Objects
OCSF Objects are cybersecurity entities that exist, such as a File, User, Device, etc. Each object has its set of attributes that Query can extract and set from the federated search results coming from multiple disparate data sources.
| Object | Name | Searchable | Description |
|---|---|---|---|
| Account | account | The Account object contains details about the account that initiated or performed a specific activity within a system or application. | |
| Actor | actor | The Actor object contains details about the user, role, or process that initiated or performed a specific activity. | |
| Affected Code | affected_code | The Affected Code object describes details about a code block identified as vulnerable. | |
| Affected Software Package | affected_package | The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities. | |
| Analytic | analytic | The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion. | |
| API | api | The API, or Application Programming Interface, object represents information pertaining to an API request and response. | |
| MITRE ATT&CK® | attack | The MITRE ATT&CK® object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK MatrixTM. | |
| Authorization Result | authorization | The Authorization Result object provides details about the authorization outcome and associated policies related to activity. | |
| Digital Certificate | certificate | The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity. Defined by D3FEND d3f:Certificate. | |
| CIS Benchmark | cis_benchmark | The CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security. See also Getting to Know the CIS Benchmarks. | |
| CIS Benchmark Result | cis_benchmark_result | The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result. CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure. | |
| CIS Control | cis_control | The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The CIS Controls are defined by the Center for Internet Security. | |
| CIS CSC | cis_csc | The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC). Prioritized set of actions to protect your organization and data from cyber-attack vectors. | |
| Cloud | cloud | The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc. | |
| Compliance | compliance | The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements. | |
| Container | container | The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. | |
| CVE | cve | The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in CVE Program catalog (CVE). There is one CVE Record for each vulnerability in the catalog. | |
| CVSS Score | cvss | The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. | |
| CWE | cwe | The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog. | |
| Database | database | The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. | |
| Databucket | databucket | The databucket object is a basic container that holds data, typically organized through the use of data partitions. | |
| DCE/RPC | dce_rpc | The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments. Defined by D3FEND d3f:RemoteProcedureCall. | |
| Device | device | The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host. | |
| Device Hardware Info | device_hw_info | The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device. | |
| Digital Signature | digital_signature | The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application. | |
| Display | display | The Display object contains information about the physical or virtual display connected to a computer system. | |
| DNS Answer | dns_answer | The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation. It encapsulates the relevant details and data returned by the DNS server in response to a query. | |
| DNS Query | dns_query | The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX). Defined by D3FEND d3f:DNSLookup. | |
| Domain Information | domain_info |
The registration information pertaining to a domain.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Domain Threat Intelligence | domain_intelligence | Insights from threat intelligence platforms about domains | |
| The Email object describes the email metadata such as sender, recipients, and direction. | |||
| Email Authentication | email_auth | The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email. | |
| Endpoint | endpoint | The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints. | |
| Endpoint Connection | endpoint_connection | The Endpoint Connection object contains information detailing a connection attempt to an endpoint. | |
| Enrichment | enrichment | The Enrichment object provides inline enrichment data for specific attributes of interest within an event. It serves as a mechanism to enhance or supplement the information associated with the event by adding additional relevant details or context. | |
| EPSS | epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (EPSS). | |
| Evidence Artifacts | evidences | A collection of evidence artifacts associated to the activity/activities that triggered a security detection. | |
| Schema Extension | extension | The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file. | |
| Feature | feature | The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature. | |
| File | file | The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File. | |
| File Threat Intelligence | file_intelligence | Insights from threat intelligence platforms about files | |
| Finding | finding |
The Finding object describes metadata related to a security finding generated by a security tool or system.
Deprecated since 1.0.0: Use the new |
|
| Finding Information | finding_info | The Finding Information object describes metadata related to a security finding generated by a security tool or system. | |
| Fingerprint | fingerprint | The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data. | |
| Firewall Rule | firewall_rule | The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall. | |
| Group | group | The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization. | |
| HASSH | hassh | The HASSH object contains SSH network fingerprinting values for specific client/server implementations. It provides a standardized way of identifying and categorizing SSH connections based on their unique characteristics and behavior. | |
| HTTP Cookie | http_cookie | The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user's web browser. This data is then stored by the browser and sent back to the server with subsequent requests, allowing the server to remember and track certain information about the user's browsing session or preferences. | |
| HTTP Header | http_header | TThe HTTP Header object represents the headers sent in an HTTP request or response. HTTP headers are key-value pairs that convey additional information about the HTTP message, including details about the content, caching, authentication, encoding, and other aspects of the communication. | |
| HTTP Request | http_request | The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information. | |
| HTTP Response | http_response | The HTTP Response object contains detailed information about the response sent from a web server to the requester. It encompasses attributes and metadata that describe the response status, headers, body content, and other relevant information. | |
| Identity Provider | idp | The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services. | |
| Image | image | The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage. | |
| IP Threat Intelligence | ip_intelligence | Insights from threat intelligence platforms about IP Addresses | |
| Job | job | The Job object provides information about a scheduled job or task, including its name, command line, and state. It encompasses attributes that describe the properties and status of the scheduled job. | |
| KB Article | kb_article | The KB Article object contains metadata that describes the patch or update. | |
| Kernel Resource | kernel | The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system. Defined by D3FEND d3f:Kernel. | |
| Kernel Extension | kernel_driver | The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel. Defined by D3FEND d3f:KernelModule. | |
| Keyboard Information | keyboard_info | The Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard. | |
| Kill Chain Phase | kill_chain_phase | The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain®. | |
| LDAP Person | ldap_person | The additional LDAP attributes that describe a person. | |
| Load Balancer | load_balancer | The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network. | |
| Geo Location | location | The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation. | |
| Logger | logger | The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination. | |
| Malware | malware | The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network. | |
| Managed Entity | managed_entity | The Managed Entity object describes the type and version of an entity, such as a policy or configuration. | |
| Metadata | metadata | The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata. | |
| Metric | metric | The Metric object defines a simple name/value pair entity for a metric. | |
| Module | module | The Module object describes the load attributes of a module. | |
| Network Connection Information | network_connection_info | The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND d3f:NetworkSession. | |
| Network Endpoint | network_endpoint | The network endpoint object describes source or destination of a network connection. | |
| Network Interface | network_interface | The Network Interface object describes the type and associated attributes of a network interface. | |
| Network Proxy Endpoint | network_proxy | The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource. Defined by D3FEND d3f:ProxyServer. | |
| Network Traffic | network_traffic | The Network Traffic object describes characteristics of network traffic. Network traffic refers to data moving across a network at a given point of time. Defined by D3FEND d3f:NetworkTraffic. | |
| Object | object | An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema. | |
| Observable | observable | The observable object is a pivot element that contains related information found in many places in the event. | |
| Organization | organization | The Organization object describes characteristics of an organization or company and its division if any. | |
| Operating System (OS) | os | The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem. | |
| Software Package | package | The Software Package object describes details about a software package. Defined by D3FEND d3f:SoftwarePackage. | |
| Peripheral Device | peripheral_device | The peripheral device object describes the identity, vendor and model of a peripheral device. | |
| Policy | policy |
The policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments. |
|
| Linux Process | process | Extends the process object to add Linux specific fields | |
| Product | product | The Product object describes characteristics of a software product. | |
| Query Information | query_info | The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a query must be written using a specific syntax. | |
| Registry Key | registry_key |
The registry key object describes a Windows registry key.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Registry Value | registry_value |
The registry value object describes a Windows registry value.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Registry Key | registry_key |
The registry key object describes a Windows registry key.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Registry Value | registry_value |
The registry value object describes a Windows registry value.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Related Event | related_event | The Related Event object describes an event related to a finding or detection as identified by the security product. | |
| Related Findings | related_findings |
Related Findings object describes findings related to a finding as identified by the security product.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Remediation | remediation | The Remediation object describes the recommended remediation steps to address identified issue(s). | |
| Reputation | reputation | The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain). | |
| Request Elements | request | The Request Elements object describes characteristics of an API request. | |
| Resource | resource |
The resource object describes a managed resource.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
|
| Resource Details | resource_details | The Resource Details object describes details about resources that were affected by the activity/event. | |
| Response Elements | response | The Response Elements object describes characteristics of an API response. | |
| RPC Interface | rpc_interface | The RPC Interface represents the remote procedure call interface used in the DCE/RPC session. | |
| Rule | rule | The Rule object describes characteristics of a rule associated with a policy or an event. | |
| Subject Alternative Name | san | The Subject Alternative name (SAN) object describes a SAN secured by a digital certificate | |
| Scan | scan | The Scan object describes characteristics of a proactive scan. | |
| Security State | security_state | The Security State object describes the security related state of a managed entity. | |
| Service | service |
The Service object describes characteristics of a service, e.g. AWS EC2.
|
|
| Session | session | The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session. | |
| Sub Technique | sub_technique | The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM. | |
| Table | table | The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried. | |
| Tactic | tactic | The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM. | |
| Technique | technique | The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM. | |
| Threat Intelligence | threat_intelligence | Insights from threat intelligence platforms | |
| Transport Layer Security (TLS) | tls | The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an establish network connection. | |
| TLS Extension | tls_extension | The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object. | |
| Uniform Resource Locator | url | The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL. | |
| URL Threat Intelligence | url_intelligence | Insights from threat intelligence platforms about URLs | |
| User | user | The user object describes the identity of a user. | |
| Vulnerability Details | vulnerability | The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components. | |
| Web Resource | web_resource | The Web Resource object describes characteristics of a web resource that was affected by the activity/event. | |
| Windows Resource | win_resource | The Windows resource object describes a resource object managed by Windows, such as mutant or timer. |