Evidence Artifacts

evidences

A collection of evidence artifacts associated with the activity or activities that triggered a security detection.


Attributes

Caption Name Type Is Array Default Description
Actor actor Actor Describes details about the user/role/process that was the source of the activity that triggered the detection.
API Details api API Describes details about the API call associated with the activity that triggered the detection.
Connection Info connection_info Network Connection Information Describes details about the network connection associated with the activity that triggered the detection.
Container container Container Describes details about the container associated with the activity that triggered the detection.
Data data JSON Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.
Database database Database Describes details about the database associated with the activity that triggered the detection.
Databucket databucket Databucket Describes details about the databucket associated with the activity that triggered the detection.
Destination Endpoint dst_endpoint Network Endpoint Describes details about the destination of the network activity that triggered the detection.
File file File Describes details about the file associated with the activity that triggered the detection.
Process process Linux Process Describes details about the process associated with the activity that triggered the detection.
DNS Query query DNS Query Describes details about the DNS query associated with the activity that triggered the detection.
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object.
Source Endpoint src_endpoint Network Endpoint Describes details about the source of the network activity that triggered the detection.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Context

Evidence Artifacts

JSON

{
  "caption": "Evidence Artifacts",
  "description": "A collection of evidence artifacts associated with the activity or activities that triggered a security detection.",
  "extends": "object",
  "name": "evidences",
  "attributes": {
    "actor": {
      "description": "Describes details about the user/role/process that was the source of the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Actor",
      "type": "actor"
    },
    "api": {
      "description": "Describes details about the API call associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "API Details",
      "type": "api"
    },
    "container": {
      "description": "Describes details about the container associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Container",
      "type": "container"
    },
    "connection_info": {
      "description": "Describes details about the network connection associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Connection Info",
      "type": "network_connection_info"
    },
    "data": {
      "description": "Additional evidence data that is not accounted for in the specific evidence attributes.<code> Use only when absolutely necessary.</code>",
      "requirement": "optional",
      "caption": "Data",
      "type": "json_t"
    },
    "database": {
      "description": "Describes details about the database associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Database",
      "type": "database"
    },
    "databucket": {
      "description": "Describes details about the databucket associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Databucket",
      "type": "databucket"
    },
    "dst_endpoint": {
      "description": "Describes details about the destination of the network activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Destination Endpoint",
      "type": "network_endpoint"
    },
    "file": {
      "description": "Describes details about the file associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "File",
      "type": "file"
    },
    "process": {
      "description": "Describes details about the process associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Process",
      "type": "process"
    },
    "query": {
      "description": "Describes details about the DNS query associated with the activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "DNS Query",
      "type": "dns_query"
    },
    "src_endpoint": {
      "description": "Describes details about the source of the network activity that triggered the detection.",
      "requirement": "recommended",
      "caption": "Source Endpoint",
      "type": "network_endpoint"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object.",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "constraints": {
    "at_least_one": [
      "actor",
      "api",
      "connection_info",
      "data",
      "database",
      "databucket",
      "dst_endpoint",
      "file",
      "process",
      "query",
      "src_endpoint"
    ]
  }
}