Query Schema Documentation

Caption	Name	Base Type	Contraints	Description
Boolean	boolean_t			Boolean value. One of `true` or `false`.
Byte String	bytestring_t	String		Base64 encoded immutable byte sequence.
Datetime	datetime_t	String	`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(Z\|[\+-]\d{2}:\d{2})?$`	The Internet Date/Time format as defined in RFC-3339. For example `1985-04-12T23:20:50.52Z`.
Email Address	email_t	String	`^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$`	Email address. For example: `john_doe@example.com`.
Hash	file_hash_t	String	Max Length: 64	Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: `3172ac7e2b55cbb81f04a6e65855a628`.
File Name	file_name_t	String		File name. For example: `text-file.txt`.
Float	float_t			Real floating-point value. For example: `3.14`.
Hostname	hostname_t	String	`^(([a-zA-Z0-9]\|[a-zA-Z0-9][a-zA-Z0-9\-][a-zA-Z0-9])\.)([A-Za-z0-9]\|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$`	Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: `r2-d2.example.com`.
Integer	integer_t			Signed integer value.
IP Address	ip_t	String	Max Length: 40 ((^\s((([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5]).){3}([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5]))\s$)\|(^\s((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}\|:))\|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}\|((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3})\|:))\|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})\|:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3})\|:))\|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})\|((:[0-9A-Fa-f]{1,4})?:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})\|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})\|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})\|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:))\|(:(((:[0-9A-Fa-f]{1,4}){1,7})\|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)(.(25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)){3}))\|:)))(%.+)?\s$))	Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, `192.168.200.24` or `2001:0db8:85a3:0000:0000:8a2e:0370:7334`.
JSON	json_t			Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See www.json.org.
Long	long_t			8-byte long, signed integer value.
MAC Address	mac_t	String	Max Length: 32 `^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$`	Media Access Control (MAC) address. For example: `18:36:F3:98:4F:9A`.
Port	port_t	Integer	Between 0 and 65535	The TCP/UDP port number. For example: `80` or `22`.
Process Name	process_name_t	String		Process name. For example: `Notepad`.
Resource UID	resource_uid_t	String	Max Length: 64	Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.
String	string_t		Max Length: 65535	UTF-8 encoded byte sequence.
Subnet	subnet_t	String	Max Length: 42	The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. For example: 192.168.1.0/24 2001:0db8:85a3:0000::/64
Timestamp	timestamp_t	Long		The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example `1618524549901`.
URL String	url_t	String		Uniform Resource Locator (URL) string. For example: `http://www.example.com/download/trouble.exe`.
User Name	username_t	String		User name. For example: `john_doe`.
UUID	uuid_t	String	`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`	128-bit universal unique identifier. For example: `123e4567-e89b-12d3-a456-42661417400`.
Path Name	path_t	String	`^[\pL0-9_]+[\pL0-9 ~!@#%&\-./_]$`	File or folder full path name. For example: `/home/user/tmp/text-file.txt`. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Object	object_t			Object is an unordered set of name/value pairs. For example: `{ip: 92.24.47.250, type: IP Address}` Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Boolean

boolean_t

Boolean value. One of true or false.

Byte String

bytestring_t

String

Base64 encoded immutable byte sequence.

Datetime

datetime_t

String

^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(Z|[\+-]\d{2}:\d{2})?$

The Internet Date/Time format as defined in RFC-3339. For example 1985-04-12T23:20:50.52Z.

Email Address

email_t

String

^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$

Email address. For example: john_doe@example.com.

Hash

file_hash_t

String

Max Length: 64

Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: 3172ac7e2b55cbb81f04a6e65855a628.

File Name

file_name_t

String

File name. For example: text-file.txt.

Float

float_t

Real floating-point value. For example: 3.14.

Hostname

hostname_t

String

^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$

Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

Integer

integer_t

Signed integer value.

IP Address

ip_t

String

Max Length: 40

((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))

Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

JSON

json_t

Embedded JSON value. A value can be a string, or a number, or true or false or null, or an object or an array. These structures can be nested. See www.json.org.

Long

long_t

8-byte long, signed integer value.

MAC Address

mac_t

String

Max Length: 32

^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$

Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

Port

port_t

Integer

Between 0 and 65535

The TCP/UDP port number. For example: 80 or 22.

Process Name

process_name_t

String

Process name. For example: Notepad.

Resource UID

resource_uid_t

String

Max Length: 64

Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID.

String

string_t

Max Length: 65535

UTF-8 encoded byte sequence.

Subnet

subnet_t

String

Max Length: 42

The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.

For example:

192.168.1.0/24
2001:0db8:85a3:0000::/64

Timestamp

timestamp_t

Long

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

URL String

url_t

String

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

User Name

username_t

String

User name. For example: john_doe.

UUID

uuid_t

String

[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}

128-bit universal unique identifier. For example: 123e4567-e89b-12d3-a456-42661417400.

Path Name

path_t

String

^[\pL0-9_]+[\pL0-9 ~!@#%&*\-./_]*$

File or folder full path name. For example: /home/user/tmp/text-file.txt.

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0

Object

object_t

Object is an unordered set of name/value pairs. For example: {ip: 92.24.47.250, type: IP Address}

Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0