Objects

OCSF objects are the cybersecurity entities an event refers to, such as a File, a User or a Device. Each object has its own set of attributes, which Query can extract from, and set on, the federated search results it gathers from multiple disparate data sources. The Searchable column below gives the name by which each object is addressed in a search.

| Object Name | Searchable | Description |
| --- | --- | --- |
| Account | account | The Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and similar constructs. |
| Actor | actor | The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. |
| Affected Code | affected_code | The Affected Code object describes details about a code block identified as vulnerable. |
| Affected Software Package | affected_package | The Affected Package object describes details about a software package identified as affected by one or more vulnerabilities. |
| Agent | agent | An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can be an Endpoint Detection & Response (EDR) agent, a backup/disaster recovery sensor, an Application Performance Monitoring or profiling sensor, or similar software. |
| Analytic | analytic | The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion. |
| API | api | The API, or Application Programming Interface, object represents information pertaining to an API request and response. |
| MITRE ATT&CK® | attack | The MITRE ATT&CK® object describes the tactic, technique & sub-technique associated with an attack, as defined in the ATT&CK® Matrix. |
| Authentication Factor | auth_factor | An Authentication Factor object describes a category of methods used for identity verification in an authentication attempt. |
| Authorization Result | authorization | The Authorization Result object provides details about the authorization outcome and associated policies related to an activity. |
| Autonomous System | autonomous_system | An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. |
| Digital Certificate | certificate | The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity. Defined by D3FEND d3f:Certificate. |
| CIS Benchmark | cis_benchmark | The CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security. See also Getting to Know the CIS Benchmarks. |
| CIS Benchmark Result | cis_benchmark_result | The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result. CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure. |
| CIS Control | cis_control | The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The CIS Controls are defined by the Center for Internet Security. |
| CIS CSC | cis_csc | The CIS Critical Security Control (CSC) object contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC): a prioritized set of actions to protect your organization and data from cyber-attack vectors. |
| Cloud | cloud | The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc. |
| Compliance | compliance | The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements. |
| Container | container | The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd. |
| CVE | cve | The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in the CVE Program catalog. There is one CVE Record for each vulnerability in the catalog. |
| CVSS Score | cvss | The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. |
| CWE | cwe | The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog. |
| MITRE D3FEND™ Tactic | d3f_tactic | The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated with an attack, as defined by the D3FEND™ Matrix. |
| MITRE D3FEND™ Technique | d3f_technique | The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated with a countermeasure, as defined by the D3FEND™ Matrix. |
| MITRE D3FEND™ | d3fend | The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure, as defined in the D3FEND™ Matrix. |
| Data Classification | data_classification | The Data Classification object includes information about data classification levels and data category types. |
| Data Security | data_security | The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tool's finding, alert, or detection mechanism(s). |
| Database | database | The Database object is used for databases, which are typically datastore services that contain an organized collection of structured or unstructured data. |
| Databucket | databucket | The Databucket object is a basic container that holds data, typically organized through the use of data partitions. |
| DCE/RPC | dce_rpc | The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments. Defined by D3FEND d3f:RemoteProcedureCall. |
| Device | device | The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host. |
| Device Hardware Info | device_hw_info | The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device. |
| Digital Signature | digital_signature | The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application. |
| Display | display | The Display object contains information about the physical or virtual display connected to a computer system. |
| DNS Answer | dns_answer | The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation. It encapsulates the relevant details and data returned by the DNS server in response to a query. |
| DNS Query | dns_query | The DNS Query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the attributes needed to describe a DNS query, including the query type (e.g., A, AAAA, MX). Defined by D3FEND d3f:DNSLookup. |
| Domain Contact | domain_contact | The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact. |
| Domain Information | domain_info | The registration information pertaining to a domain. Deprecated since 1.1.0: deprecated in the upgrade from ocsf-0.31.1 to qdm-1.1.0. |
| Domain Threat Intelligence | domain_intelligence | Insights from threat intelligence platforms about domains. |
| Email | email | The Email object describes the email metadata such as sender, recipients, and direction. |
| Email Authentication | email_auth | The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email. |
| Endpoint | endpoint | The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices, such as cameras, lighting, refrigerators, security systems, smart speakers, and thermostats, are also endpoints. |
| Endpoint Connection | endpoint_connection | The Endpoint Connection object contains information detailing a connection attempt to an endpoint. |
| Enrichment | enrichment | The Enrichment object provides inline enrichment data for specific attributes of interest within an event. It serves as a mechanism to enhance or supplement the information associated with the event by adding additional relevant details or context. |
| EPSS | epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated probability that a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in the wild. |
| Windows Evidence Artifacts | evidences | Extends the evidences object to add Windows-specific fields. |
| Schema Extension | extension | The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file. |
| Feature | feature | The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature. |
| File | file | The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File. |
| File Threat Intelligence | file_intelligence | Insights from threat intelligence platforms about files. |
| Finding | finding | The Finding object describes metadata related to a security finding generated by a security tool or system. Deprecated since 1.0.0: use the finding_info object instead. |
| Finding Information | finding_info | The Finding Information object describes metadata related to a security finding generated by a security tool or system. |
| Fingerprint | fingerprint | The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data. |
| Firewall Rule | firewall_rule | The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall. |
| Group | group | The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization. |
| HASSH | hassh | The HASSH object contains SSH network fingerprinting values for specific client/server implementations. It provides a standardized way of identifying and categorizing SSH connections based on their unique characteristics and behavior. |
| HTTP Cookie | http_cookie | The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user's web browser. This data is then stored by the browser and sent back to the server with subsequent requests, allowing the server to remember and track certain information about the user's browsing session or preferences. |
| HTTP Header | http_header | The HTTP Header object represents the headers sent in an HTTP request or response. HTTP headers are key-value pairs that convey additional information about the HTTP message, including details about the content, caching, authentication, encoding, and other aspects of the communication. |
| HTTP Request | http_request | The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information. |
| HTTP Response | http_response | The HTTP Response object contains detailed information about the response sent from a web server to the requester. It encompasses attributes and metadata that describe the response status, headers, body content, and other relevant information. |
| Identity Provider | idp | The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services. |
| Image | image | The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage. |
| IP Threat Intelligence | ip_intelligence | Insights from threat intelligence platforms about IP addresses. |
| JA4+ Fingerprint | ja4_fingerprint | The JA4+ Fingerprint object provides detailed fingerprint information about various aspects of network traffic, in a form that is both machine and human readable. |
| Job | job | The Job object provides information about a scheduled job or task, including its name, command line, and state. It encompasses attributes that describe the properties and status of the scheduled job. |
| KB Article | kb_article | The KB Article object contains metadata that describes the patch or update. |
| Kernel Resource | kernel | The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system. Defined by D3FEND d3f:Kernel. |
| Kernel Extension | kernel_driver | The Kernel Extension object describes a kernel driver that has been loaded into or unloaded from the operating system (OS) kernel. Defined by D3FEND d3f:KernelModule. |
| Keyboard Information | keyboard_info | The Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard. |
| Kill Chain Phase | kill_chain_phase | The Kill Chain Phase object represents a single phase of a cyber attack, from the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain®. |
| LDAP Person | ldap_person | The additional LDAP attributes that describe a person. |
| Load Balancer | load_balancer | The Load Balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network. |
| Geo Location | location | The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation. |
| Logger | logger | The Logger object represents the device and product where events are stored, with times for receipt and transmission. This may be the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination. |
| Malware | malware | The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network. |
| Managed Entity | managed_entity | The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, the associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity. |
| Metadata | metadata | The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata. |
| Metric | metric | The Metric object defines a simple name/value pair entity for a metric. |
| Module | module | The Module object describes the load attributes of a module. |
| Network Connection Information | network_connection_info | The Network Connection Information object describes characteristics of a network connection. Defined by D3FEND d3f:NetworkSession. |
| Network Endpoint | network_endpoint | The Network Endpoint object describes the source or destination of a network connection. |
| Network Interface | network_interface | The Network Interface object describes the type and associated attributes of a network interface. |
| Network Proxy Endpoint | network_proxy | The Network Proxy Endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource. Defined by D3FEND d3f:ProxyServer. |
| Network Traffic | network_traffic | The Network Traffic object describes characteristics of network traffic. Network traffic refers to data moving across a network at a given point in time. Defined by D3FEND d3f:NetworkTraffic. |
| Object | object | An unordered collection of attributes. It defines a set of attributes available in all objects. It can also be used as a generic object to log objects that are not otherwise defined by the schema. |
| Observable | observable | The Observable object is a pivot element that contains related information found in many places in the event. |
| Organization | organization | The Organization object describes characteristics of an organization or company and its division, if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs. |
| Operating System (OS) | os | The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem. |
| OSINT | osint | The OSINT (Open Source Intelligence) object contains details related to an indicator, such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers. |
| Software Package | package | The Software Package object describes details about a software package. Defined by D3FEND d3f:SoftwarePackage. |
| Peripheral Device | peripheral_device | The Peripheral Device object describes the identity, vendor and model of a peripheral device. |
| Policy | policy | The Policy object describes the policies that are applicable. Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments. |
| Linux Process | process | Extends the process object to add Linux-specific fields. |
| Product | product | The Product object describes characteristics of a software product. |
| Query Information | query_info | The Query Information object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a query must be written using a specific syntax. |
| Registry Key | reg_key | The Registry Key object describes a Windows registry key. Defined by D3FEND d3f:WindowsRegistryKey. |
| Registry Value | reg_value | The Registry Value object describes a Windows registry value. |
| Related Event | related_event | The Related Event object describes an OCSF event related to a finding. |
| Related Findings | related_findings | The Related Findings object describes findings related to a finding, as identified by the security product. Deprecated since 1.1.0: deprecated in the upgrade from ocsf-0.31.1 to qdm-1.1.0. |
| Remediation | remediation | The Remediation object describes the recommended remediation steps to address identified issue(s). |
| Reputation | reputation | The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain). |
| Request Elements | request | The Request Elements object describes characteristics of an API request. |
| Resource | resource | The Resource object describes a managed resource. Deprecated since 1.1.0: deprecated in the upgrade from ocsf-0.31.1 to qdm-1.1.0. |
| Resource Details | resource_details | The Resource Details object describes details about resources that were affected by the activity/event. |
| Response Elements | response | The Response Elements object describes characteristics of an API response. |
| RPC Interface | rpc_interface | The RPC Interface object represents the remote procedure call interface used in the DCE/RPC session. |
| Rule | rule | The Rule object describes characteristics of a rule associated with a policy or an event. |
| Subject Alternative Name | san | The Subject Alternative Name (SAN) object describes a SAN secured by a digital certificate. |
| Scan | scan | The Scan object describes characteristics of a proactive scan. |
| Security State | security_state | The Security State object describes the security-related state of a managed entity. |
| Service | service | The Service object describes characteristics of a service, e.g. AWS EC2. |
| Session | session | The Session object describes details about an authenticated session, e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session. |
| MITRE ATT&CK® Sub Technique | sub_technique | The MITRE ATT&CK® Sub Technique object describes the sub-technique ID and/or name associated with an attack, as defined by the ATT&CK® Matrix. |
| Table | table | The Table object represents a table within a structured relational database or datastore, which contains columns and rows of data that can be created, updated, deleted and queried. |
| MITRE ATT&CK® Tactic | tactic | The MITRE ATT&CK® Tactic object describes the tactic ID and/or name that is associated with an attack, as defined by the ATT&CK® Matrix. |
| MITRE ATT&CK® Technique | technique | The MITRE ATT&CK® Technique object describes the technique ID and/or name associated with an attack, as defined by the ATT&CK® Matrix. |
| Threat Intelligence | threat_intelligence | Insights from threat intelligence platforms. |
| Ticket | ticket | The Ticket object represents a ticket in the customer's systems, such as Salesforce or Jira. |
| Time Span | timespan | The Time Span object represents different time period durations. If a timespan is fractional, i.e. it crosses one period (e.g. a week and 3 days), more than one member may be populated, since each member is of integral type. In that case type_id, if present, should be set to Other. |
| Transport Layer Security (TLS) | tls | The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an established network connection. |
| TLS Extension | tls_extension | The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object. |
| Unmapped | unmapped | The Unmapped object contains an unmapped datum along with a label and type. |
| Uniform Resource Locator | url | The Uniform Resource Locator (URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL. |
| URL Threat Intelligence | url_intelligence | Insights from threat intelligence platforms about URLs. |
| User | user | The User object describes the identity of a user. |
| Vulnerability Details | vulnerability | A vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring, either due to accidental exposure, deliberate attack, or conflict with new system components. |
| Web Resource | web_resource | The Web Resource object describes characteristics of a web resource that was affected by the activity/event. |
| WHOIS | whois | The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain. |
| Windows Resource | win_resource | The Windows Resource object describes a resource object managed by Windows, such as a mutant or timer. |
| Windows Service | win_service | The Windows Service object describes a Windows service. |
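The objects in the table above appear inside an event as nested attributes, addressed by dotted paths built from their searchable names (actor.user.name, src_endpoint.ip, and so on), and the observable object is the pivot that names such a path together with its value. The following Python is an added illustration of that model; it is not code from the Query docs or from the OCSF project. The event is constructed for the example, and the helper names get_path, embedded_objects and check_observables are this example's own. check_observables does the sanity check a practitioner wants before pivoting on an observable: that each observable's value actually matches the attribute its name points at.

```python
"""Resolve OCSF object attributes inside an event by dotted path.

Added example, not code from the Query docs or the OCSF project. The
event below is constructed for illustration; the helper names are this
example's own.
"""
from typing import Any

# Constructed sample: an OCSF Authentication event (class_uid 3002) for a
# failed logon. The nested dicts are instances of objects from the table:
# metadata (embedding product), actor (embedding user), device (embedding
# os), src_endpoint, and a list of observable pivots.
SAMPLE_EVENT: dict[str, Any] = {
    "class_uid": 3002,
    "category_uid": 3,
    "activity_id": 1,
    "status_id": 2,
    "time": 1700000000000,
    "metadata": {
        "version": "1.1.0",
        "product": {"name": "ExampleIdP", "vendor_name": "Example Corp"},
    },
    "actor": {
        "user": {"name": "alice", "email_addr": "alice@example.com"},
    },
    "device": {"hostname": "wkstn-17", "os": {"name": "Windows"}},
    "src_endpoint": {"ip": "203.0.113.7", "port": 51234},
    "observables": [
        {"name": "actor.user.name", "type_id": 4, "value": "alice"},
        {"name": "src_endpoint.ip", "type_id": 2, "value": "203.0.113.7"},
    ],
}


def get_path(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path such as 'actor.user.name'.

    Dict segments are looked up by key; a numeric segment indexes a list
    (so 'observables.1.value' reaches the second observable). Any missing
    segment yields None rather than an exception, so callers can probe
    optional attributes without guarding every level.
    """
    node: Any = event
    for segment in path.split("."):
        if isinstance(node, dict):
            node = node.get(segment)
        elif isinstance(node, list) and segment.isdigit() and int(segment) < len(node):
            node = node[int(segment)]
        else:
            return None
        if node is None:
            return None
    return node


def embedded_objects(event: dict[str, Any], prefix: str = "") -> dict[str, dict[str, Any]]:
    """Map every nested object in the event to its dotted path.

    Objects are the dict-valued attributes (actor, actor.user,
    metadata.product, ...); elements of a list of objects are addressed
    by index (observables.0).
    """
    found: dict[str, dict[str, Any]] = {}
    for key, value in event.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            found[path] = value
            found.update(embedded_objects(value, path + "."))
        elif isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    found[f"{path}.{i}"] = item
                    found.update(embedded_objects(item, f"{path}.{i}."))
    return found


def check_observables(event: dict[str, Any]) -> list[str]:
    """Return the names of observables that disagree with the event.

    An observable's 'name' is the dotted path of the attribute it pivots
    on and its 'value' is a copy of that attribute; the two must agree,
    otherwise a search keyed on the observable lands on the wrong entity.
    """
    mismatches: list[str] = []
    for obs in event.get("observables", []):
        name = obs.get("name")
        if name is not None and get_path(event, name) != obs.get("value"):
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    for path in ("actor.user.name", "device.hostname", "src_endpoint.ip", "actor.user.uid"):
        print(f"{path} = {get_path(SAMPLE_EVENT, path)!r}")
    print("objects:", sorted(embedded_objects(SAMPLE_EVENT)))
    print("observable mismatches:", check_observables(SAMPLE_EVENT))
```

Running the block lists nine embedded objects for the sample (metadata, metadata.product, actor, actor.user, device, device.os, src_endpoint, observables.0, observables.1), resolves the probed paths, and reports no observable mismatches; an event whose actor.user.name had been rewritten after the observables were emitted would be flagged.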