+ "caption": "Algorithm",
+ "description": "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "fingerprint": {
+ "caption": "Fingerprint",
+ "description": "The hash of the key exchange, encryption, authentication and compression algorithms.",
+ "observable": 30,
+ "requirement": "required",
+ "type": "fingerprint"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "HASSH",
+ "description": "The HASSH object contains SSH network fingerprinting values for specific client/server implementations. It provides a standardized way of identifying and categorizing SSH connections based on their unique characteristics and behavior.",
+ "extends": "object",
+ "name": "hassh"
+ },
+ "http_cookie": {
+ "attributes": {
+ "domain": {
+ "caption": "Domain",
+ "description": "The name of the domain.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The expiration time of the HTTP cookie.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "http_only": {
+ "@deprecated": {
+ "message": "Use the is_http_only
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "HTTP Only",
+ "description": "A cookie attribute to make it inaccessible via JavaScript",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_http_only": {
+ "caption": "HTTP Only",
+ "description": "This attribute prevents the cookie from being accessed via JavaScript.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_secure": {
+ "caption": "Secure",
+ "description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The HTTP cookie name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The path of the HTTP cookie.",
+ "requirement": "optional",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "samesite": {
+ "caption": "SameSite",
+ "description": "The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "secure": {
+ "@deprecated": {
+ "message": "Use the is_secure
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Secure",
+ "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The HTTP cookie value.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "HTTP Cookie",
+ "description": "The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user's web browser. This data is then stored by the browser and sent back to the server with subsequent requests, allowing the server to remember and track certain information about the user's browsing session or preferences.",
+ "extends": "object",
+ "name": "http_cookie"
+ },
+ "http_header": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the header",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The value of the header",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "HTTP Header",
+ "description": "TThe HTTP Header object represents the headers sent in an HTTP request or response. HTTP headers are key-value pairs that convey additional information about the HTTP message, including details about the content, caching, authentication, encoding, and other aspects of the communication.",
+ "extends": "object",
+ "name": "http_header"
+ },
+ "http_request": {
+ "attributes": {
+ "args": {
+ "caption": "HTTP Arguments",
+ "description": "The arguments sent along with the HTTP request.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "http_headers": {
+ "caption": "HTTP Headers",
+ "description": "Additional HTTP headers of an HTTP request or response.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "http_header"
+ },
+ "http_method": {
+ "caption": "HTTP Method",
+ "description": "The HTTP request method indicates the desired action to be performed for a given resource.",
+ "enum": {
+ "CONNECT": {
+ "caption": "Connect",
+ "description": "The CONNECT method establishes a tunnel to the server identified by the target resource."
+ },
+ "DELETE": {
+ "caption": "Delete",
+ "description": "The DELETE method deletes the specified resource."
+ },
+ "GET": {
+ "caption": "Get",
+ "description": "The GET method requests a representation of the specified resource. Requests using GET should only retrieve data."
+ },
+ "HEAD": {
+ "caption": "Head",
+ "description": "The HEAD method asks for a response identical to a GET request, but without the response body."
+ },
+ "OPTIONS": {
+ "caption": "Options",
+ "description": "The OPTIONS method describes the communication options for the target resource."
+ },
+ "POST": {
+ "caption": "Post",
+ "description": "The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server."
+ },
+ "PUT": {
+ "caption": "Put",
+ "description": "The PUT method replaces all current representations of the target resource with the request payload."
+ },
+ "TRACE": {
+ "caption": "Trace",
+ "description": "The TRACE method performs a message loop-back test along the path to the target resource."
+ }
+ },
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "length": {
+ "caption": "Request Length",
+ "description": "The HTTP request length, in number of bytes.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "prefix": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Prefix",
+ "description": "Domain prefix.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "referrer": {
+ "caption": "HTTP Referrer",
+ "description": "The request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the http request.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL object that pertains to the request.",
+ "observable": 23,
+ "requirement": "recommended",
+ "type": "url"
+ },
+ "user_agent": {
+ "caption": "HTTP User-Agent",
+ "description": "The request header that identifies the operating system and web browser.",
+ "observable": 16,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "version": {
+ "caption": "HTTP Version",
+ "description": "The Hypertext Transfer Protocol (HTTP) version.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "x_forwarded_for": {
+ "caption": "X-Forwarded-For",
+ "description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
+ "is_array": true,
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ }
+ },
+ "caption": "HTTP Request",
+ "constraints": {
+ "at_least_one": [
+ "user_agent",
+ "url",
+ "hostname"
+ ]
+ },
+ "description": "The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.",
+ "extends": "object",
+ "name": "http_request"
+ },
+ "http_response": {
+ "attributes": {
+ "code": {
+ "caption": "Response Code",
+ "description": "The Hypertext Transfer Protocol (HTTP) status code returned from the web server to the client. For example, 200.",
+ "requirement": "required",
+ "type": "integer_t"
+ },
+ "content_type": {
+ "caption": "HTTP Content Type",
+ "description": "The request header that identifies the original media type of the resource (prior to any content encoding applied for sending).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "http_headers": {
+ "caption": "HTTP Headers",
+ "description": "Additional HTTP headers of an HTTP request or response.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "http_header"
+ },
+ "latency": {
+ "caption": "Latency",
+ "description": "The HTTP response latency measured in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "length": {
+ "caption": "Response Length",
+ "description": "The HTTP response length, in number of bytes.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "status": {
+ "caption": "Status",
+ "description": "The response status. For example: A successful HTTP status of 'OK' which corresponds to a code of 200.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "HTTP Response",
+ "description": "The HTTP Response object contains detailed information about the response sent from a web server to the requester. It encompasses attributes and metadata that describe the response status, headers, body content, and other relevant information.",
+ "extends": "object",
+ "name": "http_response"
+ },
+ "idp": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the identity provider.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the identity provider.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Identity Provider",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services.",
+ "extends": "_entity",
+ "name": "idp"
+ },
+ "image": {
+ "attributes": {
+ "labels": {
+ "caption": "Labels",
+ "description": "The image labels.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The image name. For example: elixir
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path to the image file.",
+ "requirement": "optional",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "tag": {
+ "caption": "Image Tag",
+ "description": "The image tag. For example: 1.11-alpine
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique image ID. For example: 77af4d6b9913
.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Image",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.",
+ "extends": "_entity",
+ "name": "image"
+ },
+ "ip_intelligence": {
+ "attributes": {
+ "asn": {
+ "caption": "ASN",
+ "description": "The 2- or 4-byte Autonomous System Number (ASN)",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "asn_owner": {
+ "caption": "AS Owner",
+ "description": "The Autonomous System (AS) owner",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "details": {
+ "caption": "Details",
+ "description": "Details about the IP address.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "findings": {
+ "caption": "Findings",
+ "description": "The findings from threat intelligence platforms",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "finding"
+ },
+ "ip": {
+ "caption": "IP Address",
+ "description": "The IP address, in either IPv4 or IPv6 format.",
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The labels or tags in the intelligence.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "The detailed geographical location usually associated with an IP address.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "Additional references for more information.",
+ "description": "A list of reference URLs supporting the finding/detection.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "reputations": {
+ "caption": "Reputations",
+ "description": "Reputation score as reported by provider",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "subnet": {
+ "caption": "Subnet",
+ "description": "The subnet mask.",
+ "observable": 12,
+ "requirement": "optional",
+ "type": "subnet_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The vendor that provided the intelligence.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "IP Threat Intelligence",
+ "description": "Insights from threat intelligence platforms about IP Addresses",
+ "extends": "_base_threat_intelligence",
+ "extension": "query",
+ "name": "ip_intelligence"
+ },
+ "job": {
+ "attributes": {
+ "cmd_line": {
+ "caption": "Command Line",
+ "description": "The job command line.",
+ "observable": 13,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the job was created.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the job.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The file that pertains to the job.",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "last_run_time": {
+ "caption": "Last Run",
+ "description": "The time when the job was last run.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the job.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "next_run_time": {
+ "caption": "Next Run",
+ "description": "The time when the job will next be run.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "run_state": {
+ "caption": "Run State",
+ "description": "The run state of the job.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "run_state_id": {
+ "caption": "Run State ID",
+ "description": "The run state ID of the job.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Ready"
+ },
+ "2": {
+ "caption": "Queued"
+ },
+ "3": {
+ "caption": "Running"
+ },
+ "4": {
+ "caption": "Stopped"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "run_state",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user that created the job.",
+ "observable": 21,
+ "requirement": "optional",
+ "type": "user"
+ }
+ },
+ "caption": "Job",
+ "description": "The Job object provides information about a scheduled job or task, including its name, command line, and state. It encompasses attributes that describe the properties and status of the scheduled job.",
+ "extends": "object",
+ "name": "job"
+ },
+ "kb_article": {
+ "attributes": {
+ "bulletin": {
+ "caption": "Patch Bulletin",
+ "description": "The kb article bulletin identifier.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "classification": {
+ "caption": "Classification",
+ "description": "The vendors classification of the kb article.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The date the kb article was released by the vendor.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "is_superseded": {
+ "caption": "The patch is superseded.",
+ "description": "The kb article has been replaced by another.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "os": {
+ "caption": "OS",
+ "description": "The operating system the kb article applies.",
+ "requirement": "recommended",
+ "type": "os"
+ },
+ "product": {
+ "caption": "Product",
+ "description": "The product details the kb article applies.",
+ "requirement": "optional",
+ "type": "product"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The severity of the kb article.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size in bytes for the kb article.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The kb article link from the source vendor.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "title": {
+ "caption": "Title",
+ "description": "The title of the kb article.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier for the kb article.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "KB Article",
+ "description": "The KB Article object contains metadata that describes the patch or update.",
+ "extends": "object",
+ "name": "kb_article"
+ },
+ "kernel": {
+ "attributes": {
+ "is_system": {
+ "caption": "System",
+ "description": "The indication of whether the object is part of the operating system.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the kernel resource.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path of the kernel resource.",
+ "requirement": "optional",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "system_call": {
+ "caption": "System Call",
+ "description": "The system call that was invoked.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of the kernel resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The type of the kernel resource.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Shared Mutex"
+ },
+ "2": {
+ "caption": "System Call"
+ },
+ "3": {
+ "caption": "Named Pipe"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Kernel Resource",
+ "description": "The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system. Defined by D3FEND d3f:Kernel.",
+ "extends": "object",
+ "name": "kernel"
+ },
+ "kernel_driver": {
+ "attributes": {
+ "file": {
+ "caption": "File",
+ "description": "The driver/extension file object.",
+ "group": "primary",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Kernel Extension",
+ "description": "The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel. Defined by D3FEND d3f:KernelModule.",
+ "extends": "object",
+ "name": "kernel_driver"
+ },
+ "keyboard_info": {
+ "attributes": {
+ "function_keys": {
+ "caption": "Function Keys",
+ "description": "The number of function keys on client keyboard.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "ime": {
+ "caption": "IME",
+ "description": "The Input Method Editor (IME) file name.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "keyboard_layout": {
+ "caption": "Keyboard Layout",
+ "description": "The keyboard locale identifier name (e.g., en-US).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "keyboard_subtype": {
+ "caption": "Keyboard Subtype",
+ "description": "The keyboard numeric code.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "keyboard_type": {
+ "caption": "Keyboard Type",
+ "description": "The keyboard type (e.g., xt, ico).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Keyboard Information",
+ "description": "The Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard.",
+ "extends": "object",
+ "name": "keyboard_info"
+ },
+ "kill_chain_phase": {
+ "attributes": {
+ "phase": {
+ "caption": "Kill Chain Phase",
+ "description": "The cyber kill chain phase.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "phase_id": {
+ "caption": "Kill Chain Phase ID",
+ "description": "The cyber kill chain phase identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The kill chain phase is unknown."
+ },
+ "1": {
+ "caption": "Reconnaissance",
+ "description": "The attackers pick a target and perform a detailed analysis, start collecting information (email addresses, conferences information, etc.) and evaluate the victim\u2019s vulnerabilities to determine how to exploit them."
+ },
+ "2": {
+ "caption": "Weaponization",
+ "description": "The attackers develop a malware weapon and aim to exploit the discovered vulnerabilities."
+ },
+ "3": {
+ "caption": "Delivery",
+ "description": "The intruders will use various tactics, such as phishing, infected USB drives, etc."
+ },
+ "4": {
+ "caption": "Exploitation",
+ "description": "The intruders start leveraging vulnerabilities to executed code on the victim\u2019s system."
+ },
+ "5": {
+ "caption": "Installation",
+ "description": "The intruders install malware on the victim\u2019s system."
+ },
+ "6": {
+ "caption": "Command & Control",
+ "description": "Malware opens a command channel to enable the intruders to remotely manipulate the victim's system."
+ },
+ "7": {
+ "caption": "Actions on Objectives",
+ "description": "With hands-on keyboard access, intruders accomplish the mission\u2019s goal."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The kill chain phase is not mapped. See the phase
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "phase",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Kill Chain Phase",
+ "description": "The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain\u00ae.",
+ "extends": "object",
+ "name": "kill_chain_phase"
+ },
+ "ldap_person": {
+ "attributes": {
+ "cost_center": {
+ "caption": "Cost Center",
+ "description": "The cost center associated with the user.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The timestamp when the user was created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "deleted_time": {
+ "caption": "Deleted Time",
+ "description": "The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "email_addrs": {
+ "caption": "Email Addresses",
+ "description": "A list of additional email addresses for the user.",
+ "is_array": true,
+ "observable": 5,
+ "requirement": "optional",
+ "type": "email_t"
+ },
+ "employee_uid": {
+ "caption": "Employee ID",
+ "description": "The employee identifier assigned to the user by the organization.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "given_name": {
+ "caption": "Given Name",
+ "description": "The given or first name of the user.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "hire_time": {
+ "caption": "Hire Time",
+ "description": "The timestamp when the user was or will be hired by the organization.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "job_title": {
+ "caption": "Job Title",
+ "description": "The user's job title.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The labels associated with the user. For example in AD this could be the userType
, employeeType
. For example: Member, Employee
.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "last_login_time": {
+ "caption": "Last Login",
+ "description": "The last time when the user logged in.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "ldap_cn": {
+ "caption": "LDAP Common Name",
+ "description": "The LDAP and X.500 commonName
attribute, typically the full name of the person. For example, John Doe
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "ldap_dn": {
+ "caption": "LDAP Distinguished Name",
+ "description": "The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "leave_time": {
+ "caption": "Leave Time",
+ "description": "The timestamp when the user left or will be leaving the organization.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "The geographical location associated with a user. This is typically the user's usual work location.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "manager": {
+ "caption": "Manager",
+ "description": "The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.",
+ "observable": 21,
+ "requirement": "optional",
+ "type": "user"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The timestamp when the user entry was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "office_location": {
+ "caption": "Office Location",
+ "description": "The primary office location associated with the user. This could be any string and isn't a specific address. For example, South East Virtual
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "surname": {
+ "caption": "Surname",
+ "description": "The last or family name for the user.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "LDAP Person",
+ "description": "The additional LDAP attributes that describe a person.",
+ "extends": "object",
+ "name": "ldap_person"
+ },
+ "load_balancer": {
+ "attributes": {
+ "classification": {
+ "caption": "Classification",
+ "description": "The request classification as defined by the load balancer.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "code": {
+ "caption": "Response Code",
+ "description": "The numeric response status code detailing the connection from the load balancer to the destination target.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The destination to which the load balancer is distributing traffic.",
+ "requirement": "recommended",
+ "type": "network_endpoint"
+ },
+ "endpoint_connections": {
+ "caption": "Endpoint Connections",
+ "description": "An object detailing the load balancer connection attempts and responses.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "endpoint_connection"
+ },
+ "error_message": {
+ "caption": "Error Message",
+ "description": "The load balancer error message.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The load balancer message.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "metrics": {
+ "caption": "Metrics",
+ "description": "General purpose metrics associated with the load balancer.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "metric"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the load balancer.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "status_detail": {
+ "caption": "Status Detail",
+ "description": "The status detail contains additional status information about the load balancer distribution event.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier for the load balancer.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Load Balancer",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.",
+ "extends": "_entity",
+ "name": "load_balancer"
+ },
+ "location": {
+ "attributes": {
+ "city": {
+ "caption": "City",
+ "description": "The name of the city.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "continent": {
+ "caption": "Continent",
+ "description": "The name of the continent.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "coordinates": {
+ "@deprecated": {
+ "message": "Use specific lat, long
attributes instead.",
+ "since": "1.2.0"
+ },
+ "caption": "Coordinates",
+ "description": "A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. For example: [-73.983, 40.719]
.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "float_t"
+ },
+ "country": {
+ "caption": "Country",
+ "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.Note: The two letter country code should be capitalized. For example: US
or CA
.
",
+ "observable": 14,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the geographical location.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "geohash": {
+ "caption": "Geohash",
+ "description": "Geohash of the geo-coordinates (latitude and longitude).
Geohashing is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "is_on_premises": {
+ "caption": "On Premises",
+ "description": "The indication of whether the location is on premises.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "isp": {
+ "caption": "ISP",
+ "description": "The name of the Internet Service Provider (ISP).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "lat": {
+ "caption": "Latitude",
+ "description": "The geographical Latitude coordinate represented in Decimal Degrees (DD). For example: 42.361145
.",
+ "requirement": "optional",
+ "type": "float_t"
+ },
+ "long": {
+ "caption": "Longitude",
+ "description": "The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083
.",
+ "requirement": "optional",
+ "type": "float_t"
+ },
+ "postal_code": {
+ "caption": "Postal Code",
+ "description": "The postal code of the location.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "provider": {
+ "caption": "Provider",
+ "description": "The provider of the geographical location data.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "region": {
+ "caption": "Region",
+ "description": "The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Geo Location",
+ "constraints": {
+ "at_least_one": [
+ "city",
+ "country",
+ "postal_code",
+ "region"
+ ]
+ },
+ "description": "The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.",
+ "extends": "object",
+ "name": "location",
+ "observable": 26
+ },
+ "logger": {
+ "attributes": {
+ "device": {
+ "caption": "Device",
+ "description": "The device where the events are logged.",
+ "requirement": "recommended",
+ "type": "device"
+ },
+ "log_level": {
+ "caption": "Log Level",
+ "description": "The audit level at which an event was generated.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "log_name": {
+ "caption": "Log Name",
+ "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_provider": {
+ "caption": "Log Provider",
+ "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_version": {
+ "caption": "Log Version",
+ "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "logged_time": {
+ "caption": "Logged Time",
+ "description": "The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the logging product instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "product": {
+ "caption": "Product",
+ "description": "The product logging the event. This may be the event source product, a management server product, a scanning product, a SIEM, etc.",
+ "requirement": "recommended",
+ "type": "product"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "transmit_time": {
+ "caption": "Transmission Time",
+ "description": "The time when the event was transmitted from the logging device to it's next destination.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the logging product instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the logging product.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Logger",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.",
+ "extends": "_entity",
+ "name": "logger"
+ },
+ "malware": {
+ "attributes": {
+ "classification_ids": {
+ "caption": "Classification IDs",
+ "description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Adware"
+ },
+ "10": {
+ "caption": "Ransomware"
+ },
+ "11": {
+ "caption": "Remote-Access-Trojan"
+ },
+ "13": {
+ "caption": "Resource-Exploitation"
+ },
+ "14": {
+ "caption": "Rogue-Security-Software"
+ },
+ "15": {
+ "caption": "Rootkit"
+ },
+ "16": {
+ "caption": "Screen-Capture"
+ },
+ "17": {
+ "caption": "Spyware"
+ },
+ "18": {
+ "caption": "Trojan"
+ },
+ "19": {
+ "caption": "Virus"
+ },
+ "2": {
+ "caption": "Backdoor"
+ },
+ "20": {
+ "caption": "Webshell"
+ },
+ "21": {
+ "caption": "Wiper"
+ },
+ "22": {
+ "caption": "Worm"
+ },
+ "3": {
+ "caption": "Bot"
+ },
+ "4": {
+ "caption": "Bootkit"
+ },
+ "5": {
+ "caption": "DDOS"
+ },
+ "6": {
+ "caption": "Downloader"
+ },
+ "7": {
+ "caption": "Dropper"
+ },
+ "8": {
+ "caption": "Exploit-Kit"
+ },
+ "9": {
+ "caption": "Keylogger"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "is_array": true,
+ "requirement": "required",
+ "sibling": "classifications",
+ "type": "integer_t"
+ },
+ "classifications": {
+ "caption": "Classifications",
+ "description": "The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cve_uids": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "CVE UIDs",
+ "description": "The common vulnerabilities and exposures (CVE) unique identifiers.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cves": {
+ "caption": "CVE List",
+ "description": "List of Common Vulnerabilities and Exposures (CVE).",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "cve"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The malware name, as reported by the detection engine.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The filesystem path of the malware that was observed.",
+ "requirement": "recommended",
+ "type": "path_t"
+ },
+ "provider": {
+ "caption": "Provider",
+ "description": "The provider of the malware information.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Malware",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.",
+ "extends": "_entity",
+ "name": "malware"
+ },
+ "managed_entity": {
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "The managed entity content as a JSON object.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the managed entity.",
+ "notes": "For example Browser Isolation Policy.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The managed entity type. For example: policy
, user
, organizational unit
, device
.",
+ "notes": "For example: policy, user, organizational unit, device.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The identifier of the managed entity.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the managed entity. For example: 1.2.3
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Managed Entity",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Managed Entity object describes the type and version of an entity, such as a policy or configuration.",
+ "extends": "_entity",
+ "name": "managed_entity"
+ },
+ "metadata": {
+ "attributes": {
+ "correlation_uid": {
+ "caption": "Correlation UID",
+ "description": "The unique identifier used to correlate events.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "event_code": {
+ "caption": "Event Code",
+ "description": "The Event ID or Code that the product uses to describe the event.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "extension": {
+ "@deprecated": {
+ "message": "Use the extensions
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Schema Extension",
+ "description": "The schema extension used to create the event.",
+ "requirement": "optional",
+ "type": "extension"
+ },
+ "extensions": {
+ "caption": "Schema Extensions",
+ "description": "The schema extensions used to create the event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "extension"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: [\"network\", \"connection.ip:destination\", \"device.ip:source\"]
",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "log_level": {
+ "caption": "Log Level",
+ "description": "The audit level at which an event was generated.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "log_name": {
+ "caption": "Log Name",
+ "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_provider": {
+ "caption": "Log Provider",
+ "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "log_version": {
+ "caption": "Log Version",
+ "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "logged_time": {
+ "caption": "Logged Time",
+ "description": "The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "loggers": {
+ "caption": "Loggers",
+ "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "logger"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the event was last modified or enriched.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "original_time": {
+ "caption": "Original Time",
+ "description": "The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "processed_time": {
+ "caption": "Processed Time",
+ "description": "The event processed time, such as an ETL operation.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "product": {
+ "caption": "Product",
+ "description": "The product that reported the event.",
+ "requirement": "required",
+ "type": "product"
+ },
+ "profiles": {
+ "caption": "Profiles",
+ "description": "The list of profiles used to create the event.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sequence": {
+ "caption": "Sequence Number",
+ "description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "tenant_uid": {
+ "caption": "Tenant UID",
+ "description": "The unique tenant identifier.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Event UID",
+ "description": "The logging system-assigned unique identifier of an event instance.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "default": "1.0.0",
+ "description": "The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Metadata",
+ "description": "The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.",
+ "extends": "object",
+ "name": "metadata",
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "metric": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the metric.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The value of the metric.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Metric",
+ "description": "The Metric object defines a simple name/value pair entity for a metric.",
+ "extends": "object",
+ "name": "metric"
+ },
+ "module": {
+ "attributes": {
+ "base_address": {
+ "caption": "Base Address",
+ "description": "The memory address where the module was loaded.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The module file object.",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "function_name": {
+ "caption": "Function Name",
+ "description": "The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "load_type": {
+ "caption": "Load Type",
+ "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "load_type_id": {
+ "caption": "Load Type ID",
+ "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Standard",
+ "description": "A normal module loaded by the normal windows loading mechanism i.e. LoadLibrary."
+ },
+ "2": {
+ "caption": "Non Standard",
+ "description": "A module loaded in a way avoidant of normal windows procedures. i.e. Bootstrapped Loading/Manual Dll Loading."
+ },
+ "3": {
+ "caption": "ShellCode",
+ "description": "A raw module in process memory that is READWRITE_EXECUTE and had a thread started in its range."
+ },
+ "4": {
+ "caption": "Mapped",
+ "description": "A memory mapped file, typically created with CreatefileMapping/MapViewOfFile."
+ },
+ "5": {
+ "caption": "NonStandard Backed",
+ "description": "A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation."
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "required",
+ "sibling": "load_type",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "start_address": {
+ "caption": "Start Address",
+ "description": "The start address of the execution.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The module type.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Module",
+ "description": "The Module object describes the load attributes of a module.",
+ "extends": "object",
+ "name": "module"
+ },
+ "network_connection_info": {
+ "attributes": {
+ "boundary": {
+ "caption": "Boundary",
+ "description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "boundary_id": {
+ "caption": "Boundary ID",
+ "description": "The normalized identifier of the boundary of the connection.
For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The connection boundary is unknown."
+ },
+ "1": {
+ "caption": "Localhost",
+ "description": "Local network traffic on the same endpoint."
+ },
+ "10": {
+ "caption": "Gateway VPC",
+ "description": "Through a gateway VPC endpoint (Nitro-based instances only)"
+ },
+ "11": {
+ "caption": "Internet Gateway",
+ "description": "Through an Internet gateway (Nitro-based instances only)"
+ },
+ "2": {
+ "caption": "Internal",
+ "description": "Internal network traffic between two endpoints inside network."
+ },
+ "3": {
+ "caption": "External",
+ "description": "External network traffic between two endpoints on the Internet or outside the network."
+ },
+ "4": {
+ "caption": "Same VPC",
+ "description": "Through another resource in the same VPC"
+ },
+ "5": {
+ "caption": "Internet/VPC Gateway",
+ "description": "Through an Internet gateway or a gateway VPC endpoint"
+ },
+ "6": {
+ "caption": "Virtual Private Gateway",
+ "description": "Through a virtual private gateway"
+ },
+ "7": {
+ "caption": "Intra-region VPC",
+ "description": "Through an intra-region VPC peering connection"
+ },
+ "8": {
+ "caption": "Inter-region VPC",
+ "description": "Through an inter-region VPC peering connection"
+ },
+ "9": {
+ "caption": "Local Gateway",
+ "description": "Through a local gateway"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The boundary is not mapped. See the boundary
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "boundary",
+ "type": "integer_t"
+ },
+ "direction": {
+ "caption": "Direction",
+ "description": "The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "direction_id": {
+ "caption": "Direction ID",
+ "description": "The normalized identifier of the direction of the initiated connection, traffic, or email.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "Connection direction is unknown."
+ },
+ "1": {
+ "caption": "Inbound",
+ "description": "Inbound network connection. The connection was originated from the Internet or outside network, destined for services on the inside network."
+ },
+ "2": {
+ "caption": "Outbound",
+ "description": "Outbound network connection. The connection was originated from inside the network, destined for services on the Internet or outside network."
+ },
+ "3": {
+ "caption": "Lateral",
+ "description": "Lateral network connection. The connection was originated from inside the network, destined for services on the inside network."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The direction is not mapped. See the direction
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "direction",
+ "type": "integer_t"
+ },
+ "protocol_name": {
+ "caption": "Protocol Name",
+ "description": "The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp
or udp
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "protocol_num": {
+ "caption": "Protocol Number",
+ "description": "The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6
for TCP and 17
for UDP.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "protocol_ver": {
+ "caption": "IP Version",
+ "description": "The Internet Protocol version.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "protocol_ver_id": {
+ "caption": "IP Version ID",
+ "description": "The Internet Protocol version identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "4": {
+ "caption": "Internet Protocol version 4 (IPv4)"
+ },
+ "6": {
+ "caption": "Internet Protocol version 6 (IPv6)"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "protocol_ver",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "session": {
+ "caption": "Session",
+ "description": "The authenticated user or service session.",
+ "requirement": "optional",
+ "type": "session"
+ },
+ "tcp_flags": {
+ "caption": "TCP Flags",
+ "description": "The network connection TCP header flags (i.e., control bits).",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Connection UID",
+ "description": "The unique identifier of the connection.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Network Connection Information",
+ "description": "The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND d3f:NetworkSession.",
+ "extends": "object",
+ "name": "network_connection_info"
+ },
+ "network_endpoint": {
+ "attributes": {
+ "agent_list": {
+ "caption": "Agent List",
+ "description": "A list of agent
objects associated with a device, endpoint, or resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "agent"
+ },
+ "autonomous_system": {
+ "caption": "Autonomous System",
+ "description": "The Autonomous System details associated with an IP address.",
+ "requirement": "optional",
+ "type": "autonomous_system"
+ },
+ "container": {
+ "caption": "Container",
+ "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
+ "group": "context",
+ "observable": 27,
+ "requirement": "recommended",
+ "type": "container"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The name of the domain.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The fully qualified name of the endpoint.",
+ "observable": 1,
+ "requirement": "recommended",
+ "type": "hostname_t"
+ },
+ "hw_info": {
+ "caption": "Hardware Info",
+ "description": "The endpoint hardware information.",
+ "requirement": "optional",
+ "type": "device_hw_info"
+ },
+ "instance_uid": {
+ "caption": "Instance ID",
+ "description": "The unique identifier of a VM instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_name": {
+ "caption": "Network Interface Name",
+ "description": "The name of the network interface (e.g. eth2).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_uid": {
+ "caption": "Network Interface ID",
+ "description": "The unique identifier of the network interface.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "intermediate_ips": {
+ "caption": "Intermediate IP Addresses",
+ "description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
+ "is_array": true,
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ },
+ "ip": {
+ "caption": "IP Address",
+ "description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
+ "observable": 2,
+ "requirement": "recommended",
+ "type": "ip_t"
+ },
+ "ip_intelligence": {
+ "caption": "IP Intelligence",
+ "description": "Insights from threat intelligence platforms about IP Address",
+ "requirement": "optional",
+ "type": "ip_intelligence"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "The geographical location of the endpoint.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "mac": {
+ "caption": "MAC Address",
+ "description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
+ "requirement": "optional",
+ "type": "mac_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The short name of the endpoint.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "namespace_pid": {
+ "caption": "Namespace PID",
+ "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "os": {
+ "caption": "OS",
+ "description": "The endpoint operating system.",
+ "requirement": "optional",
+ "type": "os"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "port": {
+ "caption": "Port",
+ "description": "The port used for communication within the network connection.",
+ "observable": 11,
+ "requirement": "recommended",
+ "type": "port_t"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "subnet_uid": {
+ "caption": "Subnet UID",
+ "description": "The unique identifier of a virtual subnet.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "svc_name": {
+ "caption": "Service Name",
+ "description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The network endpoint type. For example: unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The network endpoint type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Server",
+ "description": "A server."
+ },
+ "10": {
+ "caption": "Switch",
+ "description": "A networking switch."
+ },
+ "11": {
+ "caption": "Hub",
+ "description": "A networking hub."
+ },
+ "2": {
+ "caption": "Desktop",
+ "description": "A desktop computer."
+ },
+ "3": {
+ "caption": "Laptop",
+ "description": "A laptop computer."
+ },
+ "4": {
+ "caption": "Tablet",
+ "description": "A tablet computer."
+ },
+ "5": {
+ "caption": "Mobile",
+ "description": "A mobile phone."
+ },
+ "6": {
+ "caption": "Virtual",
+ "description": "A virtual machine."
+ },
+ "7": {
+ "caption": "IOT",
+ "description": "A IOT (Internet of Things) device."
+ },
+ "8": {
+ "caption": "Browser",
+ "description": "A web browser."
+ },
+ "9": {
+ "caption": "Firewall",
+ "description": "A networking firewall."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the endpoint.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vlan_uid": {
+ "caption": "VLAN",
+ "description": "The Virtual LAN identifier.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "vpc_uid": {
+ "caption": "VPC UID",
+ "description": "The unique identifier of the Virtual Private Cloud (VPC).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "zone": {
+ "caption": "Network Zone",
+ "description": "The network zone or LAN segment.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Network Endpoint",
+ "constraints": {
+ "at_least_one": [
+ "ip",
+ "uid",
+ "name",
+ "hostname",
+ "svc_name",
+ "instance_uid",
+ "interface_uid",
+ "interface_name"
+ ]
+ },
+ "description": "The network endpoint object describes source or destination of a network connection.",
+ "extends": null,
+ "name": "network_endpoint",
+ "profiles": [
+ "container"
+ ]
+ },
+ "network_interface": {
+ "attributes": {
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The hostname associated with the network interface.",
+ "observable": 1,
+ "requirement": "recommended",
+ "type": "hostname_t"
+ },
+ "ip": {
+ "caption": "IP Address",
+ "description": "The IP address associated with the network interface.",
+ "observable": 2,
+ "requirement": "recommended",
+ "type": "ip_t"
+ },
+ "mac": {
+ "caption": "MAC Address",
+ "description": "The MAC address of the network interface.",
+ "observable": 3,
+ "requirement": "recommended",
+ "type": "mac_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the network interface.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "namespace": {
+ "caption": "Namespace",
+ "description": "The namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "subnet_prefix": {
+ "caption": "Subnet Prefix Length",
+ "description": "The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of network interface.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The network interface type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Wired"
+ },
+ "2": {
+ "caption": "Wireless"
+ },
+ "3": {
+ "caption": "Mobile"
+ },
+ "4": {
+ "caption": "Tunnel"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier for the network interface.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Network Interface",
+ "constraints": {
+ "at_least_one": [
+ "ip",
+ "mac",
+ "name",
+ "hostname"
+ ]
+ },
+ "description": "The Network Interface object describes the type and associated attributes of a network interface.",
+ "extends": "_entity",
+ "name": "network_interface"
+ },
+ "network_proxy": {
+ "attributes": {
+ "agent_list": {
+ "caption": "Agent List",
+ "description": "A list of agent
objects associated with a device, endpoint, or resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "agent"
+ },
+ "autonomous_system": {
+ "caption": "Autonomous System",
+ "description": "The Autonomous System details associated with an IP address.",
+ "requirement": "optional",
+ "type": "autonomous_system"
+ },
+ "container": {
+ "caption": "Container",
+ "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
+ "group": "context",
+ "observable": 27,
+ "requirement": "recommended",
+ "type": "container"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The name of the domain.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The fully qualified name of the endpoint.",
+ "observable": 1,
+ "requirement": "recommended",
+ "type": "hostname_t"
+ },
+ "hw_info": {
+ "caption": "Hardware Info",
+ "description": "The endpoint hardware information.",
+ "requirement": "optional",
+ "type": "device_hw_info"
+ },
+ "instance_uid": {
+ "caption": "Instance ID",
+ "description": "The unique identifier of a VM instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_name": {
+ "caption": "Network Interface Name",
+ "description": "The name of the network interface (e.g. eth2).",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "interface_uid": {
+ "caption": "Network Interface ID",
+ "description": "The unique identifier of the network interface.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "intermediate_ips": {
+ "caption": "Intermediate IP Addresses",
+ "description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
+ "is_array": true,
+ "observable": 2,
+ "requirement": "optional",
+ "type": "ip_t"
+ },
+ "ip": {
+ "caption": "IP Address",
+ "description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
+ "observable": 2,
+ "requirement": "recommended",
+ "type": "ip_t"
+ },
+ "ip_intelligence": {
+ "caption": "IP Intelligence",
+ "description": "Insights from threat intelligence platforms about IP Address",
+ "requirement": "optional",
+ "type": "ip_intelligence"
+ },
+ "location": {
+ "caption": "Geo Location",
+ "description": "The geographical location of the endpoint.",
+ "observable": 26,
+ "requirement": "optional",
+ "type": "location"
+ },
+ "mac": {
+ "caption": "MAC Address",
+ "description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
+ "requirement": "optional",
+ "type": "mac_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The short name of the endpoint.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "namespace_pid": {
+ "caption": "Namespace PID",
+ "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "os": {
+ "caption": "OS",
+ "description": "The endpoint operating system.",
+ "requirement": "optional",
+ "type": "os"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "port": {
+ "caption": "Port",
+ "description": "The port used for communication within the network connection.",
+ "observable": 11,
+ "requirement": "recommended",
+ "type": "port_t"
+ },
+ "proxy_endpoint": {
+ "caption": "Proxy Endpoint",
+ "description": "The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).",
+ "requirement": "optional",
+ "type": "network_proxy"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "subnet_uid": {
+ "caption": "Subnet UID",
+ "description": "The unique identifier of a virtual subnet.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "svc_name": {
+ "caption": "Service Name",
+ "description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The network endpoint type. For example: unknown
, server
, desktop
, laptop
, tablet
, mobile
, virtual
, browser
, or other
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The network endpoint type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Server",
+ "description": "A server."
+ },
+ "10": {
+ "caption": "Switch",
+ "description": "A networking switch."
+ },
+ "11": {
+ "caption": "Hub",
+ "description": "A networking hub."
+ },
+ "2": {
+ "caption": "Desktop",
+ "description": "A desktop computer."
+ },
+ "3": {
+ "caption": "Laptop",
+ "description": "A laptop computer."
+ },
+ "4": {
+ "caption": "Tablet",
+ "description": "A tablet computer."
+ },
+ "5": {
+ "caption": "Mobile",
+ "description": "A mobile phone."
+ },
+ "6": {
+ "caption": "Virtual",
+ "description": "A virtual machine."
+ },
+ "7": {
+ "caption": "IOT",
+ "description": "A IOT (Internet of Things) device."
+ },
+ "8": {
+ "caption": "Browser",
+ "description": "A web browser."
+ },
+ "9": {
+ "caption": "Firewall",
+ "description": "A networking firewall."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the endpoint.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vlan_uid": {
+ "caption": "VLAN",
+ "description": "The Virtual LAN identifier.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "vpc_uid": {
+ "caption": "VPC UID",
+ "description": "The unique identifier of the Virtual Private Cloud (VPC).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "zone": {
+ "caption": "Network Zone",
+ "description": "The network zone or LAN segment.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Network Proxy Endpoint",
+ "constraints": {
+ "at_least_one": [
+ "ip",
+ "uid",
+ "name",
+ "hostname",
+ "svc_name",
+ "instance_uid",
+ "interface_uid",
+ "interface_name"
+ ]
+ },
+ "description": "The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource. Defined by D3FEND d3f:ProxyServer.",
+ "extends": "network_endpoint",
+ "name": "network_proxy",
+ "profiles": [
+ "container"
+ ]
+ },
+ "network_traffic": {
+ "attributes": {
+ "bytes": {
+ "caption": "Total Bytes",
+ "default": 0,
+ "description": "The total number of bytes (in and out).",
+ "requirement": "recommended",
+ "type": "long_t"
+ },
+ "bytes_in": {
+ "caption": "Bytes In",
+ "default": 0,
+ "description": "The number of bytes sent from the destination to the source.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "bytes_out": {
+ "caption": "Bytes Out",
+ "default": 0,
+ "description": "The number of bytes sent from the source to the destination.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "chunks": {
+ "caption": "Chunks",
+ "description": "The total number of chunks (in and out).",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "chunks_in": {
+ "caption": "Chunks In",
+ "description": "The number of chunks sent from the destination to the source.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "chunks_out": {
+ "caption": "Chunks Out",
+ "description": "The number of chunks sent from the source to the destination.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "packets": {
+ "caption": "Total Packets",
+ "default": 0,
+ "description": "The total number of packets (in and out).",
+ "requirement": "recommended",
+ "type": "long_t"
+ },
+ "packets_in": {
+ "caption": "Packets In",
+ "default": 0,
+ "description": "The number of packets sent from the destination to the source.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "packets_out": {
+ "caption": "Packets Out",
+ "default": 0,
+ "description": "The number of packets sent from the source to the destination.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Network Traffic",
+ "description": "The Network Traffic object describes characteristics of network traffic. Network traffic refers to data moving across a network at a given point of time. Defined by D3FEND d3f:NetworkTraffic.",
+ "extends": "object",
+ "name": "network_traffic"
+ },
+ "object": {
+ "attributes": {
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Object",
+ "description": "An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.",
+ "extends": null,
+ "name": "object"
+ },
+ "observable": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The full name of the observable attribute. The name
is a pointer/reference to an attribute within the event data. For example: file.name
.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The observable value type name.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The observable value type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "Unknown observable data type."
+ },
+ "1": {
+ "caption": "Hostname",
+ "description": "Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com
."
+ },
+ "10": {
+ "caption": "Resource UID",
+ "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID."
+ },
+ "11": {
+ "caption": "Port",
+ "description": "The TCP/UDP port number. For example: 80
or 22
."
+ },
+ "12": {
+ "caption": "Subnet",
+ "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example:- 192.168.1.0/24
- 2001:0db8:85a3:0000::/64
"
+ },
+ "13": {
+ "caption": "Command Line",
+ "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10
. If the command line is unavailable or missing, the empty string ''
is to be used."
+ },
+ "14": {
+ "caption": "Country",
+ "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.Note: The two letter country code should be capitalized. For example: US
or CA
.
"
+ },
+ "15": {
+ "caption": "Process ID",
+ "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process."
+ },
+ "16": {
+ "caption": "HTTP User-Agent",
+ "description": "The request header that identifies the operating system and web browser."
+ },
+ "17": {
+ "caption": "CWE ID",
+ "description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123
."
+ },
+ "18": {
+ "caption": "CVE ID",
+ "description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345
."
+ },
+ "2": {
+ "caption": "IP Address",
+ "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24
or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
."
+ },
+ "20": {
+ "caption": "Endpoint",
+ "description": "The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices\u2014like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats\u2014are also endpoints."
+ },
+ "21": {
+ "caption": "User",
+ "description": "The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount."
+ },
+ "22": {
+ "caption": "Email",
+ "description": "The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email."
+ },
+ "23": {
+ "caption": "Uniform Resource Locator",
+ "description": "The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL."
+ },
+ "24": {
+ "caption": "File",
+ "description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File."
+ },
+ "25": {
+ "caption": "Process",
+ "description": "The Process object describes a running instance of a launched program. Defined by D3FEND d3f:Process."
+ },
+ "26": {
+ "caption": "Geo Location",
+ "description": "The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation."
+ },
+ "27": {
+ "caption": "Container",
+ "description": "The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd."
+ },
+ "28": {
+ "caption": "Registry Key",
+ "description": "The registry key object describes a Windows registry key. Defined by D3FEND d3f:WindowsRegistryKey."
+ },
+ "29": {
+ "caption": "Registry Value",
+ "description": "The registry value object describes a Windows registry value."
+ },
+ "3": {
+ "caption": "MAC Address",
+ "description": "Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
."
+ },
+ "30": {
+ "caption": "Fingerprint",
+ "description": "The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data."
+ },
+ "4": {
+ "caption": "User Name",
+ "description": "User name. For example: john_doe
."
+ },
+ "5": {
+ "caption": "Email Address",
+ "description": "Email address. For example: john_doe@example.com
."
+ },
+ "6": {
+ "caption": "URL String",
+ "description": "Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe
."
+ },
+ "7": {
+ "caption": "File Name",
+ "description": "File name. For example: text-file.txt
."
+ },
+ "8": {
+ "caption": "Hash",
+ "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628
."
+ },
+ "9": {
+ "caption": "Process Name",
+ "description": "Process name. For example: Notepad
."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The observable data type is not mapped. See the type
attribute, which may contain data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The value associated with the observable attribute. The meaning of the value depends on the observable type.
If the name
refers to a scalar attribute, then the value
is the value of the attribute.
If the name
refers to an object attribute, then the value
is not populated.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Observable",
+ "description": "The observable object is a pivot element that contains related information found in many places in the event.",
+ "extends": "object",
+ "name": "observable"
+ },
+ "organization": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the organization. For example, Widget, Inc.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "ou_name": {
+ "caption": "Org Unit Name",
+ "description": "The name of the organizational unit, within an organization. For example, Finance, IT, R&D",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "ou_uid": {
+ "caption": "Org Unit ID",
+ "description": "The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the organization. For example, its Active Directory or AWS Org ID.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Organization",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Organization object describes characteristics of an organization or company and its division if any.",
+ "extends": "_entity",
+ "name": "organization"
+ },
+ "os": {
+ "attributes": {
+ "build": {
+ "caption": "OS Build",
+ "description": "The operating system build number.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "country": {
+ "caption": "Country",
+ "description": "The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.",
+ "observable": 14,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cpe_name": {
+ "caption": "The product CPE identifier",
+ "description": "The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cpu_bits": {
+ "caption": "CPU Bits",
+ "description": "The cpu architecture, the number of bits used for addressing in memory. For example: 32
or 64
.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "edition": {
+ "caption": "OS Edition",
+ "description": "The operating system edition. For example: Professional
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "lang": {
+ "caption": "Language",
+ "description": "The two letter lower case language codes, as defined by ISO 639-1. For example: en
(English), de
(German), or fr
(French).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The operating system name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sp_name": {
+ "caption": "OS Service Pack",
+ "description": "The name of the latest Service Pack.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "sp_ver": {
+ "caption": "OS Service Pack Version",
+ "description": "The version number of the latest Service Pack.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of the operating system.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The type identifier of the operating system.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "100": {
+ "caption": "Windows"
+ },
+ "101": {
+ "caption": "Windows Mobile"
+ },
+ "200": {
+ "caption": "Linux"
+ },
+ "201": {
+ "caption": "Android"
+ },
+ "300": {
+ "caption": "macOS"
+ },
+ "301": {
+ "caption": "iOS"
+ },
+ "302": {
+ "caption": "iPadOS"
+ },
+ "400": {
+ "caption": "Solaris"
+ },
+ "401": {
+ "caption": "AIX"
+ },
+ "402": {
+ "caption": "HP-UX"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the OS running on the device that originated the event. For example: \"Windows 10\", \"OS X 10.7\", or \"iOS 9\".",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Operating System (OS)",
+ "description": "The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.",
+ "extends": "object",
+ "name": "os"
+ },
+ "package": {
+ "attributes": {
+ "architecture": {
+ "caption": "Architecture",
+ "description": "Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "epoch": {
+ "caption": "Epoch",
+ "description": "The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "license": {
+ "caption": "Software License",
+ "description": "The software license applied to this package.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The software package name.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "purl": {
+ "caption": "Package URL",
+ "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "release": {
+ "caption": "Software Release Details",
+ "description": "Release is the number of times a version of the software has been packaged.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The software package version.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Software Package",
+ "description": "The Software Package object describes details about a software package. Defined by D3FEND d3f:SoftwarePackage.",
+ "extends": "object",
+ "name": "package"
+ },
+ "peripheral_device": {
+ "attributes": {
+ "class": {
+ "caption": "Class",
+ "description": "The class of the peripheral device.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "model": {
+ "caption": "Model",
+ "description": "The peripheral device model.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the peripheral device.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "serial_number": {
+ "caption": "Serial Number",
+ "description": "The peripheral device serial number.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the peripheral device.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The peripheral device vendor.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Peripheral Device",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The peripheral device object describes the identity, vendor and model of a peripheral device.",
+ "extends": "_entity",
+ "name": "peripheral_device"
+ },
+ "policy": {
+ "attributes": {
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the policy.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "effective_time": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Effective Date",
+ "description": "The date and time that the specific policy and rule was applied and became operational. ",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "group": {
+ "caption": "Group",
+ "description": "The policy group.",
+ "requirement": "optional",
+ "type": "group"
+ },
+ "is_applied": {
+ "caption": "Applied",
+ "description": "A determination if the content of a policy was applied to a target or request, or not.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "label": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Label",
+ "description": "The label set for the policy.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The policy name. For example: IAM Policy
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "rule": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Rule",
+ "description": "The primary rule that triggered the policy event.",
+ "requirement": "recommended",
+ "type": "rule"
+ },
+ "rules": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Rules",
+ "description": "Additional rules that triggered the policy event.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "rule"
+ },
+ "type": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Type",
+ "description": "The type of the policy.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The policy type identifier; one of:",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Policy Group",
+ "description": "Policy group"
+ },
+ "10": {
+ "caption": "Deny List",
+ "description": "Deny List policy"
+ },
+ "11": {
+ "caption": "Generic Discovery",
+ "description": "Application Isolation generic discovery policy"
+ },
+ "12": {
+ "caption": "Targeted Discovery",
+ "description": "Application Isolation targeted discovery policy"
+ },
+ "13": {
+ "caption": "Malware Protection",
+ "description": "Malware Protection policy"
+ },
+ "14": {
+ "caption": "Exploit Protection",
+ "description": "Exploit Protection policy"
+ },
+ "15": {
+ "caption": "Telemetry",
+ "description": "Telemetry policy"
+ },
+ "16": {
+ "caption": "Exception",
+ "description": "Exception policy"
+ },
+ "17": {
+ "caption": "System",
+ "description": "System policy"
+ },
+ "2": {
+ "caption": "Browser Isolation",
+ "description": "Application isolation browser policy"
+ },
+ "3": {
+ "caption": "Java Isolation",
+ "description": "Application isolation Java\u00ae Virtual Machine policy"
+ },
+ "4": {
+ "caption": "Office Isolation",
+ "description": "Application Isolation Microsoft Office policy"
+ },
+ "5": {
+ "caption": "PDF Renderer Isolation",
+ "description": "Application Isolation PDF Renderer policy"
+ },
+ "6": {
+ "caption": "Generic Isolation",
+ "description": "Application Isolation custom policy"
+ },
+ "7": {
+ "caption": "Null Isolation",
+ "description": "Application Isolation null policy"
+ },
+ "8": {
+ "caption": "Platform",
+ "description": "Application Isolation platform policy"
+ },
+ "9": {
+ "caption": "Allow List",
+ "description": "Allow List policy"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "A unique identifier of the policy instance.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The policy version number.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Policy",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
",
+ "extends": "_entity",
+ "name": "policy"
+ },
+ "process": {
+ "attributes": {
+ "auid": {
+ "caption": "Audit User ID",
+ "description": "The audit user assigned at login by the audit subsystem.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "cmd_line": {
+ "caption": "Command Line",
+ "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10
. If the command line is unavailable or missing, the empty string ''
is to be used.",
+ "observable": 13,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "container": {
+ "caption": "Container",
+ "description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
+ "group": "context",
+ "observable": 27,
+ "requirement": "recommended",
+ "type": "container"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the process was created/started.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "egid": {
+ "caption": "Effective Group ID",
+ "description": "The effective group under which this process is running.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "euid": {
+ "caption": "Effective User ID",
+ "description": "The effective user under which this process is running.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "file": {
+ "caption": "File",
+ "description": "The process file object.",
+ "observable": 24,
+ "requirement": "recommended",
+ "type": "file"
+ },
+ "group": {
+ "caption": "Group",
+ "description": "The group under which this process is running.",
+ "requirement": "recommended",
+ "type": "group"
+ },
+ "integrity": {
+ "caption": "Integrity",
+ "description": "The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).",
+ "requirement": "optional",
+ "sibling": "integrity",
+ "type": "string_t"
+ },
+ "integrity_id": {
+ "caption": "Integrity Level",
+ "description": "The normalized identifier of the process integrity level (Windows only).",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Untrusted"
+ },
+ "2": {
+ "caption": "Low"
+ },
+ "3": {
+ "caption": "Medium"
+ },
+ "4": {
+ "caption": "High"
+ },
+ "5": {
+ "caption": "System"
+ },
+ "6": {
+ "caption": "Protected"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "integrity",
+ "type": "integer_t"
+ },
+ "lineage": {
+ "caption": "Lineage",
+ "description": "The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']
.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "loaded_modules": {
+ "caption": "Loaded Modules",
+ "description": "The list of loaded module names.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The friendly name of the process, for example: Notepad++
.",
+ "name": "process_name_t",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "namespace_pid": {
+ "caption": "Namespace PID",
+ "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "parent_process": {
+ "caption": "Parent Process",
+ "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
+ "observable": 25,
+ "requirement": "recommended",
+ "type": "process"
+ },
+ "pid": {
+ "caption": "Process ID",
+ "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
+ "observable": 15,
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sandbox": {
+ "caption": "Sandbox",
+ "description": "The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "session": {
+ "caption": "Session",
+ "description": "The user session under which this process is running.",
+ "requirement": "optional",
+ "type": "session"
+ },
+ "terminated_time": {
+ "caption": "Terminated Time",
+ "description": "The time when the process was terminated.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "tid": {
+ "caption": "Thread ID",
+ "description": "The Identifier of the thread associated with the event, as returned by the operating system.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "user": {
+ "caption": "User",
+ "description": "The user under which this process is running.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "xattributes": {
+ "caption": "Extended Attributes",
+ "description": "An unordered collection of zero or more name/value pairs that represent a process extended attribute.",
+ "requirement": "optional",
+ "type": "json_t"
+ }
+ },
+ "caption": "Linux Process",
+ "constraints": {
+ "at_least_one": [
+ "pid",
+ "uid"
+ ]
+ },
+ "description": "Extends the process object to add Linux specific fields",
+ "extends": "process",
+ "name": "process",
+ "observable": 25,
+ "profiles": [
+ "linux/linux_users"
+ ]
+ },
+ "product": {
+ "attributes": {
+ "cpe_name": {
+ "caption": "The product CPE identifier",
+ "description": "The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "feature": {
+ "caption": "Feature",
+ "description": "The feature that reported the event.",
+ "requirement": "optional",
+ "type": "feature"
+ },
+ "lang": {
+ "caption": "Language",
+ "description": "The two letter lower case language codes, as defined by ISO 639-1. For example: en
(English), de
(German), or fr
(French).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the product.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The installation path of the product.",
+ "requirement": "optional",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the product.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url_string": {
+ "caption": "URL String",
+ "description": "The URL pointing towards the product.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The name of the vendor of the product.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the product, as defined by the event source. For example: 2013.1.3-beta
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Product",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Product object describes characteristics of a software product.",
+ "extends": "_entity",
+ "name": "product",
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "query_info": {
+ "attributes": {
+ "bytes": {
+ "caption": "Total Bytes",
+ "description": "The size of the data returned from the query.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "data": {
+ "caption": "Data",
+ "description": "The data returned from the query execution.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The query name for a saved or scheduled query.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "query_string": {
+ "caption": "Query String",
+ "description": "A string representing the query code being run. For example: SELECT * FROM my_table
",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "query_time": {
+ "caption": "Query Time",
+ "description": "The time when the query was run.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the query.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Query Information",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a query must be written using a specific syntax.",
+ "extends": "_entity",
+ "name": "query_info"
+ },
+ "reg_key": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "is_system": {
+ "caption": "System",
+ "description": "The indication of whether the object is part of the operating system.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the registry key was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path to the registry key.",
+ "requirement": "required",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "security_descriptor": {
+ "caption": "Security Descriptor",
+ "description": "The security descriptor of the registry key.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Key",
+ "description": "The registry key object describes a Windows registry key.",
+ "extends": "object",
+ "extension": "windows",
+ "name": "registry_key",
+ "observable": 28
+ },
+ "reg_value": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "The data of the registry value.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "is_default": {
+ "caption": "Default Value",
+ "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_system": {
+ "caption": "System",
+ "description": "The indication of whether the object is part of the operating system.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the registry value was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the registry value.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path to the registry key, where the value is located.",
+ "requirement": "required",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "A string representation of the value type as specified in Registry Value Types.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The value type ID.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "REG_BINARY"
+ },
+ "10": {
+ "caption": "REG_SZ"
+ },
+ "2": {
+ "caption": "REG_DWORD"
+ },
+ "3": {
+ "caption": "REG_DWORD_BIG_ENDIAN"
+ },
+ "4": {
+ "caption": "REG_EXPAND_SZ"
+ },
+ "5": {
+ "caption": "REG_LINK"
+ },
+ "6": {
+ "caption": "REG_MULTI_SZ"
+ },
+ "7": {
+ "caption": "REG_NONE"
+ },
+ "8": {
+ "caption": "REG_QWORD"
+ },
+ "9": {
+ "caption": "REG_QWORD_LITTLE_ENDIAN"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Registry Value",
+ "description": "The registry value object describes a Windows registry value.",
+ "extends": "object",
+ "extension": "windows",
+ "name": "registry_value",
+ "observable": 29
+ },
+ "registry_key": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "is_system": {
+ "caption": "System",
+ "description": "The indication of whether the object is part of the operating system.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the registry key was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path to the registry key.",
+ "requirement": "required",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "security_descriptor": {
+ "caption": "Security Descriptor",
+ "description": "The security descriptor of the registry key.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Registry Key",
+ "description": "The registry key object describes a Windows registry key.",
+ "name": "registry_key"
+ },
+ "registry_value": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "The data of the registry value.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "is_default": {
+ "caption": "Default Value",
+ "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_system": {
+ "caption": "System",
+ "description": "The indication of whether the object is part of the operating system.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The time when the registry value was last modified.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the registry value.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The full path to the registry key, where the value is located.",
+ "requirement": "required",
+ "type": "path_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "A string representation of the value type as specified in Registry Value Types.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The value type ID.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which may contain a data source specific value."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "REG_BINARY"
+ },
+ "10": {
+ "caption": "REG_SZ"
+ },
+ "2": {
+ "caption": "REG_DWORD"
+ },
+ "3": {
+ "caption": "REG_DWORD_BIG_ENDIAN"
+ },
+ "4": {
+ "caption": "REG_EXPAND_SZ"
+ },
+ "5": {
+ "caption": "REG_LINK"
+ },
+ "6": {
+ "caption": "REG_MULTI_SZ"
+ },
+ "7": {
+ "caption": "REG_NONE"
+ },
+ "8": {
+ "caption": "REG_QWORD"
+ },
+ "9": {
+ "caption": "REG_QWORD_LITTLE_ENDIAN"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ }
+ },
+ "caption": "Registry Value",
+ "description": "The registry value object describes a Windows registry value.",
+ "name": "registry_value"
+ },
+ "related_event": {
+ "attributes": {
+ "attacks": {
+ "caption": "MITRE ATT&CK\u00ae Details",
+ "description": "An array of MITRE ATT&CK\u00ae objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "attack"
+ },
+ "kill_chain": {
+ "caption": "Kill Chain",
+ "description": "The Cyber Kill Chain\u00ae provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kill_chain_phase"
+ },
+ "observables": {
+ "caption": "Observables",
+ "description": "The observables associated with the event or a finding.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "observable"
+ },
+ "product_uid": {
+ "caption": "Product Identifier",
+ "description": "The unique identifier of the product that reported the related event.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "@deprecated": {
+ "message": "Use type_name
attribute instead.",
+ "since": "1.2.0"
+ },
+ "caption": "Type",
+ "description": "The type of the related event, as defined by type_uid
. For example: Process Activity: Launch.
",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_name": {
+ "caption": "Type Name",
+ "description": "The type of the related OCSF event, as defined by type_uid
. For example: Process Activity: Launch.
",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_uid": {
+ "caption": "Type ID",
+ "description": "The unique identifier of the related OCSF event type. For example: 100701.
",
+ "requirement": "recommended",
+ "sibling": "type_name",
+ "type": "long_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the related OCSF event. This value must be equal to metadata.uid
in the corresponding related event.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Related Event",
+ "description": "The Related Event object describes an OCSF event related to a finding.",
+ "extends": "object",
+ "name": "related_event"
+ },
+ "related_findings": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "product_uid": {
+ "caption": "Product Identifier",
+ "description": "The unique identifier of the product that reported the finding.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the related finding.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Related Findings",
+ "description": "Related Findings object describes findings related to a finding as identified by the security product.",
+ "extension": "archive",
+ "name": "related_findings"
+ },
+ "remediation": {
+ "attributes": {
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the remediation strategy.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "kb_article_list": {
+ "caption": "Knowledgebase Articles",
+ "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kb_article"
+ },
+ "kb_articles": {
+ "@deprecated": {
+ "message": "Use the kb_article_list
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Knowledgebase Articles",
+ "description": "The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "References",
+ "description": "A list of supporting URL/s, references that help describe the remediation strategy.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Remediation",
+ "description": "The Remediation object describes the recommended remediation steps to address identified issue(s).",
+ "extends": "object",
+ "name": "remediation"
+ },
+ "reputation": {
+ "attributes": {
+ "base_score": {
+ "caption": "Reputation Score",
+ "description": "The reputation score as reported by the event source.",
+ "requirement": "required",
+ "type": "float_t"
+ },
+ "provider": {
+ "caption": "Provider",
+ "description": "The provider of the reputation information.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "raw_score": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Score",
+ "description": "The reputation score as reported by the event source.",
+ "requirement": "required",
+ "type": "float_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "score": {
+ "caption": "Reputation Score",
+ "description": "The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "score_id": {
+ "caption": "Reputation Score ID",
+ "description": "The normalized reputation score identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The reputation score is unknown."
+ },
+ "1": {
+ "caption": "Very Safe",
+ "description": "Long history of good behavior."
+ },
+ "10": {
+ "caption": "Malicious",
+ "description": "Proven evidence of maliciousness."
+ },
+ "2": {
+ "caption": "Safe",
+ "description": "Consistently good behavior."
+ },
+ "3": {
+ "caption": "Probably Safe",
+ "description": "Reasonable history of good behavior."
+ },
+ "4": {
+ "caption": "Leans Safe",
+ "description": "Starting to establish a history of normal behavior."
+ },
+ "5": {
+ "caption": "May not be Safe",
+ "description": "No established history of normal behavior."
+ },
+ "6": {
+ "caption": "Exercise Caution",
+ "description": "Starting to establish a history of suspicious or risky behavior."
+ },
+ "7": {
+ "caption": "Suspicious/Risky",
+ "description": "A site with a history of suspicious or risky behavior. (spam, scam, potentially unwanted software, potentially malicious)."
+ },
+ "8": {
+ "caption": "Possibly Malicious",
+ "description": "Strong possibility of maliciousness."
+ },
+ "9": {
+ "caption": "Probably Malicious",
+ "description": "Indicators of maliciousness."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The reputation score is not mapped. See the rep_score
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "score",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Reputation",
+ "description": "The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).",
+ "extends": "object",
+ "name": "reputation"
+ },
+ "request": {
+ "attributes": {
+ "containers": {
+ "caption": "Containers",
+ "description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
+ "is_array": true,
+ "observable": 27,
+ "requirement": "optional",
+ "type": "container"
+ },
+ "data": {
+ "caption": "Data",
+ "description": "The additional data that is associated with the api request.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "flags": {
+ "caption": "Flags",
+ "description": "The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique request identifier.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Request Elements",
+ "description": "The Request Elements object describes characteristics of an API request.",
+ "extends": "object",
+ "name": "request"
+ },
+ "resource": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "attributes": {
+ "account_uid": {
+ "caption": "Account UID",
+ "description": "The unique identifier of the resource owning account(e.g. AWS Account ID).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "cloud_partition": {
+ "caption": "Cloud Partition",
+ "description": "The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "criticality": {
+ "caption": "Criticality",
+ "description": "The criticality of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "details": {
+ "caption": "Details",
+ "description": "The details pertaining to the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "group_name": {
+ "@deprecated": {
+ "message": "Use the group.name
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Group Name",
+ "description": "The name of the group that the resource belongs to.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels attached to an event, object, or attribute.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the resource.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The identity of the service or user account that owns the resource",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "region": {
+ "caption": "Region",
+ "description": "The region of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the resource.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Resource",
+ "description": "The resource object describes a managed resource.",
+ "extension": "archive",
+ "name": "resource"
+ },
+ "resource_details": {
+ "attributes": {
+ "agent_list": {
+ "caption": "Agent List",
+ "description": "A list of agent
objects associated with a device, endpoint, or resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "agent"
+ },
+ "api": {
+ "caption": "API Details",
+ "description": "Describes details about a typical API (Application Programming Interface) call.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "api"
+ },
+ "cloud": {
+ "caption": "Cloud",
+ "description": "Describes details about the Cloud environment where the event was originally created or logged.",
+ "group": "primary",
+ "requirement": "required",
+ "type": "cloud"
+ },
+ "cloud_partition": {
+ "caption": "Cloud Partition",
+ "description": "The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).",
+ "profile": "cloud",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "criticality": {
+ "caption": "Criticality",
+ "description": "The criticality of the resource as defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "data": {
+ "caption": "Data",
+ "description": "Additional data describing the resource.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "group": {
+ "caption": "Group",
+ "description": "The name of the related resource group.",
+ "requirement": "optional",
+ "type": "group"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels/tags associated to a resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "namespace": {
+ "caption": "Namespace",
+ "description": "The namespace is useful when similar entities exist that you need to keep separate.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "owner": {
+ "caption": "Owner",
+ "description": "The identity of the service or user account that owns the resource.",
+ "observable": 21,
+ "requirement": "recommended",
+ "type": "user"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "region": {
+ "caption": "Region",
+ "description": "The cloud region of the resource.",
+ "profile": "cloud",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The resource type as defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the resource. For example 1.2.3
.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Resource Details",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Resource Details object describes details about resources that were affected by the activity/event.",
+ "extends": "_resource",
+ "name": "resource_details",
+ "profiles": [
+ "cloud"
+ ]
+ },
+ "response": {
+ "attributes": {
+ "code": {
+ "caption": "Response Code",
+ "description": "The numeric response sent to a request.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "containers": {
+ "caption": "Containers",
+ "description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
+ "is_array": true,
+ "observable": 27,
+ "requirement": "optional",
+ "type": "container"
+ },
+ "data": {
+ "caption": "Data",
+ "description": "The additional data that is associated with the api response.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "error": {
+ "caption": "Error Code",
+ "description": "Error Code",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "error_message": {
+ "caption": "Error Message",
+ "description": "Error Message",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "flags": {
+ "caption": "Flags",
+ "description": "The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "message": {
+ "caption": "Message",
+ "description": "The description of the event/finding, as defined by the source.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Response Elements",
+ "description": "The Response Elements object describes characteristics of an API response.",
+ "extends": "object",
+ "name": "response"
+ },
+ "rpc_interface": {
+ "attributes": {
+ "ack_reason": {
+ "caption": "Acknowledgement Reason",
+ "description": "An integer that provides a reason code or additional information about the acknowledgment result.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "ack_result": {
+ "caption": "Acknowledgement Result",
+ "description": "An integer that denotes the acknowledgment result of the DCE/RPC call.",
+ "requirement": "recommended",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "uuid": {
+ "caption": "UUID",
+ "description": "The unique identifier of the particular remote procedure or service.",
+ "requirement": "required",
+ "type": "uuid_t"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the DCE/RPC protocol being used in the session.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "RPC Interface",
+ "description": "The RPC Interface represents the remote procedure call interface used in the DCE/RPC session.",
+ "extends": "object",
+ "name": "rpc_interface"
+ },
+ "rule": {
+ "attributes": {
+ "category": {
+ "caption": "Category",
+ "description": "The rule category.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the rule that generated the event.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the rule that generated the event.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The rule type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the rule that generated the event.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The rule version. For example: 1.1
.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Rule",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Rule object describes characteristics of a rule associated with a policy or an event.",
+ "extends": "_entity",
+ "name": "rule"
+ },
+ "san": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "Name of SAN (e.g. The actual IP Address or domain.)",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "Type descriptor of SAN (e.g. IP Address/domain/etc.)",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Subject Alternative Name",
+ "description": "The Subject Alternative name (SAN) object describes a SAN secured by a digital certificate",
+ "extends": "object",
+ "name": "san"
+ },
+ "scan": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of scan.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The type id of the scan.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "Manual",
+ "description": "The scan was manually initiated by the user or administrator."
+ },
+ "2": {
+ "caption": "Scheduled",
+ "description": "The scan was started based on scheduler."
+ },
+ "3": {
+ "caption": "Updated Content",
+ "description": "The scan was triggered by a content update."
+ },
+ "4": {
+ "caption": "Quarantined Items",
+ "description": "The scan was triggered by newly quarantined items."
+ },
+ "5": {
+ "caption": "Attached Media",
+ "description": "The scan was triggered by the attachment of removable media."
+ },
+ "6": {
+ "caption": "User Logon",
+ "description": "The scan was started due to a user logon."
+ },
+ "7": {
+ "caption": "ELAM",
+ "description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The scan type id is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Scan UID",
+ "description": "The application-defined unique identifier assigned to an instance of a scan.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Scan",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Scan object describes characteristics of a proactive scan.",
+ "extends": "_entity",
+ "name": "scan"
+ },
+ "security_state": {
+ "attributes": {
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "state": {
+ "caption": "Security State",
+ "description": "The security state, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "state_id": {
+ "caption": "Security State ID",
+ "description": "The security state of the managed entity.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The security state is unknown."
+ },
+ "1": {
+ "caption": "Missing or outdated content",
+ "description": "The content is missing or outdated."
+ },
+ "10": {
+ "caption": "Content is locked",
+ "description": "The content is locked to a specific version."
+ },
+ "11": {
+ "caption": "Not installed",
+ "description": "The entity is not installed."
+ },
+ "12": {
+ "caption": "Writable system partition",
+ "description": "The system partition is writeable."
+ },
+ "13": {
+ "caption": "SafetyNet failure",
+ "description": "The device has failed the SafetyNet check."
+ },
+ "14": {
+ "caption": "Failed boot verify",
+ "description": "The device has failed the boot verification process."
+ },
+ "15": {
+ "caption": "Modified execution environment",
+ "description": "The execution environment has been modified."
+ },
+ "16": {
+ "caption": "SELinux disabled",
+ "description": "The SELinux security feature has been disabled."
+ },
+ "17": {
+ "caption": "Elevated privilege shell",
+ "description": "An elevated privilege shell has been detected."
+ },
+ "18": {
+ "caption": "iOS file system altered",
+ "description": "The file system has been altered on an iOS device."
+ },
+ "19": {
+ "caption": "Open remote access",
+ "description": "Remote access is enabled."
+ },
+ "2": {
+ "caption": "Policy mismatch",
+ "description": "Not in compliance with the expected security policy."
+ },
+ "20": {
+ "caption": "OTA updates disabled",
+ "description": "Mobile OTA (Over The Air) updates have been disabled."
+ },
+ "21": {
+ "caption": "Rooted",
+ "description": "The device has been modified to allow root access."
+ },
+ "22": {
+ "caption": "Android partition modified",
+ "description": "The Android partition has been modified."
+ },
+ "23": {
+ "caption": "Compliance failure",
+ "description": "The entity is not compliant with the associated security policy."
+ },
+ "3": {
+ "caption": "In network quarantine",
+ "description": "Isolated from the network."
+ },
+ "4": {
+ "caption": "Protection off",
+ "description": "Not protected by a security solution."
+ },
+ "5": {
+ "caption": "Protection malfunction",
+ "description": "The security solution is not functioning properly."
+ },
+ "6": {
+ "caption": "Protection not licensed",
+ "description": "The security solution does not have a valid license."
+ },
+ "7": {
+ "caption": "Unremediated threat",
+ "description": "A detected threat has not been remediated."
+ },
+ "8": {
+ "caption": "Suspicious reputation",
+ "description": "Reputation of the entity is suspicious."
+ },
+ "9": {
+ "caption": "Reboot pending",
+ "description": "A reboot is required for one or more pending actions."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The security state is not mapped. See the state
attribute, which contains data source specific values."
+ }
+ },
+ "requirement": "optional",
+ "sibling": "state",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Security State",
+ "description": "The Security State object describes the security related state of a managed entity.",
+ "extends": "object",
+ "name": "security_state"
+ },
+ "service": {
+ "attributes": {
+ "cmd_line": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Command Line",
+ "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10
. If the command line is unavailable or missing, the empty string ''
is to be used",
+ "observable": 13,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "file": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "File",
+ "description": "The service file object.",
+ "observable": 24,
+ "requirement": "required",
+ "type": "file"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels associated with the service.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "loaded_module_name": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Loaded Module",
+ "description": "The name of the module loaded by the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "run_state": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Run State",
+ "description": "The service run state.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "run_state_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Run State ID",
+ "description": "The service run state ID.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The service run state is other."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The service run state is unknown."
+ },
+ "1": {
+ "caption": "Stopped",
+ "description": "The service is not running."
+ },
+ "2": {
+ "caption": "Start Pending",
+ "description": "The service is starting."
+ },
+ "3": {
+ "caption": "Stop Pending",
+ "description": "The service is stopping."
+ },
+ "4": {
+ "caption": "Running",
+ "description": "The service is running."
+ },
+ "5": {
+ "caption": "Continue Pending",
+ "description": "The service continue is pending."
+ },
+ "6": {
+ "caption": "Pause Pending",
+ "description": "The service pause is pending."
+ },
+ "7": {
+ "caption": "Paused",
+ "description": "The service is paused."
+ }
+ },
+ "requirement": "required",
+ "sibling": "run_state",
+ "type": "integer_t"
+ },
+ "start_type": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Start Type",
+ "description": "The service start type.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "start_type_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Start Type ID",
+ "description": "The service start type ID.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The start type is not mapped. See the start_type
attribute, which contains a data source specific value."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The startup type is unknown."
+ },
+ "1": {
+ "caption": "Auto",
+ "description": "Started automatically during system startup."
+ },
+ "10": {
+ "caption": "System Changed",
+ "description": "Started when a system item, such as a file or registry key, changes."
+ },
+ "2": {
+ "caption": "Boot",
+ "description": "Started by the system loader."
+ },
+ "3": {
+ "caption": "Demand",
+ "description": "Started on demand. For example, by the Window service control manager when a process calls the StartService function."
+ },
+ "4": {
+ "caption": "System",
+ "description": "Started by the IoInitSystem function."
+ },
+ "5": {
+ "caption": "Disabled",
+ "description": "Disabled."
+ },
+ "6": {
+ "caption": "All Logins",
+ "description": "Started on any user login."
+ },
+ "7": {
+ "caption": "Specific User Login",
+ "description": "Started when on a specific user login."
+ },
+ "8": {
+ "caption": "Interactive Login",
+ "description": "Started on interactive logins."
+ },
+ "9": {
+ "caption": "Scheduled",
+ "description": "Stared according to a schedule."
+ }
+ },
+ "requirement": "required",
+ "type": "integer_t"
+ },
+ "type_ids": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Type IDs",
+ "description": "The service type identifiers.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The service type is not mapped. See the types
attribute, which contains a data source specific values."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown"
+ },
+ "1": {
+ "caption": "Adapter",
+ "description": "Adapter"
+ },
+ "2": {
+ "caption": "File System Driver",
+ "description": "File system driver"
+ },
+ "3": {
+ "caption": "Kernel Driver",
+ "description": "Device driver"
+ },
+ "4": {
+ "caption": "Recognized Driver",
+ "description": "Recognized Driver"
+ },
+ "5": {
+ "caption": "Own Process",
+ "description": "The application runs in its own process"
+ },
+ "6": {
+ "caption": "Shared Process",
+ "description": "The application shares a process with other services"
+ },
+ "7": {
+ "caption": "Interactive",
+ "description": "The service can interact with the desktop"
+ },
+ "8": {
+ "caption": "Other",
+ "description": "U/X, OS X service"
+ },
+ "9": {
+ "caption": "Autoload",
+ "description": "The Mac OS X Autoload Application"
+ }
+ },
+ "is_array": true,
+ "requirement": "required",
+ "type": "integer_t"
+ },
+ "types": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Types",
+ "description": "The service types.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The version of the service.",
+ "requirement": "recommended",
+ "type": "string_t"
+ }
+ },
+ "caption": "Service",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Service object describes characteristics of a service, e.g. AWS EC2.
",
+ "extends": "_entity",
+ "name": "service"
+ },
+ "session": {
+ "attributes": {
+ "count": {
+ "caption": "Count",
+ "description": "The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the session was created.",
+ "requirement": "recommended",
+ "type": "timestamp_t"
+ },
+ "credential_uid": {
+ "caption": "User Credential ID",
+ "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "expiration_reason": {
+ "caption": "Expiration Reason",
+ "description": "The reason which triggered the session expiration.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "expiration_time": {
+ "caption": "Expiration Time",
+ "description": "The session expiration time.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "is_mfa": {
+ "caption": "Multi Factor Authentication",
+ "description": "Indicates whether Multi Factor Authentication was used during authentication.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_remote": {
+ "caption": "Remote",
+ "description": "The indication of whether the session is remote.",
+ "requirement": "recommended",
+ "type": "boolean_t"
+ },
+ "is_vpn": {
+ "caption": "VPN Session",
+ "description": "The indication of whether the session is a VPN session.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "issuer": {
+ "caption": "Issuer Details",
+ "description": "The identifier of the session issuer.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "mfa": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Multi Factor Authentication",
+ "description": "The Multi Factor Authentication was used during authentication.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "terminal": {
+ "caption": "Terminal",
+ "description": "The Pseudo Terminal associated with the session. Ex: the tty or pts value.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the session.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid_alt": {
+ "caption": "Alternate ID",
+ "description": "The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "uuid": {
+ "caption": "UUID",
+ "description": "The universally unique identifier of the session.",
+ "requirement": "optional",
+ "type": "uuid_t"
+ }
+ },
+ "caption": "Session",
+ "description": "The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session.",
+ "extends": "object",
+ "name": "session"
+ },
+ "sub_technique": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the attack sub technique, as defined by ATT&CK MatrixTM. For example: Scanning IP Blocks
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The versioned permalink of the attack sub technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the attack sub technique, as defined by ATT&CK MatrixTM. For example: T1595.001
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Sub Technique",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "extends": "_entity",
+ "name": "sub_technique"
+ },
+ "table": {
+ "attributes": {
+ "created_time": {
+ "caption": "Created Time",
+ "description": "The time when the table was known to have been created.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the table.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "groups": {
+ "caption": "Groups",
+ "description": "The group names to which the table belongs.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "group"
+ },
+ "modified_time": {
+ "caption": "Modified Time",
+ "description": "The most recent time when any changes, updates, or modifications were made within the table.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The table name, ordinarily as assigned by a database administrator.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "size": {
+ "caption": "Size",
+ "description": "The size of the data table in bytes.",
+ "requirement": "optional",
+ "type": "long_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the table.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Table",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
+ "extends": "_entity",
+ "name": "table"
+ },
+ "tactic": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. For example: Reconnaissance
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The versioned permalink of the attack tactic, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. For example: TA0043
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Tactic",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
+ "extends": "_entity",
+ "name": "tactic"
+ },
+ "technique": {
+ "attributes": {
+ "name": {
+ "caption": "Name",
+ "description": "The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Active Scanning
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "src_url": {
+ "caption": "Source URL",
+ "description": "The versioned permalink of the attack technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
+ "observable": 6,
+ "requirement": "optional",
+ "type": "url_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1595
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Technique",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.",
+ "extends": "_entity",
+ "name": "technique"
+ },
+ "threat_intelligence": {
+ "attributes": {
+ "provider": {
+ "caption": "Provider",
+ "description": "Threat intelligence data provider name e.g. AlienVaultOTX",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "caption": "Reputation Scores",
+ "description": "Reputation score as reported by provider",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "Type of entity for which threat info is provided e.g. IP",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "IP"
+ },
+ "2": {
+ "caption": "Domain"
+ },
+ "3": {
+ "caption": "Url"
+ },
+ "4": {
+ "caption": "Hash"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "Entity value for which threat info is provided",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Threat Intelligence",
+ "description": "Insights from threat intelligence platforms",
+ "extends": "object",
+ "extension": "query",
+ "name": "threat_intelligence"
+ },
+ "tls": {
+ "attributes": {
+ "alert": {
+ "caption": "Client TLS Alert",
+ "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in RFC-2246.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "certificate": {
+ "caption": "Certificate",
+ "description": "The certificate object containing information about the digital certificate.",
+ "requirement": "recommended",
+ "type": "certificate"
+ },
+ "certificate_chain": {
+ "caption": "Certificate Chain",
+ "description": "The Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "cipher": {
+ "caption": "Cipher Suite",
+ "description": "The negotiated cipher suite.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "client_ciphers": {
+ "caption": "Client Cipher Suites",
+ "description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "extension_list": {
+ "@deprecated": {
+ "message": "Use the tls_extension_list
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Extension List",
+ "description": "The list of TLS extensions.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "tls_extension"
+ },
+ "handshake_dur": {
+ "caption": "Handshake Duration",
+ "description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "ja3_fingerprint": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "JA3 Fingerprint",
+ "description": "The fingerprint of JA3 string.",
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "ja3_hash": {
+ "caption": "JA3 Hash",
+ "description": "The MD5 hash of a JA3 string.",
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "ja3_string": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "JA3 String",
+ "description": "The JA3 string.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "ja3s_fingerprint": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "JAS3 Fingerprint",
+ "description": "The fingerprint of JAS3 string.",
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "ja3s_hash": {
+ "caption": "JA3S Hash",
+ "description": "The MD5 hash of a JA3S string.",
+ "observable": 30,
+ "requirement": "recommended",
+ "type": "fingerprint"
+ },
+ "ja3s_string": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "JAS3 String",
+ "description": "The JAS3 string.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "key_length": {
+ "caption": "Key Length",
+ "description": "The length of the encryption key.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "sans": {
+ "caption": "Subject Alternative Names",
+ "description": "The list of subject alternative names that are secured by a specific certificate.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "san"
+ },
+ "server_ciphers": {
+ "caption": "Server Cipher Suites",
+ "description": "The server cipher suites that were exchanged during the TLS handshake negotiation.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "sni": {
+ "caption": "Server Name Indication",
+ "description": " The Server Name Indication (SNI) extension sent by the client.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "tls_extension_list": {
+ "caption": "TLS Extension List",
+ "description": "The list of TLS extensions.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "tls_extension"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "version": {
+ "caption": "Version",
+ "description": "The TLS protocol version.",
+ "requirement": "required",
+ "type": "string_t"
+ }
+ },
+ "caption": "Transport Layer Security (TLS)",
+ "description": "The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an establish network connection.",
+ "extends": "object",
+ "name": "tls"
+ },
+ "tls_extension": {
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "The data contains information specific to the particular extension type.",
+ "requirement": "recommended",
+ "type": "json_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The TLS extension type. For example: Server Name
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The TLS extension type identifier. See The Transport Layer Security (TLS) extension page.",
+ "enum": {
+ "0": {
+ "caption": "server_name",
+ "description": "The Server Name Indication extension."
+ },
+ "1": {
+ "caption": "maximum_fragment_length",
+ "description": "The Maximum Fragment Length Negotiation extension."
+ },
+ "10": {
+ "caption": "supported_groups",
+ "description": "The Supported Groups extension."
+ },
+ "13": {
+ "caption": "signature_algorithms",
+ "description": "The Signature Algorithms extension."
+ },
+ "14": {
+ "caption": "use_srtp",
+ "description": "The Use SRTP data protection extension."
+ },
+ "15": {
+ "caption": "heartbeat",
+ "description": "The Heartbeat extension."
+ },
+ "16": {
+ "caption": "application_layer_protocol_negotiation",
+ "description": "The Application-Layer Protocol Negotiation extension."
+ },
+ "18": {
+ "caption": "signed_certificate_timestamp",
+ "description": "The Signed Certificate Timestamp extension."
+ },
+ "19": {
+ "caption": "client_certificate_type",
+ "description": "The Client Certificate Type extension."
+ },
+ "20": {
+ "caption": "server_certificate_type",
+ "description": "The Server Certificate Type extension."
+ },
+ "21": {
+ "caption": "padding",
+ "description": "The Padding extension."
+ },
+ "41": {
+ "caption": "pre_shared_key",
+ "description": "The Pre Shared Key extension."
+ },
+ "42": {
+ "caption": "early_data",
+ "description": "The Early Data extension."
+ },
+ "43": {
+ "caption": "supported_versions",
+ "description": "The Supported Versions extension."
+ },
+ "44": {
+ "caption": "cookie",
+ "description": "The Cookie extension."
+ },
+ "45": {
+ "caption": "psk_key_exchange_modes",
+ "description": "The Pre-Shared Key Exchange Modes extension."
+ },
+ "47": {
+ "caption": "certificate_authorities",
+ "description": "The Certificate Authorities extension."
+ },
+ "48": {
+ "caption": "oid_filters",
+ "description": "The OID Filters extension."
+ },
+ "49": {
+ "caption": "post_handshake_auth",
+ "description": "The Post-Handshake Client Authentication extension."
+ },
+ "5": {
+ "caption": "status_request",
+ "description": "The Certificate Status Request extension."
+ },
+ "50": {
+ "caption": "signature_algorithms_cert",
+ "description": "The Signature Algorithms extension."
+ },
+ "51": {
+ "caption": "key_share",
+ "description": "The Key Share extension."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "TLS Extension",
+ "description": "The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object.",
+ "extends": "object",
+ "name": "tls_extension"
+ },
+ "unmapped": {
+ "attributes": {
+ "caption": {
+ "caption": "Caption",
+ "description": "A short description or label for the unmapped attribute.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "is_array": {
+ "caption": "Is Array",
+ "description": "If true, the value is understood to be an array. Otherwise it is assumed to be a scalar.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the unmapped attribute. This usually corresponds to a field name in the data provider. If no caption is provided, name will be used as a caption. The name attribute must be unique across all unmapped attributes of a record.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of data that is unmapped.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "value": {
+ "caption": "Value",
+ "description": "The unmapped attribute value.",
+ "requirement": "required",
+ "type": "json_t"
+ }
+ },
+ "caption": "Unmapped",
+ "description": "The Unmapped object contains an unmapped datum along with a label and type.",
+ "extension": "query",
+ "name": "unmapped"
+ },
+ "url": {
+ "attributes": {
+ "categories": {
+ "caption": "Website Categorization",
+ "description": "The Website categorization names, as defined by category_ids
enum values.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "category_ids": {
+ "caption": "Website Categorization IDs",
+ "description": "The Website categorization identifiers.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The Domain/URL category is unknown."
+ },
+ "1": {
+ "caption": "Adult/Mature Content"
+ },
+ "101": {
+ "caption": "Spam"
+ },
+ "102": {
+ "caption": "Potentially Unwanted Software"
+ },
+ "103": {
+ "caption": "Dynamic DNS Host"
+ },
+ "106": {
+ "caption": "E-Card/Invitations"
+ },
+ "107": {
+ "caption": "Informational"
+ },
+ "108": {
+ "caption": "Computer/Information Security"
+ },
+ "109": {
+ "caption": "Internet Connected Devices"
+ },
+ "11": {
+ "caption": "Gambling"
+ },
+ "110": {
+ "caption": "Internet Telephony"
+ },
+ "111": {
+ "caption": "Online Meetings"
+ },
+ "112": {
+ "caption": "Media Sharing"
+ },
+ "113": {
+ "caption": "Radio/Audio Streams"
+ },
+ "114": {
+ "caption": "TV/Video Streams"
+ },
+ "118": {
+ "caption": "Piracy/Copyright Concerns"
+ },
+ "121": {
+ "caption": "Marijuana"
+ },
+ "14": {
+ "caption": "Violence/Hate/Racism"
+ },
+ "15": {
+ "caption": "Weapons"
+ },
+ "16": {
+ "caption": "Abortion"
+ },
+ "17": {
+ "caption": "Hacking"
+ },
+ "18": {
+ "caption": "Phishing"
+ },
+ "20": {
+ "caption": "Entertainment"
+ },
+ "21": {
+ "caption": "Business/Economy"
+ },
+ "22": {
+ "caption": "Alternative Spirituality/Belief"
+ },
+ "23": {
+ "caption": "Alcohol"
+ },
+ "24": {
+ "caption": "Tobacco"
+ },
+ "25": {
+ "caption": "Controlled Substances"
+ },
+ "26": {
+ "caption": "Child Pornography"
+ },
+ "27": {
+ "caption": "Education"
+ },
+ "29": {
+ "caption": "Charitable Organizations"
+ },
+ "3": {
+ "caption": "Pornography"
+ },
+ "30": {
+ "caption": "Art/Culture"
+ },
+ "31": {
+ "caption": "Financial Services"
+ },
+ "32": {
+ "caption": "Brokerage/Trading"
+ },
+ "33": {
+ "caption": "Games"
+ },
+ "34": {
+ "caption": "Government/Legal"
+ },
+ "35": {
+ "caption": "Military"
+ },
+ "36": {
+ "caption": "Political/Social Advocacy"
+ },
+ "37": {
+ "caption": "Health"
+ },
+ "38": {
+ "caption": "Technology/Internet"
+ },
+ "4": {
+ "caption": "Sex Education"
+ },
+ "40": {
+ "caption": "Search Engines/Portals"
+ },
+ "43": {
+ "caption": "Malicious Sources/Malnets"
+ },
+ "44": {
+ "caption": "Malicious Outbound Data/Botnets"
+ },
+ "45": {
+ "caption": "Job Search/Careers"
+ },
+ "46": {
+ "caption": "News/Media"
+ },
+ "47": {
+ "caption": "Personals/Dating"
+ },
+ "49": {
+ "caption": "Reference"
+ },
+ "5": {
+ "caption": "Intimate Apparel/Swimsuit"
+ },
+ "50": {
+ "caption": "Mixed Content/Potentially Adult"
+ },
+ "51": {
+ "caption": "Chat (IM)/SMS"
+ },
+ "52": {
+ "caption": "Email"
+ },
+ "53": {
+ "caption": "Newsgroups/Forums"
+ },
+ "54": {
+ "caption": "Religion"
+ },
+ "55": {
+ "caption": "Social Networking"
+ },
+ "56": {
+ "caption": "File Storage/Sharing"
+ },
+ "57": {
+ "caption": "Remote Access Tools"
+ },
+ "58": {
+ "caption": "Shopping"
+ },
+ "59": {
+ "caption": "Auctions"
+ },
+ "6": {
+ "caption": "Nudity"
+ },
+ "60": {
+ "caption": "Real Estate"
+ },
+ "61": {
+ "caption": "Society/Daily Living"
+ },
+ "63": {
+ "caption": "Personal Sites"
+ },
+ "64": {
+ "caption": "Restaurants/Dining/Food"
+ },
+ "65": {
+ "caption": "Sports/Recreation"
+ },
+ "66": {
+ "caption": "Travel"
+ },
+ "67": {
+ "caption": "Vehicles"
+ },
+ "68": {
+ "caption": "Humor/Jokes"
+ },
+ "7": {
+ "caption": "Extreme"
+ },
+ "71": {
+ "caption": "Software Downloads"
+ },
+ "83": {
+ "caption": "Peer-to-Peer (P2P)"
+ },
+ "84": {
+ "caption": "Audio/Video Clips"
+ },
+ "85": {
+ "caption": "Office/Business Applications"
+ },
+ "86": {
+ "caption": "Proxy Avoidance"
+ },
+ "87": {
+ "caption": "For Kids"
+ },
+ "88": {
+ "caption": "Web Ads/Analytics"
+ },
+ "89": {
+ "caption": "Web Hosting"
+ },
+ "9": {
+ "caption": "Scam/Questionable/Illegal"
+ },
+ "90": {
+ "caption": "Uncategorized"
+ },
+ "92": {
+ "caption": "Suspicious"
+ },
+ "93": {
+ "caption": "Sexual Expression"
+ },
+ "95": {
+ "caption": "Translation"
+ },
+ "96": {
+ "caption": "Non-Viewable/Infrastructure"
+ },
+ "97": {
+ "caption": "Content Servers"
+ },
+ "98": {
+ "caption": "Placeholders"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The Domain/URL category is not mapped. See the categories
attribute, which contains a data source specific value."
+ }
+ },
+ "is_array": true,
+ "requirement": "recommended",
+ "sibling": "categories",
+ "type": "integer_t"
+ },
+ "hostname": {
+ "caption": "Hostname",
+ "description": "The URL host as extracted from the URL. For example: www.example.com
from www.example.com/download/trouble
.",
+ "observable": 1,
+ "requirement": "recommended",
+ "type": "hostname_t"
+ },
+ "path": {
+ "caption": "Path",
+ "description": "The URL path as extracted from the URL. For example: /download/trouble
from www.example.com/download/trouble
.",
+ "requirement": "recommended",
+ "type": "path_t"
+ },
+ "port": {
+ "caption": "Port",
+ "description": "The URL port. For example: 80
.",
+ "observable": 11,
+ "requirement": "recommended",
+ "type": "port_t"
+ },
+ "query_string": {
+ "caption": "HTTP Query String",
+ "description": "The query portion of the URL. For example: the query portion of the URL http://www.example.com/search?q=bad&sort=date
is q=bad&sort=date
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "reputation": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Reputation Scores",
+ "description": "Contains the original and normalized reputation scores.",
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "resource_type": {
+ "caption": "Resource Type",
+ "description": "The context in which a resource was retrieved in a web request.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "scheme": {
+ "caption": "Scheme",
+ "description": "The scheme portion of the URL. For example: http
, https
, ftp
, or sftp
.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "subdomain": {
+ "caption": "Subdomain",
+ "description": "The subdomain portion of the URL. For example: sub
in https://sub.example.com
or sub2.sub1
in https://sub2.sub1.example.com
.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "text": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "URL Text",
+ "description": "The URL. For example: http://www.example.com/download/trouble.exe
.",
+ "observable": 6,
+ "requirement": "required",
+ "type": "url_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url_string": {
+ "caption": "URL String",
+ "description": "The URL string. See RFC 1738. For example: http://www.example.com/download/trouble.exe
. Note: The URL path should not populate the URL string.",
+ "observable": 6,
+ "requirement": "recommended",
+ "type": "url_t"
+ }
+ },
+ "caption": "Uniform Resource Locator",
+ "constraints": {
+ "at_least_one": [
+ "url_string",
+ "path"
+ ]
+ },
+ "description": "The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL.",
+ "extends": "object",
+ "name": "url",
+ "observable": 23
+ },
+ "url_intelligence": {
+ "attributes": {
+ "category_ids": {
+ "caption": "Website Categorization IDs",
+ "description": "The Website categorization identifiers.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The Domain/URL category is unknown."
+ },
+ "1": {
+ "caption": "Adult/Mature Content"
+ },
+ "101": {
+ "caption": "Spam"
+ },
+ "102": {
+ "caption": "Potentially Unwanted Software"
+ },
+ "103": {
+ "caption": "Dynamic DNS Host"
+ },
+ "106": {
+ "caption": "E-Card/Invitations"
+ },
+ "107": {
+ "caption": "Informational"
+ },
+ "108": {
+ "caption": "Computer/Information Security"
+ },
+ "109": {
+ "caption": "Internet Connected Devices"
+ },
+ "11": {
+ "caption": "Gambling"
+ },
+ "110": {
+ "caption": "Internet Telephony"
+ },
+ "111": {
+ "caption": "Online Meetings"
+ },
+ "112": {
+ "caption": "Media Sharing"
+ },
+ "113": {
+ "caption": "Radio/Audio Streams"
+ },
+ "114": {
+ "caption": "TV/Video Streams"
+ },
+ "118": {
+ "caption": "Piracy/Copyright Concerns"
+ },
+ "121": {
+ "caption": "Marijuana"
+ },
+ "14": {
+ "caption": "Violence/Hate/Racism"
+ },
+ "15": {
+ "caption": "Weapons"
+ },
+ "16": {
+ "caption": "Abortion"
+ },
+ "17": {
+ "caption": "Hacking"
+ },
+ "18": {
+ "caption": "Phishing"
+ },
+ "20": {
+ "caption": "Entertainment"
+ },
+ "21": {
+ "caption": "Business/Economy"
+ },
+ "22": {
+ "caption": "Alternative Spirituality/Belief"
+ },
+ "23": {
+ "caption": "Alcohol"
+ },
+ "24": {
+ "caption": "Tobacco"
+ },
+ "25": {
+ "caption": "Controlled Substances"
+ },
+ "26": {
+ "caption": "Child Pornography"
+ },
+ "27": {
+ "caption": "Education"
+ },
+ "29": {
+ "caption": "Charitable Organizations"
+ },
+ "3": {
+ "caption": "Pornography"
+ },
+ "30": {
+ "caption": "Art/Culture"
+ },
+ "31": {
+ "caption": "Financial Services"
+ },
+ "32": {
+ "caption": "Brokerage/Trading"
+ },
+ "33": {
+ "caption": "Games"
+ },
+ "34": {
+ "caption": "Government/Legal"
+ },
+ "35": {
+ "caption": "Military"
+ },
+ "36": {
+ "caption": "Political/Social Advocacy"
+ },
+ "37": {
+ "caption": "Health"
+ },
+ "38": {
+ "caption": "Technology/Internet"
+ },
+ "4": {
+ "caption": "Sex Education"
+ },
+ "40": {
+ "caption": "Search Engines/Portals"
+ },
+ "43": {
+ "caption": "Malicious Sources/Malnets"
+ },
+ "44": {
+ "caption": "Malicious Outbound Data/Botnets"
+ },
+ "45": {
+ "caption": "Job Search/Careers"
+ },
+ "46": {
+ "caption": "News/Media"
+ },
+ "47": {
+ "caption": "Personals/Dating"
+ },
+ "49": {
+ "caption": "Reference"
+ },
+ "5": {
+ "caption": "Intimate Apparel/Swimsuit"
+ },
+ "50": {
+ "caption": "Mixed Content/Potentially Adult"
+ },
+ "51": {
+ "caption": "Chat (IM)/SMS"
+ },
+ "52": {
+ "caption": "Email"
+ },
+ "53": {
+ "caption": "Newsgroups/Forums"
+ },
+ "54": {
+ "caption": "Religion"
+ },
+ "55": {
+ "caption": "Social Networking"
+ },
+ "56": {
+ "caption": "File Storage/Sharing"
+ },
+ "57": {
+ "caption": "Remote Access Tools"
+ },
+ "58": {
+ "caption": "Shopping"
+ },
+ "59": {
+ "caption": "Auctions"
+ },
+ "6": {
+ "caption": "Nudity"
+ },
+ "60": {
+ "caption": "Real Estate"
+ },
+ "61": {
+ "caption": "Society/Daily Living"
+ },
+ "63": {
+ "caption": "Personal Sites"
+ },
+ "64": {
+ "caption": "Restaurants/Dining/Food"
+ },
+ "65": {
+ "caption": "Sports/Recreation"
+ },
+ "66": {
+ "caption": "Travel"
+ },
+ "67": {
+ "caption": "Vehicles"
+ },
+ "68": {
+ "caption": "Humor/Jokes"
+ },
+ "7": {
+ "caption": "Extreme"
+ },
+ "71": {
+ "caption": "Software Downloads"
+ },
+ "83": {
+ "caption": "Peer-to-Peer (P2P)"
+ },
+ "84": {
+ "caption": "Audio/Video Clips"
+ },
+ "85": {
+ "caption": "Office/Business Applications"
+ },
+ "86": {
+ "caption": "Proxy Avoidance"
+ },
+ "87": {
+ "caption": "For Kids"
+ },
+ "88": {
+ "caption": "Web Ads/Analytics"
+ },
+ "89": {
+ "caption": "Web Hosting"
+ },
+ "9": {
+ "caption": "Scam/Questionable/Illegal"
+ },
+ "90": {
+ "caption": "Uncategorized"
+ },
+ "92": {
+ "caption": "Suspicious"
+ },
+ "93": {
+ "caption": "Sexual Expression"
+ },
+ "95": {
+ "caption": "Translation"
+ },
+ "96": {
+ "caption": "Non-Viewable/Infrastructure"
+ },
+ "97": {
+ "caption": "Content Servers"
+ },
+ "98": {
+ "caption": "Placeholders"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The Domain/URL category is not mapped. See the categories
attribute, which contains a data source specific value."
+ }
+ },
+ "is_array": true,
+ "requirement": "optional",
+ "sibling": "categories",
+ "type": "integer_t"
+ },
+ "details": {
+ "caption": "Details",
+ "description": "Details about the IP address.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "findings": {
+ "caption": "Findings",
+ "description": "The findings from threat intelligence platforms",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "finding"
+ },
+ "first_seen_time": {
+ "caption": "First Seen",
+ "description": "The initial detection time of the activity or object. See specific usage",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The labels or tags in the intelligence.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "last_seen_time": {
+ "caption": "Last Seen",
+ "description": "The most recent detection time of the activity or object. See specific usage.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "Additional references for more information.",
+ "description": "A list of reference URLs supporting the finding/detection.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "reputations": {
+ "caption": "Reputations",
+ "description": "Reputation score as reported by provider",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "reputation"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url": {
+ "caption": "URL",
+ "description": "The URL the intelligence applies to.",
+ "observable": 23,
+ "requirement": "optional",
+ "type": "url"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The vendor that provided the intelligence.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "URL Threat Intelligence",
+ "description": "Insights from threat intelligence platforms about URLs",
+ "extends": "_base_threat_intelligence",
+ "extension": "query",
+ "name": "url_intelligence"
+ },
+ "user": {
+ "attributes": {
+ "account": {
+ "caption": "Account",
+ "description": "The user's account or the account associated with the user.",
+ "requirement": "optional",
+ "type": "account"
+ },
+ "account_type": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Account Type",
+ "description": "The user account type, as defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "account_type_id": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Account Type ID",
+ "description": "The normalized user account type identifier.",
+ "enum": {
+ "-1": {
+ "caption": "Other",
+ "description": "The user account type is not mapped."
+ },
+ "0": {
+ "caption": "Unknown",
+ "description": "The user account type is unknown."
+ },
+ "1": {
+ "caption": "LDAP Account"
+ },
+ "2": {
+ "caption": "Windows Account"
+ },
+ "3": {
+ "caption": "AWS IAM Account"
+ },
+ "4": {
+ "caption": "GCP Account"
+ },
+ "5": {
+ "caption": "Azure AD Account"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "account_type",
+ "type": "integer_t"
+ },
+ "account_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Account UID",
+ "description": "The unique identifier of the account(e.g. AWS Account ID).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "credential_uid": {
+ "caption": "User Credential ID",
+ "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "devices": {
+ "caption": "Devices",
+ "description": "The devices related to user.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "device"
+ },
+ "domain": {
+ "caption": "Domain",
+ "description": "The domain where the user is defined. For example: the LDAP or Active Directory domain.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "email_addr": {
+ "caption": "Email Address",
+ "description": "The user's primary email address.",
+ "observable": 5,
+ "requirement": "optional",
+ "type": "email_t"
+ },
+ "full_name": {
+ "caption": "Full Name",
+ "description": "The full name of the person, as per the LDAP Common Name attribute (cn).",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "groups": {
+ "caption": "Groups",
+ "description": "The administrative groups to which the user belongs.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "group"
+ },
+ "last_login_time": {
+ "caption": "Last Login",
+ "description": "The last time when the user logged in.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "ldap_person": {
+ "caption": "LDAP Person",
+ "description": "The additional LDAP attributes that describe a person.",
+ "requirement": "optional",
+ "type": "ldap_person"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The username. For example, janedoe1
.",
+ "name": "username_t",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "org": {
+ "caption": "Organization",
+ "description": "Organization and org unit related to the user.",
+ "requirement": "optional",
+ "type": "organization"
+ },
+ "org_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Org ID",
+ "description": "The unique identifier of the organization to which the user belongs. For example, Active Directory or AWS Org ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "risk_level": {
+ "caption": "Risk Level",
+ "description": "The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "risk_level_id": {
+ "caption": "Risk Level ID",
+ "description": "The normalized risk level id.",
+ "enum": {
+ "0": {
+ "caption": "Info"
+ },
+ "1": {
+ "caption": "Low"
+ },
+ "2": {
+ "caption": "Medium"
+ },
+ "3": {
+ "caption": "High"
+ },
+ "4": {
+ "caption": "Critical"
+ }
+ },
+ "requirement": "optional",
+ "sibling": "risk_level",
+ "type": "integer_t"
+ },
+ "risk_score": {
+ "caption": "Risk Score",
+ "description": "The risk score as reported by the event source.",
+ "requirement": "optional",
+ "type": "integer_t"
+ },
+ "session_uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Session UID",
+ "description": "The unique ID of the user session, as reported by the OS.
Examples: - *nix: Aug 10 17:31:16 ip-192-168-1-1 systemd[1]: Started Session 222 of User ubuntu.
- session_uid == 222
- Windows: Logon ID: 0xd22e9734
- session_uid == 0xd22e9734
",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "session_uuid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Session UUID",
+ "description": "The universally unique ID of the user session, as reported by the OS. For example, in Windows this is the Login GUID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of the user. For example, System, AWS IAM User, etc.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "default": 0,
+ "description": "The account type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is unknown."
+ },
+ "1": {
+ "caption": "User",
+ "description": "Regular user account."
+ },
+ "2": {
+ "caption": "Admin",
+ "description": "Admin/root user account."
+ },
+ "3": {
+ "caption": "System",
+ "description": "System account. For example, Windows computer accounts with a trailing dollar sign ($)."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The type is not mapped. See the type
attribute, which contains a data source specific value."
+ }
+ },
+ "name": "integer_t",
+ "requirement": "recommended",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "uid_alt": {
+ "caption": "Alternate ID",
+ "description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "uuid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Unique User ID",
+ "description": "The universally unique identifier of the user. For example, AWS ARN or Windows user GUID.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "User",
+ "constraints": {
+ "at_least_one": [
+ "account",
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The user object describes the identity of a user.",
+ "extends": null,
+ "name": "user",
+ "observable": 21
+ },
+ "vulnerability": {
+ "attributes": {
+ "affected_code": {
+ "caption": "Affected Code",
+ "description": "List of Affected Code objects that describe details about code blocks identified as vulnerable.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "affected_code"
+ },
+ "affected_packages": {
+ "caption": "Affected Software Packages",
+ "description": "List of software packages identified as affected by a vulnerability/vulnerabilities.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "affected_package"
+ },
+ "cve": {
+ "caption": "CVE",
+ "description": "The Common Vulnerabilities and Exposures (CVE).",
+ "requirement": "recommended",
+ "type": "cve"
+ },
+ "cvss": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "CVSS Scores",
+ "description": "The CVSS object details Common Vulnerability Scoring System (CVSS) scores from the advisory that are related to the vulnerability.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "cvss"
+ },
+ "cwe": {
+ "caption": "CWE",
+ "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.",
+ "requirement": "recommended",
+ "type": "cwe"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the vulnerability.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "first_seen_time": {
+ "caption": "First Seen",
+ "description": "The time when the vulnerability was first observed.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "fix_available": {
+ "@deprecated": {
+ "message": "Use the is_fix_available
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Fix Availability",
+ "description": "Indicates if a fix is available for the reported vulnerability.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_exploit_available": {
+ "caption": "Exploit Availability",
+ "description": "Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "is_fix_available": {
+ "caption": "Fix Availability",
+ "description": "Indicates if a fix is available for the reported vulnerability.",
+ "requirement": "optional",
+ "type": "boolean_t"
+ },
+ "kb_article_list": {
+ "caption": "Knowledgebase Articles",
+ "description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "kb_article"
+ },
+ "kb_articles": {
+ "@deprecated": {
+ "message": "Use the kb_article_list
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Knowledgebase Articles",
+ "description": "The KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "last_seen_time": {
+ "caption": "Last Seen",
+ "description": "The time when the vulnerability was most recently observed.",
+ "requirement": "optional",
+ "type": "timestamp_t"
+ },
+ "packages": {
+ "@deprecated": {
+ "message": "Use the affected_packages
attribute instead.",
+ "since": "1.1.0"
+ },
+ "caption": "Software Packages",
+ "description": "List of vulnerable packages as identified by the security product",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "references": {
+ "caption": "References",
+ "description": "A list of reference URLs with additional information about the vulnerability.",
+ "is_array": true,
+ "requirement": "recommended",
+ "type": "string_t"
+ },
+ "related_vulnerabilities": {
+ "caption": "Related Vulnerabilities",
+ "description": "List of vulnerabilities that are related to this vulnerability.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "remediation": {
+ "caption": "Remediation Guidance",
+ "description": "The remediation recommendations on how to mitigate the identified vulnerability.",
+ "requirement": "optional",
+ "type": "remediation"
+ },
+ "severity": {
+ "caption": "Severity",
+ "description": "The vendor assigned severity of the vulnerability.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "title": {
+ "caption": "Title",
+ "description": "A title or a brief phrase summarizing the discovered vulnerability.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Unique ID",
+ "description": "The vulnerability unique identifier.",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "vendor_name": {
+ "caption": "Vendor Name",
+ "description": "The name of the vendor that identified the vulnerability.",
+ "requirement": "optional",
+ "type": "string_t"
+ }
+ },
+ "caption": "Vulnerability Details",
+ "constraints": {
+ "at_least_one": [
+ "cve",
+ "cwe"
+ ]
+ },
+ "description": "The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.",
+ "extends": "object",
+ "name": "vulnerability"
+ },
+ "web_resource": {
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "Details of the web resource, e.g, file
details, search
results or application-defined resource.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "Description of the web resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels/tags associated to a resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the web resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The web resource type as defined by the event source.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier of the web resource.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ },
+ "url_string": {
+ "caption": "URL String",
+ "description": "The URL pointing towards the source of the web resource.",
+ "observable": 6,
+ "requirement": "recommended",
+ "type": "url_t"
+ }
+ },
+ "caption": "Web Resource",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Web Resource object describes characteristics of a web resource that was affected by the activity/event.",
+ "extends": "_resource",
+ "name": "web_resource",
+ "profiles": [
+ "data_classification"
+ ]
+ },
+ "win_resource": {
+ "attributes": {
+ "data": {
+ "caption": "Data",
+ "description": "Additional data describing the resource.",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "data_classification": {
+ "caption": "Data Classification",
+ "description": "The Data Classification object includes information about data classification levels and data category types.",
+ "group": "context",
+ "requirement": "recommended",
+ "type": "data_classification"
+ },
+ "details": {
+ "caption": "Details",
+ "description": "The string detailing the attributes of the resource object.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "labels": {
+ "caption": "Labels",
+ "description": "The list of labels/tags associated to a resource.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "name": {
+ "caption": "Name",
+ "description": "The name of the resource object.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "raw_data": {
+ "caption": "Raw Data",
+ "description": "The event data as received from the event source.",
+ "group": "context",
+ "requirement": "optional",
+ "type": "json_t"
+ },
+ "record_id": {
+ "caption": "Record ID",
+ "description": "Unique identifier for the object",
+ "group": "primary",
+ "requirement": "required",
+ "type": "string_t"
+ },
+ "svc_name": {
+ "caption": "Service Name",
+ "description": "The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type": {
+ "caption": "Type",
+ "description": "The type of the Windows resource object.",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The normalized type identifier of the Windows resource object accessed.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The resource object type is unknown."
+ },
+ "1": {
+ "caption": "Directory"
+ },
+ "10": {
+ "caption": "Section"
+ },
+ "11": {
+ "caption": "WindowStation"
+ },
+ "12": {
+ "caption": "DebugObject"
+ },
+ "13": {
+ "caption": "FilterCommunicationPort"
+ },
+ "14": {
+ "caption": "EventPair"
+ },
+ "15": {
+ "caption": "Driver"
+ },
+ "16": {
+ "caption": "IoCompletion"
+ },
+ "17": {
+ "caption": "Controller"
+ },
+ "18": {
+ "caption": "SymbolicLink"
+ },
+ "19": {
+ "caption": "WmiGuid"
+ },
+ "2": {
+ "caption": "Event"
+ },
+ "20": {
+ "caption": "Process"
+ },
+ "21": {
+ "caption": "Profile"
+ },
+ "22": {
+ "caption": "Desktop"
+ },
+ "23": {
+ "caption": "KeyedEvent"
+ },
+ "24": {
+ "caption": "Adapter"
+ },
+ "25": {
+ "caption": "Key"
+ },
+ "26": {
+ "caption": "WaitablePort"
+ },
+ "27": {
+ "caption": "Callback"
+ },
+ "28": {
+ "caption": "Semaphore"
+ },
+ "29": {
+ "caption": "Job"
+ },
+ "3": {
+ "caption": "Timer"
+ },
+ "30": {
+ "caption": "Port"
+ },
+ "31": {
+ "caption": "FilterConnectionPort"
+ },
+ "32": {
+ "caption": "ALPC Port"
+ },
+ "33": {
+ "caption": "SAM_ALIAS"
+ },
+ "34": {
+ "caption": "SAM_GROUP"
+ },
+ "35": {
+ "caption": "SAM_USER"
+ },
+ "36": {
+ "caption": "SAM_DOMAIN"
+ },
+ "37": {
+ "caption": "SAM_SERVER"
+ },
+ "4": {
+ "caption": "Device"
+ },
+ "5": {
+ "caption": "Mutant"
+ },
+ "6": {
+ "caption": "Type"
+ },
+ "7": {
+ "caption": "File"
+ },
+ "8": {
+ "caption": "Token"
+ },
+ "9": {
+ "caption": "Thread"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The resource object type is not mapped. See the type
attribute, which may contain a data source specific value."
+ }
+ },
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The Windows provided handle identifier for the resource object",
+ "requirement": "optional",
+ "type": "string_t"
+ },
+ "unmapped": {
+ "caption": "Unmapped Data",
+ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
+ "is_array": true,
+ "requirement": "optional",
+ "type": "unmapped"
+ }
+ },
+ "caption": "Windows Resource",
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid"
+ ]
+ },
+ "description": "The Windows resource object describes a resource object managed by Windows, such as mutant or timer.",
+ "extends": "_resource",
+ "extension": "windows",
+ "name": "win_resource",
+ "profiles": [
+ "data_classification"
+ ]
+ }
+ },
+ "types": {
+ "boolean_t": {
+ "caption": "Boolean",
+ "description": "Boolean value. One of true
or false
.",
+ "values": [
+ false,
+ true
+ ]
+ },
+ "bytestring_t": {
+ "caption": "Byte String",
+ "description": "Base64 encoded immutable byte sequence.",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "datetime_t": {
+ "caption": "Datetime",
+ "description": "The Internet Date/Time format as defined in RFC-3339. For example 1985-04-12T23:20:50.52Z
.",
+ "regex": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(Z|[\\+-]\\d{2}:\\d{2})?$",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "email_t": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0",
+ "since": "1.2.0"
+ },
+ "caption": "Email Address",
+ "description": "Email address. For example: john_doe@example.com
.",
+ "observable": 5,
+ "regex": "^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "file_hash_t": {
+ "caption": "Hash",
+ "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628
.",
+ "max_len": 64,
+ "observable": 8,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "file_name_t": {
+ "caption": "File Name",
+ "description": "File name. For example: text-file.txt
.",
+ "observable": 7,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "float_t": {
+ "caption": "Float",
+ "description": "Real floating-point value. For example: 3.14
."
+ },
+ "hostname_t": {
+ "caption": "Hostname",
+ "description": "Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com
.",
+ "observable": 1,
+ "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "integer_t": {
+ "caption": "Integer",
+ "description": "Signed integer value."
+ },
+ "ip_t": {
+ "caption": "IP Address",
+ "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24
or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
.",
+ "max_len": 40,
+ "observable": 2,
+ "regex": "((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "json_t": {
+ "caption": "JSON",
+ "description": "Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See www.json.org."
+ },
+ "long_t": {
+ "caption": "Long",
+ "description": "8-byte long, signed integer value."
+ },
+ "mac_t": {
+ "caption": "MAC Address",
+ "description": "Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
.",
+ "max_len": 32,
+ "observable": 3,
+ "regex": "^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "object_t": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Object",
+ "description": "Object is an unordered set of name/value pairs. For example: {ip: 92.24.47.250, type: IP Address}
"
+ },
+ "path_t": {
+ "@deprecated": {
+ "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0",
+ "since": "1.1.0"
+ },
+ "caption": "Path Name",
+ "description": "File or folder full path name. For example: /home/user/tmp/text-file.txt
.",
+ "regex": "^[\\pL0-9_]+[\\pL0-9 ~!@#%&*\\-./_]*$",
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "port_t": {
+ "caption": "Port",
+ "description": "The TCP/UDP port number. For example: 80
or 22
.",
+ "observable": 11,
+ "range": [
+ 0,
+ 65535
+ ],
+ "type": "integer_t",
+ "type_name": "Integer"
+ },
+ "process_name_t": {
+ "caption": "Process Name",
+ "description": "Process name. For example: Notepad
.",
+ "observable": 9,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "resource_uid_t": {
+ "caption": "Resource UID",
+ "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.",
+ "max_len": 64,
+ "observable": 10,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "string_t": {
+ "caption": "String",
+ "description": "UTF-8 encoded byte sequence.",
+ "max_len": 65535
+ },
+ "subnet_t": {
+ "caption": "Subnet",
+ "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example:- 192.168.1.0/24
- 2001:0db8:85a3:0000::/64
",
+ "max_len": 42,
+ "observable": 12,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "timestamp_t": {
+ "caption": "Timestamp",
+ "description": "The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901
.",
+ "type": "long_t",
+ "type_name": "Long"
+ },
+ "url_t": {
+ "caption": "URL String",
+ "description": "Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe
.",
+ "observable": 6,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "username_t": {
+ "caption": "User Name",
+ "description": "User name. For example: john_doe
.",
+ "observable": 4,
+ "type": "string_t",
+ "type_name": "String"
+ },
+ "uuid_t": {
+ "caption": "UUID",
+ "description": "128-bit universal unique identifier. For example: 123e4567-e89b-12d3-a456-42661417400
.",
+ "regex": "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}",
+ "type": "string_t",
+ "type_name": "String"
+ }
+ },
+ "version": "1.2.0"
+}
diff --git a/export/schema.json b/export/schema.json
index 093ad8802..2c05008ef 100644
--- a/export/schema.json
+++ b/export/schema.json
@@ -755,6 +755,7 @@
"caption": "User",
"description": "The user that was a target of an activity.",
"group": "primary",
+ "observable": 21,
"requirement": "required",
"type": "user"
},
@@ -762,6 +763,7 @@
"caption": "User Result",
"description": "The result of the user account change. It should contain the new values of the changed attributes.",
"group": "primary",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
}
@@ -2150,6 +2152,7 @@
"caption": "Logon Process",
"description": "The trusted process that validated the authentication credentials.",
"group": "context",
+ "observable": 25,
"requirement": "optional",
"type": "process"
},
@@ -2446,6 +2449,7 @@
"caption": "User",
"description": "The subject (user/role or account) to authenticate.",
"group": "primary",
+ "observable": 21,
"requirement": "required",
"type": "user"
}
@@ -2849,6 +2853,7 @@
"caption": "User",
"description": "The user to which new privileges were assigned.",
"group": "primary",
+ "observable": 21,
"requirement": "required",
"type": "user"
}
@@ -4370,6 +4375,7 @@
"caption": "File",
"description": "Describes a file that contains classified or sensitive data.",
"group": "context",
+ "observable": 24,
"requirement": "recommended",
"type": "file"
},
@@ -9165,6 +9171,7 @@
"caption": "Email",
"description": "The email object.",
"group": "primary",
+ "observable": 22,
"requirement": "required",
"type": "email"
},
@@ -9706,6 +9713,7 @@
"caption": "Email",
"description": "The email object.",
"group": "primary",
+ "observable": 22,
"requirement": "required",
"type": "email"
},
@@ -9749,6 +9757,7 @@
"caption": "File",
"description": "The email file attachment.",
"group": "primary",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -9796,6 +9805,7 @@
"caption": "Sender Host Name",
"description": "The host name of the receiving email server.",
"group": "context",
+ "observable": 1,
"requirement": "optional",
"type": "hostname_t"
},
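Review bot: The caption and description on this hunk's context lines contradict each other: `"caption": "Sender Host Name"` sits above `The host name of the receiving email server.`, and the IP attribute in the next hunk (@@ -9807) has the same mismatch between `Sender IP Address` and `receiving email server`. The parallel pair at @@ -9825 and @@ -9836 uses identical captions for the sending server, so the receiving-side captions look like copy-paste leftovers, though the attribute keys sit outside the hunks and which side is authoritative cannot be confirmed from here. Because these attributes now also carry observable ids 1 and 2, a mislabelled caption is what consumers will see wherever observables are listed; if the descriptions are the correct side, the captions should read something like `"caption": "Recipient Host Name"` and `"caption": "Recipient IP Address"`.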
@@ -9807,6 +9817,7 @@
"caption": "Sender IP Address",
"description": "The IP address of the receiving email server, in either IPv4 or IPv6 format.",
"group": "context",
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
},
@@ -9825,6 +9836,7 @@
"caption": "Sender Host Name",
"description": "The host name of the sending email server.",
"group": "context",
+ "observable": 1,
"requirement": "optional",
"type": "hostname_t"
},
@@ -9836,6 +9848,7 @@
"caption": "Sender IP Address",
"description": "The IP address of the sending email server, in either IPv4 or IPv6 format.",
"group": "context",
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
},
@@ -9993,6 +10006,7 @@
"caption": "URL",
"description": "The URL included in the email content.",
"group": "primary",
+ "observable": 23,
"requirement": "required",
"type": "url"
}
@@ -10364,6 +10378,7 @@
"caption": "File",
"description": "The email file attachment.",
"group": "primary",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -11132,6 +11147,7 @@
"caption": "URL",
"description": "The URL included in the email content.",
"group": "primary",
+ "observable": 23,
"requirement": "required",
"type": "url"
}
@@ -11943,6 +11959,7 @@
"caption": "File",
"description": "The file that is the target of the activity.",
"group": "primary",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -11957,6 +11974,7 @@
"caption": "File Result",
"description": "The resulting file object when the activity was allowed and successful.",
"group": "primary",
+ "observable": 24,
"requirement": "recommended",
"type": "file"
},
@@ -12438,6 +12456,7 @@
"caption": "File",
"description": "The file that is the target of the activity.",
"group": "primary",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -13455,6 +13474,7 @@
"caption": "File",
"description": "The file that is the target of the FTP activity.",
"group": "context",
+ "observable": 24,
"requirement": "optional",
"type": "file"
},
@@ -13510,6 +13530,7 @@
"caption": "Port",
"description": "The dynamic port established for impending data transfers.",
"group": "primary",
+ "observable": 11,
"requirement": "recommended",
"type": "port_t"
},
@@ -14171,6 +14192,7 @@
"caption": "User",
"description": "A user that was added to or removed from the group.",
"group": "primary",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
}
@@ -14561,6 +14583,7 @@
"caption": "File",
"description": "The file that is the target of the HTTP activity.",
"group": "context",
+ "observable": 24,
"requirement": "optional",
"type": "file"
},
@@ -15276,6 +15299,7 @@
"caption": "Assignee",
"description": "The details of the user assigned to an Incident.",
"group": "context",
+ "observable": 21,
"requirement": "optional",
"type": "user"
},
@@ -15623,6 +15647,7 @@
"caption": "Source URL",
"description": "A Url link used to access the original incident.",
"group": "primary",
+ "observable": 6,
"requirement": "recommended",
"type": "url_t"
},
@@ -17693,6 +17718,7 @@
"caption": "Process",
"description": "The process that had memory allocated, read/written, or had other manipulation activities performed on it.",
"group": "primary",
+ "observable": 25,
"requirement": "required",
"type": "process"
},
@@ -19691,6 +19717,7 @@
"caption": "URL",
"description": "The URL details relevant to the network traffic.",
"group": "primary",
+ "observable": 23,
"requirement": "recommended",
"type": "url"
}
@@ -20122,6 +20149,7 @@
"caption": "File",
"description": "The file that is the target of the activity.",
"group": "primary",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -22883,6 +22911,7 @@
"caption": "Process",
"description": "The process that was launched, injected into, opened, or terminated.",
"group": "primary",
+ "observable": 25,
"requirement": "required",
"type": "process"
},
@@ -23452,6 +23481,7 @@
"caption": "File",
"description": "The file that is the target of the RDP activity.",
"group": "context",
+ "observable": 24,
"requirement": "optional",
"type": "file"
},
@@ -24195,6 +24225,7 @@
"caption": "Previous Registry Key",
"description": "The registry key before the mutation",
"group": "primary",
+ "observable": 28,
"requirement": "recommended",
"type": "reg_key"
},
@@ -24671,6 +24702,7 @@
"caption": "Registry Key",
"description": "The registry key that pertains to the event.",
"group": "primary",
+ "observable": 28,
"requirement": "required",
"type": "reg_key"
},
@@ -25226,6 +25258,7 @@
"prev_reg_value": {
"caption": "Previous Registry Value",
"description": "The registry value before the mutation",
+ "observable": 29,
"requirement": "optional",
"type": "reg_value"
},
@@ -25685,6 +25718,7 @@
"caption": "Registry Value",
"description": "The registry value that pertains to the event.",
"group": "primary",
+ "observable": 29,
"requirement": "required",
"type": "reg_value"
},
@@ -27888,6 +27922,7 @@
"caption": "Process",
"description": "The process object.",
"group": "context",
+ "observable": 25,
"requirement": "optional",
"type": "process"
},
@@ -28995,6 +29030,7 @@
"caption": "File",
"description": "The file that is the target of the SMB activity.",
"group": "primary",
+ "observable": 24,
"requirement": "recommended",
"type": "file"
},
@@ -29774,6 +29810,7 @@
"caption": "File",
"description": "The file that is the target of the SSH activity.",
"group": "context",
+ "observable": 24,
"requirement": "optional",
"type": "file"
},
@@ -31285,6 +31322,7 @@
"caption": "User",
"description": "The user associated with the tunnel activity.",
"group": "primary",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
}
@@ -31673,6 +31711,7 @@
"caption": "User",
"description": "User to which privileges were assigned.",
"group": "primary",
+ "observable": 21,
"requirement": "required",
"type": "user"
}
@@ -32036,6 +32075,7 @@
"caption": "User",
"description": "The user that is being discovered by an inventory process.",
"group": "primary",
+ "observable": 21,
"requirement": "required",
"type": "user"
}
@@ -32478,6 +32518,7 @@
"caption": "User",
"description": "The user that pertains to the event or object.",
"group": "primary",
+ "observable": 21,
"requirement": "required",
"type": "user"
}
@@ -34408,6 +34449,7 @@
"process": {
"caption": "Process",
"description": "The process that initiated the activity.",
+ "observable": 25,
"requirement": "recommended",
"type": "process"
},
@@ -34441,6 +34483,7 @@
"user": {
"caption": "User",
"description": "The user that initiated the activity or the user context from which the activity was initiated.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
}
@@ -34471,12 +34514,14 @@
"file": {
"caption": "File",
"description": "Details about the file that contains the affected code block.",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
"owner": {
"caption": "Owner",
"description": "Details about the user that owns the affected file.",
+ "observable": 21,
"requirement": "optional",
"type": "user"
},
@@ -35033,6 +35078,7 @@
"caption": "Email Address",
"description": "The email address used in an email-based authentication factor.",
"group": "context",
+ "observable": 5,
"requirement": "optional",
"type": "email_t"
},
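Review bot: Observable 5 is added here to an attribute typed `email_t`, yet the `email_t` type definition earlier in this diff is marked `@deprecated` with `"since": "1.2.0"` and names no replacement; assuming schema.json's types section matches that export, the commit is tagging the scalar observable onto attributes whose type is being retired. The same applies to the `email_t` attributes at @@ -38785, -38798, -38850, -38889, -38907, -38924, -38937 and -41676. If the deprecation is meant to steer producers toward the `email` object (observable 22), these tags entrench the old type; if the attributes are staying on `email_t`, the deprecation message should presumably say what producers are expected to use instead, e.g. `"message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0; use <replacement type or object> instead"` with the replacement filled in by the schema owners.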
@@ -35284,6 +35330,7 @@
},
"caption": "Fingerprint",
"description": "The fingerprint of the certificate.",
+ "observable": 30,
"requirement": "required",
"type": "fingerprint"
},
@@ -35291,6 +35338,7 @@
"caption": "Fingerprints",
"description": "The fingerprint list of the certificate.",
"is_array": true,
+ "observable": 30,
"requirement": "required",
"type": "fingerprint"
},
@@ -35679,6 +35727,7 @@
},
"caption": "Resource ID",
"description": "The unique identifier of a cloud resource. For example, S3 Bucket name, EC2 Instance Id.",
+ "observable": 10,
"requirement": "optional",
"type": "resource_uid_t"
},
@@ -35806,6 +35855,7 @@
},
"caption": "Port",
"description": "The port exposed by container to allow access of run application remotely.",
+ "observable": 11,
"requirement": "optional",
"type": "port_t"
},
@@ -35816,12 +35866,14 @@
},
"caption": "Fingerprint",
"description": "The SHA256 hash of the container.",
+ "observable": 30,
"requirement": "recommemded",
"type": "fingerprint"
},
"hash": {
"caption": "Hash",
"description": "Commit hash of image created for docker or the SHA256 hash of the container. For example: 13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de
.",
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
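Review bot: `"requirement": "recommemded"` on the `fingerprint` attribute in this hunk is a misspelled requirement level that the commit leaves in place; a consumer that switches on `required`/`recommended`/`optional` will treat the attribute as having an unknown level rather than as recommended. Change it to `"requirement": "recommended",`. Separately, `fingerprint` (`The SHA256 hash of the container`) and the sibling `hash` (`... or the SHA256 hash of the container`) now both carry observable 30 while describing overlapping content, so a producer that populates both would presumably emit two observables for one value; if that is not intended, the descriptions should say which attribute is preferred for the container hash.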
@@ -35951,6 +36003,7 @@
},
"caption": "CWE URL",
"description": "Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html
.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -36955,6 +37008,7 @@
"src_url": {
"caption": "Source URL",
"description": "URL pointing to the CWE Specification. For more information see CWE.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -37560,6 +37614,7 @@
"file": {
"caption": "File",
"description": "A file within a databucket.",
+ "observable": 24,
"requirement": "optional",
"type": "file"
},
@@ -37752,6 +37807,7 @@
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
"group": "context",
+ "observable": 27,
"requirement": "recommended",
"type": "container"
},
@@ -37789,6 +37845,7 @@
"hostname": {
"caption": "Hostname",
"description": "The device hostname.",
+ "observable": 1,
"requirement": "recommended",
"type": "hostname_t"
},
@@ -37837,6 +37894,7 @@
"ip": {
"caption": "IP Address",
"description": "The device IP address, in either IPv4 or IPv6 format.",
+ "observable": 2,
"requirement": "recommended",
"type": "ip_t"
},
@@ -37873,12 +37931,14 @@
"location": {
"caption": "Geo Location",
"description": "The geographical location of the device.",
+ "observable": 26,
"requirement": "optional",
"type": "location"
},
"mac": {
"caption": "MAC Address",
"description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
"requirement": "optional",
"type": "mac_t"
},
@@ -37933,6 +37993,7 @@
"owner": {
"caption": "Owner",
"description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
},
@@ -38005,6 +38066,7 @@
"subnet": {
"caption": "Subnet",
"description": "The subnet mask.",
+ "observable": 12,
"requirement": "optional",
"type": "subnet_t"
},
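Review bot: The context line `"description": "The subnet mask."` does not match the attribute's type: `subnet_t` is defined earlier in this diff as CIDR notation (`network_address/prefix_length`, max_len 42), so a dotted mask string is not what the type expects, and the new `"observable": 12` tag will index whatever producers put here as a subnet observable. The same description appears on the `subnet` attribute at @@ -41162. Suggest `"description": "The subnet in CIDR notation (network_address/prefix_length)."` on both, matching the type definition.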
@@ -38318,6 +38380,7 @@
"digest": {
"caption": "Message Digest",
"description": "The message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.",
+ "observable": 30,
"requirement": "optional",
"type": "fingerprint"
},
@@ -38329,6 +38392,7 @@
"caption": "Fingerprints",
"description": "An array of digital fingerprint objects.",
"is_array": true,
+ "observable": 30,
"requirement": "optional",
"type": "fingerprint"
},
@@ -38550,6 +38614,7 @@
"hostname": {
"caption": "Hostname",
"description": "The hostname or domain being queried. For example: www.example.com
",
+ "observable": 1,
"requirement": "required",
"type": "hostname_t"
},
@@ -38785,6 +38850,7 @@
"caption": "Cc",
"description": "The email header Cc values, as defined by RFC 5322.",
"is_array": true,
+ "observable": 5,
"requirement": "optional",
"type": "email_t"
},
@@ -38798,6 +38864,7 @@
"delivered_to": {
"caption": "Delivered To",
"description": "The Delivered-To email header field.",
+ "observable": 5,
"requirement": "optional",
"type": "email_t"
},
@@ -38850,6 +38917,7 @@
"from": {
"caption": "From",
"description": "The email header From values, as defined by RFC 5322.",
+ "observable": 5,
"requirement": "required",
"type": "email_t"
},
@@ -38876,6 +38944,7 @@
"caption": "Recipient Users",
"description": "The users receiving the email",
"is_array": true,
+ "observable": 21,
"requirement": "optional",
"type": "user"
},
@@ -38889,12 +38958,14 @@
"reply_to": {
"caption": "Reply To",
"description": "The email header Reply-To values, as defined by RFC 5322.",
+ "observable": 5,
"requirement": "recommended",
"type": "email_t"
},
"sender_users": {
"caption": "Sender Users",
"description": "The user who sent the email",
+ "observable": 21,
"requirement": "optional",
"type": "user"
},
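Review bot: `sender_users` receives observable 21 here, but unlike `recipient_users` in the hunk just above (which has `"is_array": true`) it is declared as a single `user` object while the key is plural and its description reads `The user who sent the email`. Either the name or the cardinality is off; renaming a key is a breaking change for consumers, so if one sender is intended the mismatch should at least be called out in the description, and if several senders are possible `"is_array": true,` should be added as for `recipient_users`. The enclosing object starts outside the hunk, so I cannot see whether a singular sibling attribute already exists.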
@@ -38907,6 +38978,7 @@
"smtp_from": {
"caption": "SMTP From",
"description": "The value of the SMTP MAIL FROM command.",
+ "observable": 5,
"requirement": "recommended",
"type": "email_t"
},
@@ -38924,6 +38996,7 @@
"caption": "SMTP To",
"description": "The value of the SMTP envelope RCPT TO command.",
"is_array": true,
+ "observable": 5,
"requirement": "recommended",
"type": "email_t"
},
@@ -38937,6 +39010,7 @@
"caption": "To",
"description": "The email header To values, as defined by RFC 5322.",
"is_array": true,
+ "observable": 5,
"requirement": "required",
"type": "email_t"
},
@@ -38957,6 +39031,7 @@
"caption": "X-Originating-IP",
"description": "The X-Originating-IP header identifying the emails originating IP address(es).",
"is_array": true,
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
}
@@ -39064,6 +39139,7 @@
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
"group": "context",
+ "observable": 27,
"requirement": "recommended",
"type": "container"
},
@@ -39076,6 +39152,7 @@
"hostname": {
"caption": "Hostname",
"description": "The fully qualified name of the endpoint.",
+ "observable": 1,
"requirement": "recommended",
"type": "hostname_t"
},
@@ -39106,18 +39183,21 @@
"ip": {
"caption": "IP Address",
"description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
+ "observable": 2,
"requirement": "recommended",
"type": "ip_t"
},
"location": {
"caption": "Geo Location",
"description": "The geographical location of the endpoint.",
+ "observable": 26,
"requirement": "optional",
"type": "location"
},
"mac": {
"caption": "MAC Address",
"description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
"requirement": "optional",
"type": "mac_t"
},
@@ -39143,6 +39223,7 @@
"owner": {
"caption": "Owner",
"description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
},
@@ -39477,6 +39558,7 @@
"container": {
"caption": "Container",
"description": "Describes details about the container associated to the activity that triggered the detection.",
+ "observable": 27,
"requirement": "recommended",
"type": "container"
},
@@ -39507,12 +39589,14 @@
"file": {
"caption": "File",
"description": "Describes details about the file associated to the activity that triggered the detection.",
+ "observable": 24,
"requirement": "recommended",
"type": "file"
},
"process": {
"caption": "Process",
"description": "Describes details about the process associated to the activity that triggered the detection.",
+ "observable": 25,
"requirement": "recommended",
"type": "process"
},
@@ -39776,6 +39860,7 @@
"caption": "Fingerprints",
"description": "An array of digital fingerprint objects.",
"is_array": true,
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
@@ -39783,6 +39868,7 @@
"caption": "Hashes",
"description": "An array of hash attributes.",
"is_array": true,
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
@@ -39985,6 +40071,7 @@
"caption": "Fingerprints",
"description": "An array of known fingerprints for the file.",
"is_array": true,
+ "observable": 30,
"requirement": "optional",
"type": "fingerprint"
},
@@ -40276,6 +40363,7 @@
"src_url": {
"caption": "Source URL",
"description": "The URL pointing to the source of the finding.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -40589,6 +40677,7 @@
"fingerprint": {
"caption": "Fingerprint",
"description": "The hash of the key exchange, encryption, authentication and compression algorithms.",
+ "observable": 30,
"requirement": "required",
"type": "fingerprint"
},
@@ -40864,6 +40953,7 @@
"url": {
"caption": "URL",
"description": "The URL object that pertains to the request.",
+ "observable": 23,
"requirement": "recommended",
"type": "url"
},
@@ -40884,6 +40974,7 @@
"caption": "X-Forwarded-For",
"description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
"is_array": true,
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
}
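Review bot: Tagging `x_forwarded_for` with `"observable": 2` promotes header-supplied addresses to first-class IP observables, but nothing in the description says these values are set by the client or by intermediate proxies and are not authenticated, unlike the connection's own source address. The same applies to `x_originating_ip` at @@ -38957 and to `intermediate_ips` at @@ -42900 and @@ -43306. Suggest appending to each of those descriptions: `Values come from headers that can be set by the client or intermediaries and should not be treated as an authenticated source address.`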
@@ -41115,6 +41206,7 @@
"ip": {
"caption": "IP Address",
"description": "The IP address, in either IPv4 or IPv6 format.",
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
},
@@ -41128,6 +41220,7 @@
"location": {
"caption": "Geo Location",
"description": "The detailed geographical location usually associated with an IP address.",
+ "observable": 26,
"requirement": "optional",
"type": "location"
},
@@ -41162,6 +41255,7 @@
"subnet": {
"caption": "Subnet",
"description": "The subnet mask.",
+ "observable": 12,
"requirement": "optional",
"type": "subnet_t"
},
@@ -41209,6 +41303,7 @@
"file": {
"caption": "File",
"description": "The file that pertains to the job.",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -41287,6 +41382,7 @@
"user": {
"caption": "User",
"description": "The user that created the job.",
+ "observable": 21,
"requirement": "optional",
"type": "user"
}
@@ -41363,6 +41459,7 @@
"src_url": {
"caption": "Source URL",
"description": "The kb article link from the source vendor.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -41483,6 +41580,7 @@
"caption": "File",
"description": "The driver/extension file object.",
"group": "primary",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -41676,6 +41774,7 @@
"caption": "Email Addresses",
"description": "A list of additional email addresses for the user.",
"is_array": true,
+ "observable": 5,
"requirement": "optional",
"type": "email_t"
},
@@ -41737,12 +41836,14 @@
"location": {
"caption": "Geo Location",
"description": "The geographical location associated with a user. This is typically the user's usual work location.",
+ "observable": 26,
"requirement": "optional",
"type": "location"
},
"manager": {
"caption": "Manager",
"description": "The user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.",
+ "observable": 21,
"requirement": "optional",
"type": "user"
},
@@ -42561,6 +42662,7 @@
"file": {
"caption": "File",
"description": "The module file object.",
+ "observable": 24,
"requirement": "recommended",
"type": "file"
},
@@ -42857,6 +42959,7 @@
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
"group": "context",
+ "observable": 27,
"requirement": "recommended",
"type": "container"
},
@@ -42869,6 +42972,7 @@
"hostname": {
"caption": "Hostname",
"description": "The fully qualified name of the endpoint.",
+ "observable": 1,
"requirement": "recommended",
"type": "hostname_t"
},
@@ -42900,12 +43004,14 @@
"caption": "Intermediate IP Addresses",
"description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
"is_array": true,
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
},
"ip": {
"caption": "IP Address",
"description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
+ "observable": 2,
"requirement": "recommended",
"type": "ip_t"
},
@@ -42918,12 +43024,14 @@
"location": {
"caption": "Geo Location",
"description": "The geographical location of the endpoint.",
+ "observable": 26,
"requirement": "optional",
"type": "location"
},
"mac": {
"caption": "MAC Address",
"description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
"requirement": "optional",
"type": "mac_t"
},
@@ -42949,12 +43057,14 @@
"owner": {
"caption": "Owner",
"description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
},
"port": {
"caption": "Port",
"description": "The port used for communication within the network connection.",
+ "observable": 11,
"requirement": "recommended",
"type": "port_t"
},
@@ -43124,18 +43234,21 @@
"hostname": {
"caption": "Hostname",
"description": "The hostname associated with the network interface.",
+ "observable": 1,
"requirement": "recommended",
"type": "hostname_t"
},
"ip": {
"caption": "IP Address",
"description": "The IP address associated with the network interface.",
+ "observable": 2,
"requirement": "recommended",
"type": "ip_t"
},
"mac": {
"caption": "MAC Address",
"description": "The MAC address of the network interface.",
+ "observable": 3,
"requirement": "recommended",
"type": "mac_t"
},
@@ -43263,6 +43376,7 @@
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
"group": "context",
+ "observable": 27,
"requirement": "recommended",
"type": "container"
},
@@ -43275,6 +43389,7 @@
"hostname": {
"caption": "Hostname",
"description": "The fully qualified name of the endpoint.",
+ "observable": 1,
"requirement": "recommended",
"type": "hostname_t"
},
@@ -43306,12 +43421,14 @@
"caption": "Intermediate IP Addresses",
"description": "The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.",
"is_array": true,
+ "observable": 2,
"requirement": "optional",
"type": "ip_t"
},
"ip": {
"caption": "IP Address",
"description": "The IP address of the endpoint, in either IPv4 or IPv6 format.",
+ "observable": 2,
"requirement": "recommended",
"type": "ip_t"
},
@@ -43324,12 +43441,14 @@
"location": {
"caption": "Geo Location",
"description": "The geographical location of the endpoint.",
+ "observable": 26,
"requirement": "optional",
"type": "location"
},
"mac": {
"caption": "MAC Address",
"description": "The Media Access Control (MAC) address of the endpoint.",
+ "observable": 3,
"requirement": "optional",
"type": "mac_t"
},
@@ -43355,12 +43474,14 @@
"owner": {
"caption": "Owner",
"description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
},
"port": {
"caption": "Port",
"description": "The port used for communication within the network connection.",
+ "observable": 11,
"requirement": "recommended",
"type": "port_t"
},
@@ -44409,6 +44530,7 @@
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
"group": "context",
+ "observable": 27,
"requirement": "recommended",
"type": "container"
},
@@ -44433,6 +44555,7 @@
"file": {
"caption": "File",
"description": "The process file object.",
+ "observable": 24,
"requirement": "recommended",
"type": "file"
},
@@ -44513,6 +44636,7 @@
"parent_process": {
"caption": "Parent Process",
"description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
+ "observable": 25,
"requirement": "recommended",
"type": "process"
},
@@ -44577,6 +44701,7 @@
"user": {
"caption": "User",
"description": "The user under which this process is running.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
},
@@ -44671,6 +44796,7 @@
"url_string": {
"caption": "URL String",
"description": "The URL pointing towards the product.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -45431,6 +45557,7 @@
"caption": "Containers",
"description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
"is_array": true,
+ "observable": 27,
"requirement": "optional",
"type": "container"
},
@@ -45654,6 +45781,7 @@
"owner": {
"caption": "Owner",
"description": "The identity of the service or user account that owns the resource.",
+ "observable": 21,
"requirement": "recommended",
"type": "user"
},
@@ -45730,6 +45858,7 @@
"caption": "Containers",
"description": "When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.",
"is_array": true,
+ "observable": 27,
"requirement": "optional",
"type": "container"
},
@@ -46218,6 +46347,7 @@
},
"caption": "File",
"description": "The service file object.",
+ "observable": 24,
"requirement": "required",
"type": "file"
},
@@ -46628,6 +46758,7 @@
"src_url": {
"caption": "Source URL",
"description": "The versioned permalink of the attack sub technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
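Review bot: The `description` string of this `src_url` entry is printed across two physical lines, with the closing `.` on a line of its own after the URL, and the same split appears in the following `src_url` hunks (attack tactic, attack technique) and in the `hostname`, `port`, `url_string` and URL text hunks further down. If that break exists in the exported file rather than being a display artifact of URL linkification, it is an unescaped control character inside a JSON string and a strict RFC 8259 parser rejects the whole export; the value would need to be on one line, e.g. `"description": "The versioned permalink of the attack sub technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/."`, or carry an explicit `\n`. This is most likely rendering, so it is worth confirming against the raw file before merging a 49k-line export that downstream validators will load.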
@@ -46759,6 +46890,7 @@
"src_url": {
"caption": "Source URL",
"description": "The versioned permalink of the attack tactic, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -46812,6 +46944,7 @@
"src_url": {
"caption": "Source URL",
"description": "The versioned permalink of the attack technique, as defined by ATT&CK MatrixTM. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
+ "observable": 6,
"requirement": "optional",
"type": "url_t"
},
@@ -46976,12 +47109,14 @@
},
"caption": "JA3 Fingerprint",
"description": "The fingerprint of JA3 string.",
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
"ja3_hash": {
"caption": "JA3 Hash",
"description": "The MD5 hash of a JA3 string.",
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
@@ -47002,12 +47137,14 @@
},
"caption": "JAS3 Fingerprint",
"description": "The fingerprint of JAS3 string.",
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
"ja3s_hash": {
"caption": "JA3S Hash",
"description": "The MD5 hash of a JA3S string.",
+ "observable": 30,
"requirement": "recommended",
"type": "fingerprint"
},
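Review bot: The caption and description in this hunk still read `"caption": "JAS3 Fingerprint"` and `"description": "The fingerprint of JAS3 string."`, while the sibling entry in the same hunk uses `"caption": "JA3S Hash"`; the letter transposition survives on the new side even though the commit only adds `"observable": 30` here. Since this file is an export, the correction belongs in the source definition it was generated from, with the export regenerated, e.g. `"caption": "JA3S Fingerprint"` / `"description": "The fingerprint of JA3S string."`. The enclosing attribute object starts before the hunk, so its key is not visible here.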
@@ -47553,6 +47690,7 @@
"hostname": {
"caption": "Hostname",
"description": "The URL host as extracted from the URL. For example: www.example.com
from www.example.com/download/trouble
.",
+ "observable": 1,
"requirement": "recommended",
"type": "hostname_t"
},
@@ -47565,6 +47703,7 @@
"port": {
"caption": "Port",
"description": "The URL port. For example: 80
.",
+ "observable": 11,
"requirement": "recommended",
"type": "port_t"
},
@@ -47623,6 +47762,7 @@
},
"caption": "URL Text",
"description": "The URL. For example: http://www.example.com/download/trouble.exe
.",
+ "observable": 6,
"requirement": "required",
"type": "url_t"
},
@@ -47636,6 +47776,7 @@
"url_string": {
"caption": "URL String",
"description": "The URL string. See RFC 1738. For example: http://www.example.com/download/trouble.exe
. Note: The URL path should not populate the URL string.",
+ "observable": 6,
"requirement": "recommended",
"type": "url_t"
}
@@ -47997,6 +48138,7 @@
"url": {
"caption": "URL",
"description": "The URL the intelligence applies to.",
+ "observable": 23,
"requirement": "optional",
"type": "url"
},
@@ -48099,6 +48241,7 @@
"email_addr": {
"caption": "Email Address",
"description": "The user's primary email address.",
+ "observable": 5,
"requirement": "optional",
"type": "email_t"
},
@@ -48559,6 +48702,7 @@
"url_string": {
"caption": "URL String",
"description": "The URL pointing towards the source of the web resource.",
+ "observable": 6,
"requirement": "recommended",
"type": "url_t"
}
diff --git a/extensions/query/extension.json b/extensions/query/extension.json
index da35d07ac..194672176 100644
--- a/extensions/query/extension.json
+++ b/extensions/query/extension.json
@@ -1,6 +1,6 @@
{
"caption": "Query Extension",
"name": "query",
- "version": "1.2.2",
+ "version": "1.2.3",
"uid": 101
}