HTTP Activity
HTTP Activity is a searchable entity at the top of Query's UI.
http_activity (4002)
HTTP Activity events report HTTP connection and traffic information.
Contents
Attributes
| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Action | action | String |
The normalized caption of action_id.
|
||
| Action ID | action_id | Integer |
The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. Note that 99 'Other' is not an option. No action would equate to 1 'Allowed'. An unknown action may still correspond to a known disposition. Refer to disposition_id for the outcome of the action.
|
||
| Activity ID | activity_id | Integer |
The normalized identifier of the activity that triggered the event.
|
||
| Activity | activity_name | String | The event activity name, as defined by the activity_id. | ||
| Actor | actor | Actor | The actor object describes details about the user/role/process that was the source of the activity. | ||
| API Details | api | API | Describes details about a typical API (Application Programming Interface) call. | ||
| Application Name | app_name | String | The name of the application associated with the event or object. | ||
| MITRE ATT&CK® Details | attacks | MITRE ATT&CK® | An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques identified by a security control or finding. | ||
| Authorization Information | authorizations | Authorization Result | Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event. | ||
| Category | category_name | String | The event category name, as defined by category_uid value. | ||
| Category ID | category_uid | Integer |
The category unique identifier of the event.
|
||
| Class | class_name | String | The event class name, as defined by class_uid value. | ||
| Class ID | class_uid | Integer |
The unique identifier of a class. A class describes the attributes available in an event.
|
||
| Cloud | cloud | Cloud | Describes details about the Cloud environment where the event was originally created or logged. | ||
| Confidence | confidence | Integer |
The confidence of the reported event severity as a percentage: 0%-100%.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
||
| Connection Info | connection_info | Network Connection Information | The network connection information. | ||
| Count | count | Integer | 1 | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | |
| Data | data | JSON |
Additional data that is associated with the event.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
||
| Device | device | Device | An addressable device, computer system or host. | ||
| Disposition | disposition | String | The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. | ||
| Disposition ID | disposition_id | Integer |
Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.
|
||
| Destination Endpoint | dst_endpoint | Network Endpoint | The responder (server) in a network connection. | ||
| Duration | duration | Integer |
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
|
||
| End Time | end_time | Timestamp | The end time of a time period, or the time of the most recent event included in the aggregate event. | ||
| Enrichments | enrichments | Enrichment |
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
|
||
| File | file | File | The file that is the target of the HTTP activity. | ||
| Firewall Rule | firewall_rule | Firewall Rule | The firewall rule that triggered the event. | ||
| HTTP Cookies | http_cookies | HTTP Cookie | The cookies object describes details about HTTP cookies | ||
| HTTP Request | http_request | HTTP Request | The HTTP Request Object documents attributes of a request made to a web server. | ||
| HTTP Response | http_response | HTTP Response | The HTTP Response from a web server to a requester. | ||
| HTTP Status | http_status | Integer |
The Hypertext Transfer Protocol (HTTP) status code returned to the client.
Deprecated since 1.1.0: Use the |
||
| Load Balancer | load_balancer | Load Balancer | The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. | ||
| Malware | malware | Malware | A list of Malware objects, describing details about the identified malware. | ||
| Message | message | String | The description of the event/finding, as defined by the source. | ||
| Metadata | metadata | Metadata | The metadata associated with the event or a finding. | ||
| Observables | observables | Observable | The observables associated with the event or a finding. | ||
| Proxy | proxy | Network Proxy Endpoint |
The proxy (server) in a network connection.
Deprecated since 1.1.0: Use the |
||
| Proxy Connection Info | proxy_connection_info | Network Connection Information | The connection information from the proxy server to the remote server. | ||
| Proxy Endpoint | proxy_endpoint | Network Proxy Endpoint | The proxy (server) in a network connection. | ||
| Proxy HTTP Request | proxy_http_request | HTTP Request | The HTTP Request from the proxy server to the remote server. | ||
| Proxy HTTP Response | proxy_http_response | HTTP Response | The HTTP Response from the remote server to the proxy server. | ||
| Proxy TLS | proxy_tls | Transport Layer Security (TLS) | The TLS protocol negotiated between the proxy server and the remote server. | ||
| Proxy Traffic | proxy_traffic | Network Traffic | The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. | ||
| Raw Data | raw_data | JSON | The event data as received from the event source. | ||
| Record ID | record_id | String | Unique idenifier for the event | ||
| Severity | severity | String | The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source. | ||
| Severity ID | severity_id | Integer |
The normalized identifier of the event/finding severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
|
||
| Source Endpoint | src_endpoint | Network Endpoint | The initiator (client) of the network connection. | ||
| Start Time | start_time | Timestamp | The start time of a time period, or the time of the least recent event included in the aggregate event. | ||
| Status | status | String | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | ||
| Status Code | status_code | String |
The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. |
||
| Status Details | status_detail | String | The status details contains additional information about the event/finding outcome. | ||
| Status ID | status_id | Integer |
The normalized identifier of the event status.
|
||
| Event Time | time | Timestamp | The normalized event occurrence time or the finding creation time. | ||
| Timezone Offset | timezone_offset | Integer |
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
|
||
| TLS | tls | Transport Layer Security (TLS) | The Transport Layer Security (TLS) attributes. | ||
| Traffic | traffic | Network Traffic | The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection. | ||
| Type Name | type_name | String | The event/finding type name, as defined by the type_uid. | ||
| Type ID | type_uid | Long |
The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.
|
||
| Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
References
- HTTP Cookie
- HTTP Request
- HTTP Response
- File
- Network Connection Information
- Network Endpoint
- Network Proxy Endpoint
- Network Endpoint
- Transport Layer Security (TLS)
- Network Traffic
- MITRE ATT&CK®
- Authorization Result
- Firewall Rule
- Malware
- Load Balancer
- Device
- Actor
- Network Proxy Endpoint
- Network Connection Information
- HTTP Request
- HTTP Response
- Network Traffic
- Transport Layer Security (TLS)
- Enrichment
- Metadata
- Observable
- Unmapped
- Cloud
- API
Referenced By
Context
JSON
{
"caption": "HTTP Activity",
"category": "network",
"description": "HTTP Activity events report HTTP connection and traffic information.",
"extends": "network",
"name": "http_activity",
"uid": 2,
"attributes": {
"activity_id": {
"enum": {
"1": {
"caption": "Connect",
"description": "The CONNECT method establishes a tunnel to the server identified by the target resource."
},
"2": {
"caption": "Delete",
"description": "The DELETE method deletes the specified resource."
},
"3": {
"caption": "Get",
"description": "The GET method requests a representation of the specified resource. Requests using GET should only retrieve data."
},
"4": {
"caption": "Head",
"description": "The HEAD method asks for a response identical to a GET request, but without the response body."
},
"5": {
"caption": "Options",
"description": "The OPTIONS method describes the communication options for the target resource."
},
"6": {
"caption": "Post",
"description": "The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server."
},
"7": {
"caption": "Put",
"description": "The PUT method replaces all current representations of the target resource with the request payload."
},
"8": {
"caption": "Trace",
"description": "The TRACE method performs a message loop-back test along the path to the target resource."
},
"0": {
"caption": "Unknown",
"description": "The event activity is unknown."
},
"99": {
"caption": "Other",
"description": "The event activity is not mapped. See the <code>activity_name</code> attribute, which contains a data source specific value."
}
},
"requirement": "required",
"caption": "Activity ID",
"description": "The normalized identifier of the activity that triggered the event.",
"sibling": "activity_name",
"type": "integer_t"
},
"http_cookies": {
"group": "primary",
"requirement": "recommended",
"caption": "HTTP Cookies",
"description": "The cookies object describes details about HTTP cookies",
"is_array": true,
"type": "http_cookie"
},
"http_request": {
"group": "primary",
"requirement": "required",
"caption": "HTTP Request",
"description": "The HTTP Request Object documents attributes of a request made to a web server.",
"type": "http_request"
},
"http_response": {
"group": "primary",
"requirement": "required",
"caption": "HTTP Response",
"description": "The HTTP Response from a web server to a requester.",
"type": "http_response"
},
"http_status": {
"group": "primary",
"@deprecated": {
"message": "Use the <code> http_response.code </code> attribute instead.",
"since": "1.1.0"
},
"caption": "HTTP Status",
"description": "The Hypertext Transfer Protocol (HTTP) <a target='_blank' href='https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml'>status code</a> returned to the client.",
"type": "integer_t"
},
"file": {
"description": "The file that is the target of the HTTP activity.",
"group": "context",
"requirement": "optional",
"caption": "File",
"type": "file"
},
"app_name": {
"group": "context",
"requirement": "optional",
"caption": "Application Name",
"description": "The name of the application associated with the event or object.",
"type": "string_t"
},
"connection_info": {
"group": "primary",
"requirement": "recommended",
"caption": "Connection Info",
"description": "The network connection information.",
"type": "network_connection_info"
},
"dst_endpoint": {
"description": "The responder (server) in a network connection.",
"group": "primary",
"requirement": "required",
"caption": "Destination Endpoint",
"type": "network_endpoint"
},
"proxy": {
"group": "primary",
"requirement": "recommended",
"@deprecated": {
"message": "Use the <code> proxy_endpoint </code> attribute instead.",
"since": "1.1.0"
},
"caption": "Proxy",
"description": "The proxy (server) in a network connection.",
"type": "network_proxy"
},
"src_endpoint": {
"description": "The initiator (client) of the network connection.",
"group": "primary",
"requirement": "required",
"caption": "Source Endpoint",
"type": "network_endpoint"
},
"tls": {
"group": "primary",
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
"type": "tls"
},
"traffic": {
"group": "primary",
"requirement": "recommended",
"caption": "Traffic",
"description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
"type": "network_traffic"
},
"action": {
"caption": "Action",
"description": "The normalized caption of <code>action_id</code>.",
"requirement": "optional",
"type": "string_t"
},
"action_id": {
"caption": "Action ID",
"description": "The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of <code>1</code> 'Allowed' or <code>2</code> 'Denied' in most cases. Note that <code>99</code> 'Other' is not an option. No action would equate to <code>1</code> 'Allowed'. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The action was unknown. The <code>disposition_id</code> attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
},
"1": {
"caption": "Allowed",
"description": "The activity was allowed. The <code>disposition_id</code> attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc."
},
"2": {
"caption": "Denied",
"description": "The attempted activity was denied. The <code>disposition_id</code> attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
},
"99": {
"caption": "Other",
"description": "The action was not mapped. See the <code>action</code> attribute, which contains a data source specific value."
}
},
"requirement": "required",
"type": "integer_t",
"sibling": "action"
},
"attacks": {
"requirement": "optional",
"caption": "MITRE ATT&CK\u00ae Details",
"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK\u00ae</a> objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
"is_array": true,
"type": "attack"
},
"authorizations": {
"requirement": "optional",
"caption": "Authorization Information",
"description": "Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.",
"is_array": true,
"type": "authorization"
},
"disposition": {
"requirement": "optional",
"caption": "Disposition",
"description": "The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"disposition_id": {
"requirement": "recommended",
"enum": {
"99": {
"caption": "Other",
"description": "The disposition is not listed. The <code>disposition</code> attribute should be populated with a source specific caption."
},
"0": {
"caption": "Unknown",
"description": "The disposition was not known."
},
"1": {
"caption": "Allowed",
"description": "Granted access or allowed the action to the protected resource."
},
"2": {
"caption": "Blocked",
"description": "Denied access or blocked the action to the protected resource."
},
"3": {
"caption": "Quarantined",
"description": "A suspicious file or other content was moved to a benign location."
},
"4": {
"caption": "Isolated",
"description": "A session was isolated on the network or within a browser."
},
"5": {
"caption": "Deleted",
"description": "A file or other content was deleted."
},
"6": {
"caption": "Dropped",
"description": "The request was detected as a threat and resulted in the connection being dropped."
},
"7": {
"caption": "Custom Action",
"description": "A custom action was executed such as running of a command script. Use the <code>message</code> attribute of the base class for details."
},
"8": {
"caption": "Approved",
"description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from <code>1</code> 'Allowed'."
},
"9": {
"caption": "Restored",
"description": "A quarantined file or other content was restored to its original location."
},
"10": {
"caption": "Exonerated",
"description": "Requires reboot to finish the operation."
},
"11": {
"caption": "Corrected",
"description": "A corrupt file or configuration was corrected."
},
"12": {
"caption": "Partially Corrected",
"description": "A corrupt file or configuration was partially corrected."
},
"13": {
"caption": "Uncorrected",
"description": "A corrupt file or configuration was not corrected."
},
"14": {
"caption": "Delayed",
"description": "No longer suspicious (re-scored)."
},
"15": {
"caption": "Detected",
"description": "Marked with extended attributes."
},
"16": {
"caption": "No Action",
"description": "The outcome of an operation had no action taken."
},
"17": {
"caption": "Logged",
"description": "The operation or action was logged without further action."
},
"18": {
"caption": "Tagged",
"description": "A file or other entity was marked with extended attributes."
},
"19": {
"caption": "Alert",
"description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
},
"20": {
"caption": "Count",
"description": "Counted the request or activity but did not determine whether to allow it or block it."
},
"21": {
"caption": "Reset",
"description": "The request was detected as a threat and resulted in the connection being reset."
},
"22": {
"caption": "Captcha",
"description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
},
"23": {
"caption": "Challenge",
"description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
},
"24": {
"caption": "Access Revoked",
"description": "The requestor's access has been revoked due to security policy enforcements. Note: use the <code>Host</code> profile if the <code>User</code> or <code>Actor</code> requestor is not present in the event class."
},
"25": {
"caption": "Rejected",
"description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from <code>2</code> 'Blocked'."
},
"26": {
"caption": "Unauthorized",
"description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than <code>2</code> 'Blocked' and can be complemented with the <code>authorizations</code> attribute for more detail."
},
"27": {
"caption": "Error",
"description": "An error occurred during the processing of the activity or request. Use the <code>message</code> attribute of the base class for details."
}
},
"caption": "Disposition ID",
"description": "Describes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.",
"sibling": "disposition",
"type": "integer_t"
},
"firewall_rule": {
"requirement": "optional",
"caption": "Firewall Rule",
"description": "The firewall rule that triggered the event.",
"type": "firewall_rule"
},
"malware": {
"requirement": "optional",
"caption": "Malware",
"description": "A list of Malware objects, describing details about the identified malware.",
"is_array": true,
"type": "malware"
},
"load_balancer": {
"requirement": "recommended",
"caption": "Load Balancer",
"description": "The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.",
"type": "load_balancer"
},
"device": {
"requirement": "recommended",
"caption": "Device",
"description": "An addressable device, computer system or host.",
"type": "device"
},
"actor": {
"requirement": "optional",
"caption": "Actor",
"description": "The actor object describes details about the user/role/process that was the source of the activity.",
"type": "actor"
},
"proxy_endpoint": {
"description": "The proxy (server) in a network connection.",
"requirement": "optional",
"caption": "Proxy Endpoint",
"type": "network_proxy"
},
"proxy_connection_info": {
"description": "The connection information from the proxy server to the remote server.",
"requirement": "recommended",
"caption": "Proxy Connection Info",
"type": "network_connection_info"
},
"proxy_http_request": {
"description": "The HTTP Request from the proxy server to the remote server.",
"requirement": "optional",
"caption": "Proxy HTTP Request",
"type": "http_request"
},
"proxy_http_response": {
"description": "The HTTP Response from the remote server to the proxy server.",
"requirement": "optional",
"caption": "Proxy HTTP Response",
"type": "http_response"
},
"proxy_traffic": {
"description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
"requirement": "recommended",
"caption": "Proxy Traffic",
"type": "network_traffic"
},
"proxy_tls": {
"description": "The TLS protocol negotiated between the proxy server and the remote server.",
"requirement": "recommended",
"caption": "Proxy TLS",
"type": "tls"
},
"enrichments": {
"group": "context",
"requirement": "optional",
"caption": "Enrichments",
"description": "The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>",
"is_array": true,
"type": "enrichment"
},
"message": {
"group": "primary",
"requirement": "recommended",
"caption": "Message",
"description": "The description of the event/finding, as defined by the source.",
"type": "string_t"
},
"metadata": {
"group": "context",
"requirement": "required",
"caption": "Metadata",
"description": "The metadata associated with the event or a finding.",
"type": "metadata"
},
"observables": {
"group": "primary",
"requirement": "recommended",
"caption": "Observables",
"description": "The observables associated with the event or a finding.",
"is_array": true,
"type": "observable"
},
"raw_data": {
"group": "context",
"requirement": "optional",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"severity": {
"group": "classification",
"requirement": "optional",
"caption": "Severity",
"description": "The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.",
"type": "string_t"
},
"severity_id": {
"group": "classification",
"requirement": "required",
"caption": "Severity ID",
"description": "<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
"enum": {
"99": {
"caption": "Other",
"description": "The event/finding severity is not mapped. See the <code>severity</code> attribute, which contains a data source specific value."
},
"0": {
"caption": "Unknown",
"description": "The event severity is not known."
},
"1": {
"caption": "Informational",
"description": "Informational message. No action required."
},
"2": {
"caption": "Low",
"description": "The user decides if action is needed."
},
"3": {
"caption": "Medium",
"description": "Action is required but the situation is not serious at this time."
},
"4": {
"caption": "High",
"description": "Action is required immediately."
},
"5": {
"caption": "Critical",
"description": "Action is required immediately and the scope is broad."
},
"6": {
"caption": "Fatal",
"description": "An error occurred but it is too late to take remedial action."
}
},
"sibling": "severity",
"type": "integer_t"
},
"status": {
"group": "primary",
"requirement": "recommended",
"caption": "Status",
"description": "The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"status_code": {
"group": "primary",
"requirement": "recommended",
"caption": "Status Code",
"description": "The event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.",
"type": "string_t"
},
"status_detail": {
"group": "primary",
"requirement": "recommended",
"caption": "Status Details",
"description": "The status details contains additional information about the event/finding outcome.",
"type": "string_t"
},
"status_id": {
"group": "primary",
"requirement": "recommended",
"caption": "Status ID",
"description": "The normalized identifier of the event status.",
"enum": {
"99": {
"caption": "Other",
"description": "The event status is not mapped. See the <code>status</code> attribute, which contains a data source specific value."
},
"0": {
"caption": "Unknown",
"description": "The status is unknown."
},
"1": {
"caption": "Success"
},
"2": {
"caption": "Failure"
}
},
"sibling": "status",
"type": "integer_t"
},
"unmapped": {
"group": "context",
"requirement": "optional",
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
},
"activity_name": {
"requirement": "optional",
"caption": "Activity",
"description": "The event activity name, as defined by the activity_id.",
"type": "string_t"
},
"category_name": {
"requirement": "optional",
"caption": "Category",
"description": "The event category name, as defined by category_uid value.",
"type": "string_t"
},
"category_uid": {
"enum": {
"4": {
"caption": "Network Activity",
"description": "Network Activity events."
}
},
"requirement": "required",
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"sibling": "category_name",
"type": "integer_t"
},
"class_name": {
"requirement": "optional",
"caption": "Class",
"description": "The event class name, as defined by class_uid value.",
"type": "string_t"
},
"class_uid": {
"enum": {
"4002": {
"caption": "HTTP Activity",
"description": "HTTP Activity events report HTTP connection and traffic information."
}
},
"requirement": "required",
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"sibling": "class_name",
"type": "integer_t"
},
"type_name": {
"requirement": "optional",
"caption": "Type Name",
"description": "The event/finding type name, as defined by the type_uid.",
"type": "string_t"
},
"type_uid": {
"requirement": "required",
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.",
"sibling": "type_name",
"type": "long_t",
"enum": {
"400201": {
"caption": "HTTP Activity: Connect"
},
"400202": {
"caption": "HTTP Activity: Delete"
},
"400203": {
"caption": "HTTP Activity: Get"
},
"400204": {
"caption": "HTTP Activity: Head"
},
"400205": {
"caption": "HTTP Activity: Options"
},
"400206": {
"caption": "HTTP Activity: Post"
},
"400207": {
"caption": "HTTP Activity: Put"
},
"400208": {
"caption": "HTTP Activity: Trace"
},
"400200": {
"caption": "HTTP Activity: Unknown"
},
"400299": {
"caption": "HTTP Activity: Other"
}
}
},
"count": {
"requirement": "optional",
"caption": "Count",
"description": "The number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.",
"type": "integer_t",
"default": 1
},
"duration": {
"requirement": "optional",
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.",
"type": "integer_t"
},
"end_time": {
"description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
"requirement": "optional",
"caption": "End Time",
"type": "timestamp_t"
},
"start_time": {
"description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
"requirement": "optional",
"caption": "Start Time",
"type": "timestamp_t"
},
"time": {
"requirement": "required",
"caption": "Event Time",
"description": "The normalized event occurrence time or the finding creation time.",
"type": "timestamp_t"
},
"timezone_offset": {
"requirement": "recommended",
"caption": "Timezone Offset",
"description": "The number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.",
"type": "integer_t"
},
"cloud": {
"requirement": "required",
"group": "primary",
"caption": "Cloud",
"description": "Describes details about the Cloud environment where the event was originally created or logged.",
"type": "cloud"
},
"api": {
"requirement": "optional",
"group": "context",
"caption": "API Details",
"description": "Describes details about a typical API (Application Programming Interface) call.",
"type": "api"
},
"data": {
"description": "Additional data that is associated with the event.",
"requirement": "optional",
"caption": "Data",
"type": "json_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"confidence": {
"group": "classification",
"requirement": "optional",
"caption": "Confidence",
"description": "The confidence of the reported event severity as a percentage: 0%-100%.",
"type": "integer_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"record_id": {
"description": "Unique idenifier for the event",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
}
},
"profiles": [
"host",
"network_proxy",
"security_control",
"load_balancer"
]
}