Data Security

Data Security is a searchable entity at the top of Query's UI.

data_security

The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).

Attributes

Each attribute is listed as Caption (name), Type, Requirement, followed by its description and, for enumerated attributes, the id: caption values. Only Unmapped Data is an array; no attribute has a default.

Category (category), String, optional
  The name of the data classification category that the data matched, e.g. Financial, Personal, Governmental. Sibling of category_id.

Category ID (category_id), Integer, recommended
  The normalized identifier of the data classification category.
  0: Unknown  1: Personal  2: Governmental  3: Financial  4: Business  5: Military and Law Enforcement  6: Security  99: Other

Confidentiality (confidentiality), String, optional
  The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.

Confidentiality ID (confidentiality_id), Integer, recommended
  The normalized identifier of the file content confidentiality indicator.
  0: Unknown  1: Not Confidential  2: Confidential  3: Secret  4: Top Secret  5: Private  6: Restricted  99: Other

Data Lifecycle State (data_lifecycle_state), String, optional
  The name of the stage or state that the data was in, e.g. Data-at-Rest, Data-in-Transit.

Data Lifecycle State ID (data_lifecycle_state_id), Integer, recommended
  The stage or state that the data was in when it was assessed or scanned by a data security tool.
  0: Unknown  1: Data at-Rest  2: Data in-Transit  3: Data in-Use  99: Other

Data Type (data_type), String, optional. Deprecated since 1.2.0 (upgrade from qdm-1.1.0 to qdm-1.2.0); category carries the same value.
  The name of the data classification category that the data matched, e.g. Financial, Personal, Governmental.

Data Type ID (data_type_id), Integer, recommended. Deprecated since 1.2.0 (upgrade from qdm-1.1.0 to qdm-1.2.0); category_id carries the same enumeration.
  The category or type of sensitive data as assessed or scanned by a data security tool (e.g., Personal, Governmental, Financial).
  0: Unknown  1: Personal  2: Governmental  3: Financial  4: Business  5: Military and Law Enforcement  6: Security  99: Other

Detection Pattern (detection_pattern), String, recommended
  The specific pattern, algorithm, fingerprint, or model used for detection.

Detection System (detection_system), String, optional
  The name of the type of data security tool or system that the finding, detection, or alert originated from, e.g. Endpoint, Secure Email Gateway.

Detection System ID (detection_system_id), Integer, recommended
  The type of data security tool or system that the finding, detection, or alert originated from.
  0: Unknown  1: Endpoint  2: DLP Gateway  3: Mobile Device Management  4: Data Discovery & Classification  5: Secure Web Gateway  6: Secure Email Gateway  7: Digital Rights Management  8: Cloud Access Security Broker  9: Database Activity Monitoring  10: Application-Level DLP  11: Developer Security  12: Data Security Posture Management  99: Other

Pattern Match (pattern_match), String, optional
  The text, binary, file name, or datastore that matched against a detection rule.

Policy (policy), Policy, recommended
  Details about the policy that triggered the finding.

Raw Data (raw_data), JSON
  The event data as received from the event source.

Record ID (record_id), String, required
  Unique identifier for the object.

Unmapped Data (unmapped), Unmapped, array
  The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Constraint: at least one of data_lifecycle_state_id, detection_pattern, detection_system_id, or policy must be present.

References

Referenced By

Context

Data Security

JSON

            
{
  "caption": "Data Security",
  "description": "The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).",
  "extends": "data_classification",
  "name": "data_security",
  "attributes": {
    "data_lifecycle_state": {
      "requirement": "optional",
      "caption": "Data Lifecycle State",
      "description": "The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.",
      "type": "string_t"
    },
    "data_lifecycle_state_id": {
      "requirement": "recommended",
      "caption": "Data Lifecycle State ID",
      "description": "The stage or state that the data was in when it was assessed or scanned by a data security tool.",
      "sibling": "data_lifecycle_state",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is not mapped. See the <code>data_lifecycle_state</code> attribute, which contains a data source specific value."
        },
        "1": {
          "caption": "Data at-Rest",
          "description": "The data was stored on physical or logical media and was not actively moving through the network nor being processed. E.g., data stored in a database, PDF files in a file share, or EHR records in object storage."
        },
        "2": {
          "caption": "Data in-Transit",
          "description": "The data was actively moving through the network or from one physical or logical location to another. E.g., emails being sent, data replication or Change Data Capture (CDC) streams, or sensitive data processed on an API."
        },
        "3": {
          "caption": "Data in-Use",
          "description": "The data was being processed, accessed, or read by a system, making it active in memory or CPU. E.g., sensitive data in a Business Intelligence tool, ePHI being processed in an EHR application or a user viewing data stored in a spreadsheet or PDF."
        },
        "99": {
          "caption": "Other",
          "description": "The data lifecycle state is not mapped. See the <code>data_lifecycle_state</code> attribute, which contains a data source specific value."
        }
      }
    },
    "detection_pattern": {
      "requirement": "recommended",
      "caption": "Detection Pattern",
      "description": "Specific pattern, algorithm, fingerprint, or model used for detection.",
      "type": "string_t"
    },
    "detection_system": {
      "requirement": "optional",
      "caption": "Detection System",
      "description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
      "type": "string_t"
    },
    "detection_system_id": {
      "requirement": "recommended",
      "caption": "Detection System ID",
      "description": "The type of data security tool or system that the finding, detection, or alert originated from.",
      "sibling": "detection_system",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is not mapped. See the <code>detection_system</code> attribute, which contains a data source specific value."
        },
        "1": {
          "caption": "Endpoint",
          "description": "A dedicated agent or sensor installed on a device, either a dedicated data security tool or an Endpoint Detection & Response (EDR) tool that can detect sensitive data and/or enforce data security policies. E.g., Forcepoint DLP, Symantec DLP, Microsoft Defender for Endpoint (MDE)."
        },
        "2": {
          "caption": "DLP Gateway",
          "description": "A Data Loss Prevention (DLP) gateway that is positioned in-line of an information store such as a network share, a database, or otherwise that can detect sensitive data and/or enforce data security policies."
        },
        "3": {
          "caption": "Mobile Device Management",
          "description": "A Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tool that can detect sensitive data and/or enforce data security policies on mobile devices (e.g., cellphones, tablets, End User Devices [EUDs])."
        },
        "4": {
          "caption": "Data Discovery & Classification",
          "description": "A tool that actively identifies and classifies sensitive data in digital media and information stores in accordance with a policy or automated functionality. E.g., Amazon Macie, Microsoft Purview."
        },
        "5": {
          "caption": "Secure Web Gateway",
          "description": "A Secure Web Gateway (SWG) is any tool that can detect sensitive data and/or enforce data security policies at a network-edge such as within a proxy or firewall service."
        },
        "6": {
          "caption": "Secure Email Gateway",
          "description": "A Secure Email Gateway (SEG) is any tool that can detect sensitive data and/or enforce data security policies within email systems. E.g., Microsoft Defender for Office, Google Workspaces."
        },
        "7": {
          "caption": "Digital Rights Management",
          "description": "A Digital Rights Management (DRM) or dedicated Information Rights Management (IRM) tool that can detect sensitive data and/or enforce data security policies on digital media via policy or user access rights."
        },
        "8": {
          "caption": "Cloud Access Security Broker",
          "description": "A Cloud Access Security Broker (CASB) that can detect sensitive data and/or enforce data security policies in-line to cloud systems such as the public cloud or Software-as-a-Service (SaaS) tool. E.g., Forcepoint CASB, SkyHigh Security."
        },
        "9": {
          "caption": "Database Activity Monitoring",
          "description": "A Database Activity Monitoring (DAM) tool that can detect sensitive data and/or enforce data security policies as part of a dedicated database or warehouse monitoring solution."
        },
        "10": {
          "caption": "Application-Level DLP",
          "description": "A built-in Data Loss Prevention (DLP) or other data security capability within a tool or platform such as an Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM) tool that can detect sensitive data and/or enforce data security policies."
        },
        "11": {
          "caption": "Developer Security",
          "description": "Any Developer Security tool such as an Infrastructure-as-Code (IaC) scanner, Secrets Detection, or Secure Software Development Lifecycle (SSDLC) tool that can detect sensitive data and/or enforce data security policies. E.g., TruffleHog, GitGuardian, Git-Secrets."
        },
        "12": {
          "caption": "Data Security Posture Management",
          "description": "A Data Security Posture Management (DSPM) tool is a continuous monitoring and data discovery solution that can detect sensitive data and/or enforce data security policies for local and cloud environments. E.g., Cyera, Sentra, IBM Polar Security."
        },
        "99": {
          "caption": "Other",
          "description": "Any other type of detection system or a multi-variate system made up of several other systems."
        }
      }
    },
    "pattern_match": {
      "requirement": "optional",
      "caption": "Pattern Match",
      "description": "A text, binary, file name, or datastore that matched against a detection rule.",
      "type": "string_t"
    },
    "policy": {
      "description": "Details about the policy that triggered the finding.",
      "requirement": "recommended",
      "caption": "Policy",
      "type": "policy"
    },
    "category": {
      "description": "The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
      "requirement": "optional",
      "caption": "Category",
      "type": "string_t"
    },
    "category_id": {
      "description": "The normalized identifier of the data classification category.",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is not mapped. See the <code>category</code> attribute, which contains a data source specific value."
        },
        "1": {
          "caption": "Personal",
          "description": "Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
        },
        "2": {
          "caption": "Governmental",
          "description": "Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc."
        },
        "3": {
          "caption": "Financial",
          "description": "Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc."
        },
        "4": {
          "caption": "Business",
          "description": "Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar."
        },
        "5": {
          "caption": "Military and Law Enforcement",
          "description": "Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data."
        },
        "6": {
          "caption": "Security",
          "description": "Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc."
        },
        "99": {
          "caption": "Other",
          "description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
        }
      },
      "requirement": "recommended",
      "caption": "Category ID",
      "sibling": "category",
      "type": "integer_t"
    },
    "confidentiality": {
      "requirement": "optional",
      "caption": "Confidentiality",
      "description": "The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.",
      "type": "string_t"
    },
    "confidentiality_id": {
      "requirement": "recommended",
      "caption": "Confidentiality ID",
      "description": "The normalized identifier of the file content confidentiality indicator.",
      "sibling": "confidentiality",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The confidentiality is unknown."
        },
        "1": {
          "caption": "Not Confidential"
        },
        "2": {
          "caption": "Confidential"
        },
        "3": {
          "caption": "Secret"
        },
        "4": {
          "caption": "Top Secret"
        },
        "5": {
          "caption": "Private"
        },
        "6": {
          "caption": "Restricted"
        },
        "99": {
          "caption": "Other",
          "description": "The confidentiality is not mapped. See the <code>confidentiality</code> attribute, which contains a data source specific value."
        }
      }
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "data_type_id": {
      "requirement": "recommended",
      "caption": "Data Type ID",
      "description": "The category or type of sensitive data as assessed or scanned by a data security tool (e.g., Personal, Governmental, Financial).",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is not mapped. See the <code>data_type</code> attribute, which contains a data source specific value."
        },
        "1": {
          "caption": "Personal",
          "description": "Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
        },
        "2": {
          "caption": "Governmental",
          "description": "Any sensitive government identification number related to a person or other classified material. E.g., Passport numbers, driver license numbers, business identification, taxation identifiers, etc."
        },
        "3": {
          "caption": "Financial",
          "description": "Any financially-related sensitive information or Cardholder Data (CHD). E.g., banking account numbers, credit card numbers, International Banking Account Numbers (IBAN), SWIFT codes, etc."
        },
        "4": {
          "caption": "Business",
          "description": "Any business-specific sensitive data such as intellectual property, trademarks, copyrights, human resource data, Board of Directors meeting minutes, and similar."
        },
        "5": {
          "caption": "Military and Law Enforcement",
          "description": "Any mission-specific sensitive data for military, law enforcement, or other government agencies such as specifically classified data, weapon systems information, or other planning data."
        },
        "6": {
          "caption": "Security",
          "description": "Any sensitive security-related data such as passwords, passkeys, IP addresses, API keys, credentials and similar secrets. E.g., AWS Access Secret Key, SaaS API Keys, user passwords, database credentials, etc."
        },
        "99": {
          "caption": "Other",
          "description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
        }
      },
      "sibling": "data_type",
      "type": "integer_t",
      "@deprecated": {
        "since": "1.2.0",
        "message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0"
      }
    },
    "data_type": {
      "caption": "Data Type",
      "requirement": "optional",
      "description": "The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.2.0",
        "message": "Deprecated in upgrade from qdm-1.1.0 to qdm-1.2.0"
      }
    }
  },
  "constraints": {
    "at_least_one": [
      "data_lifecycle_state_id",
      "detection_pattern",
      "detection_system_id",
      "policy"
    ]
  }
}
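The schema above is easiest to get right with a small mapper that writes each *_id together with its sibling string, plus a validator that enforces the required record_id, the at_least_one constraint, the enum ranges and the deprecation of data_type / data_type_id. The following Python is an added example, not Query's own code: the enum tables are copied from this page, but the two raw findings, the field names inside them, the policy shape ({"name": ...}) and the helper names are assumptions constructed for the example.

```python
"""Build and check QDM data_security objects.  Added example, not Query's own code.
Enum tables are copied from the schema on this page; the raw findings, their field
names, the policy shape and the helper names are constructed for this example."""
from __future__ import annotations

import uuid

# integer id -> caption, as defined on this page
CATEGORY = {0: "Unknown", 1: "Personal", 2: "Governmental", 3: "Financial",
            4: "Business", 5: "Military and Law Enforcement", 6: "Security", 99: "Other"}
CONFIDENTIALITY = {0: "Unknown", 1: "Not Confidential", 2: "Confidential", 3: "Secret",
                   4: "Top Secret", 5: "Private", 6: "Restricted", 99: "Other"}
LIFECYCLE = {0: "Unknown", 1: "Data at-Rest", 2: "Data in-Transit", 3: "Data in-Use", 99: "Other"}
DETECTION_SYSTEM = {0: "Unknown", 1: "Endpoint", 2: "DLP Gateway", 3: "Mobile Device Management",
                    4: "Data Discovery & Classification", 5: "Secure Web Gateway",
                    6: "Secure Email Gateway", 7: "Digital Rights Management",
                    8: "Cloud Access Security Broker", 9: "Database Activity Monitoring",
                    10: "Application-Level DLP", 11: "Developer Security",
                    12: "Data Security Posture Management", 99: "Other"}
# *_id attribute -> (sibling string attribute, enum table)
ENUMS = {"category_id": ("category", CATEGORY),
         "confidentiality_id": ("confidentiality", CONFIDENTIALITY),
         "data_lifecycle_state_id": ("data_lifecycle_state", LIFECYCLE),
         "detection_system_id": ("detection_system", DETECTION_SYSTEM)}
AT_LEAST_ONE = ("data_lifecycle_state_id", "detection_pattern", "detection_system_id", "policy")
DEPRECATED = ("data_type", "data_type_id")  # superseded by category / category_id in qdm-1.2.0


def set_enum(obj: dict, id_attr: str, value: int, source_value: str = "") -> None:
    """Write an *_id and its sibling caption together so the pair cannot drift.
    0 (Unknown) and 99 (Other) must instead carry the source-specific string."""
    sibling, table = ENUMS[id_attr]
    if value not in table:
        raise ValueError(f"{id_attr}: {value} is not a defined enum value")
    if value in (0, 99) and not source_value:
        raise ValueError(f"{id_attr}={value} needs a source-specific {sibling}")
    obj[id_attr] = value
    obj[sibling] = source_value if value in (0, 99) else table[value]


def redact(matched: str, keep: int = 4) -> str:
    """pattern_match is the text that matched; for a credential that is the secret
    itself, so keep only a recognisable prefix in the normalized record."""
    return matched[:keep] + "*" * max(0, len(matched) - keep)


def validate(obj: dict) -> list[str]:
    """Return every way `obj` violates the schema on this page (empty == valid)."""
    problems = []
    if not obj.get("record_id"):
        problems.append("record_id is required")
    if not any(attr in obj for attr in AT_LEAST_ONE):
        problems.append("at_least_one: need one of " + ", ".join(AT_LEAST_ONE))
    for id_attr, (sibling, table) in ENUMS.items():
        if id_attr not in obj:
            continue
        value = obj[id_attr]
        if value not in table:
            problems.append(f"{id_attr}={value!r} is not a defined enum value")
        elif value in (0, 99):
            if not obj.get(sibling):
                problems.append(f"{id_attr}={value} requires a source-specific {sibling}")
        elif obj.get(sibling, table[value]) != table[value]:
            problems.append(f"{sibling}={obj[sibling]!r} disagrees with {id_attr}={value}")
    for attr in DEPRECATED:
        if attr in obj:
            problems.append(f"{attr} is deprecated since qdm-1.2.0; use category_id/category")
    return problems


# Constructed raw findings (field names invented; the values are well-known test strings).
SECRET_SCAN_HIT = {"detector": "AWS", "file": "deploy/config.env",
                   "raw": "AKIAIOSFODNN7EXAMPLE", "commit": "0a1b2c3"}
EMAIL_DLP_ALERT = {"rule": "PCI-CHD-Outbound", "classifier": "credit_card_luhn",
                   "snippet": "4111111111111111"}


def from_secret_scanner(hit: dict) -> dict:
    """Secrets-detection hit: Developer Security system, Security category, data at rest.
    raw_data is left out on purpose: it would re-carry the unredacted secret."""
    obj = {"record_id": str(uuid.uuid4()), "detection_pattern": hit["detector"],
           "pattern_match": redact(hit["raw"])}
    set_enum(obj, "detection_system_id", 11)
    set_enum(obj, "category_id", 6)
    set_enum(obj, "data_lifecycle_state_id", 1)
    return obj


def from_email_gateway(alert: dict) -> dict:
    """SEG alert on outbound mail: Financial category, data in transit."""
    obj = {"record_id": str(uuid.uuid4()), "detection_pattern": alert["classifier"],
           "pattern_match": redact(alert["snippet"]),
           "policy": {"name": alert["rule"]},  # Policy object shape assumed
           "raw_data": alert}
    set_enum(obj, "detection_system_id", 6)
    set_enum(obj, "category_id", 3)
    set_enum(obj, "data_lifecycle_state_id", 2)
    set_enum(obj, "confidentiality_id", 2)
    return obj
```

Two points the schema implies but does not spell out: pattern_match carries the matched content, so for the Security category it carries the credential itself and should be redacted (as redact does) before the normalized record is stored or made searchable; and because 0 (Unknown) and 99 (Other) only mean something together with the sibling string, the validator treats a bare Unknown/Other id as an error rather than as a valid value.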