Events
Events represent activities related to OCSF Objects and typically come from log data. Events are things that happened, and therefore, they are all verbs with a timestamp.
Categories
- Application Activity
- Discovery
- Findings
- Identity & Access Management
- Network Activity
- System Activity
Application Activity::Application Activity events report detailed information about the behavior of applications and services. |
|||
| Event | Name | Searchable | Description |
|---|---|---|---|
| API Activity | api_activity | API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail) | |
| Application Activity | application | The base event is a generic concrete event and it also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema. | |
| Application Lifecycle | application_lifecycle | Application Lifecycle events report installation, removal, start, stop of an application or service. | |
| Datastore Activity | datastore_activity | Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3). | |
| File Hosting Activity | file_hosting | File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive. | |
| Scan Activity | scan_activity | Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved. | |
| Web Resource Access Activity | web_resource_access_activity |
Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.
Deprecated since 1.0.0: Use the |
|
| Web Resources Activity | web_resources_activity | Web Resources Activity events describe actions executed on a set of Web Resources. | |
Discovery::Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects. |
|||
| Event | Name | Searchable | Description |
| Device Config State | config_state | Device Config State events report device configuration data and CIS Benchmark results. | |
| Device Config State Change | device_config_state_change | Device Config State Change events report state changes that impact the security of the device. | |
| Discovery | discovery | The Discovery event is a generic event that defines a set of attributes available in Discovery category events. As a generic event, it could be used to log events that are not otherwise defined by the Discovery specific event classes. | |
| Discovery Result | discovery_result | Discovery Result events report the results of a discovery request. | |
| Device Inventory Info | inventory_info | Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices. | |
| Operating System Patch State | patch_state | Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles. | |
| Prefetch Info | prefetch_info | Prefetch Info events report information about Windows prefetch files. | |
| Registry Key Info | registry_key_info | Registry Key Info events report information about discovered Windows registry keys. | |
| Registry Value Info | registry_value_info | Registry Value Info events report information about discovered Windows registry values. | |
| User Inventory Info | user_inventory | User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries. | |
Findings::Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products. |
|||
| Event | Name | Searchable | Description |
| Compliance Finding | compliance_finding |
Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.
|
|
| Data Security Finding | data_security_finding | A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. | |
| Detection Finding | detection_finding |
A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the product is a security control, the security_control profile should be applied and its attacks information should be duplicated into the finding_info object.
|
|
| Finding | finding | The Finding event is a generic event that defines a set of attributes available in the Findings category. | |
| Incident Finding | incident_finding | An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics. | |
| Security Finding | security_finding |
Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
Deprecated since 1.1.0: Use the new specific classes according to the use-case: |
|
| Vulnerability Finding | vulnerability_finding | The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. | |
Identity & Access Management::Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. |
|||
| Event | Name | Searchable | Description |
| Account Change | account_change | Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked. | |
| Authentication | authentication | Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise. | |
| Authorize Session | authorize_session | Authorize Session events report privileges or groups assigned to a new user session, usually at login time. | |
| Entity Management | entity_management | Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity. | |
| Group Management | group_management | Group Management events report management updates to a group, including updates to membership and permissions. | |
| Identity & Access Management | iam | The Identity & Access Management event is a generic event that defines a set of attributes available in the access control events. As a generic event, it could be used to log events that are not otherwise defined by the IAM category. | |
| User Access Management | user_access | User Access Management events report management updates to a user's privileges. | |
Network Activity::Network Activity events. |
|||
| Event | Name | Searchable | Description |
| DHCP Activity | dhcp_activity | DHCP Activity events report MAC to IP assignment via DHCP from a client or server. | |
| DNS Activity | dns_activity | DNS Activity events report DNS queries and answers as seen on the network. | |
| Email Activity | email_activity | Email events report activities of emails. | |
| Email Delivery Activity | email_delivery_activity |
Email Delivery events report the delivery status of emails.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Email File Activity | email_file_activity | Email File Activity events report files within emails. | |
| Email URL Activity | email_url_activity | Email URL Activity events report URLs within an email. | |
| FTP Activity | ftp_activity | File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network. | |
| HTTP Activity | http_activity | HTTP Activity events report HTTP connection and traffic information. | |
| Network | network | Network event is a generic event that defines a set of attributes available in the Network category. | |
| Network Activity | network_activity | Network Activity events report network connection and traffic activity. | |
| Network File Activity | network_file_activity |
Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.
Deprecated since 1.1.0: Use the new class: |
|
| NTP Activity | ntp_activity | The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network. | |
| RDP Activity | rdp_activity | Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network. | |
| SMB Activity | smb_activity | Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network. | |
| SSH Activity | ssh_activity | SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol. | |
System Activity::System Activity events. |
|||
| Event | Name | Searchable | Description |
| File System Activity | file_activity | File System Activity events report when a process performs an action on a file or folder. | |
| Kernel Activity | kernel_activity | Kernel Activity events report when an process creates, reads, or deletes a kernel resource. | |
| Kernel Extension Activity | kernel_extension | Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel | |
| Memory Activity | memory_activity | Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP). | |
| Module Activity | module_activity |
Module Activity events report when a process loads or unloads the module.
|
|
| Process Activity | process_activity | Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise. | |
| Registry Key Activity | registry_key_activity | Registry Key Activity events report when a process performs an action on a Windows registry key. | |
| Registry Value Activity | registry_value_activity | Registry Value Activity events reports when a process performs an action on a Windows registry value. | |
| Windows Resource Activity | resource_activity | Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise. | |
| Scheduled Job Activity | scheduled_job_activity | Scheduled Job Activity events report activities related to scheduled jobs or tasks. | |
| System Activity | system | The System Activity event is a generic event that defines a set of attributes available in the system activity events. As a generic event, it could be used to log events that are not otherwise defined by the System Activity category. | |