Skip to content

Objects

Complete listing of objects by category.

Identity & Access (10 objects)

Section titled “Identity & Access (10 objects)”
  • Account: The Account object contains details about the account that initiated or performed a specific activity within a system or application.
  • Actor: The Actor object contains details about the user, role, or process that initiated or performed a specific activity.
  • Authorization Result: The Authorization Result object provides details about the authorization outcome and associated policies related to activity.
  • Email Authentication: The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.
  • Group: The Group object represents a collection or association of entities, such as users, policies, or devices.
  • Identity Provider: The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications.
  • Organization: The Organization object describes characteristics of an organization or company and its division if any.
  • Policy: The Policy object describes the policies that are applicable.
  • Session: The Session object describes details about an authenticated session. e.g.
  • User: The User object describes the characteristics of a user/person or a security principal.

Process & System (12 objects)

Section titled “Process & System (12 objects)”
  • Container: The Container object describes an instance of a specific container.
  • Device: The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
  • Device Hardware Info: The Device Hardware Information object contains details and specifications of the physical components that make up a device.
  • Display: The Display object contains information about the physical or virtual display connected to a computer system.
  • Image: The Image object provides a description of a specific Virtual Machine (VM) or Container image.
  • Kernel Resource: The Kernel Resource object provides information about a specific kernel resource, including its name and type.
  • Kernel Extension: The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.
  • Keyboard Information: The Keyboard Information object contains details and attributes related to a computer or device keyboard.
  • Module: The Module object describes the load attributes of a module.
  • Operating System (OS): The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.
  • Process: The Process object describes a running instance of a launched program.
  • Service: The Service object describes characteristics of a service, ` e.g.

Network (14 objects)

Section titled “Network (14 objects)”
  • DNS Answer: The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation.
  • DNS Query: The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation.
  • Endpoint: The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network.
  • HTTP Cookie: The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user’s web browser.
  • HTTP Header: TThe HTTP Header object represents the headers sent in an HTTP request or response.
  • HTTP Request: The HTTP Request object represents the attributes of a request made to a web server.
  • HTTP Response: The HTTP Response object contains detailed information about the response sent from a web server to the requester.
  • Network Connection Information: The Network Connection Information object describes characteristics of a network connection.
  • Network Endpoint: The Network Endpoint object describes characteristics of a network endpoint.
  • Network Interface: The Network Interface object describes the type and associated attributes of a network interface.
  • Network Proxy Endpoint: The Network Proxy Endpoint describes characteristics of a network proxy.
  • Network Traffic: The Network Traffic object describes characteristics of network traffic.
  • Transport Layer Security (TLS): The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an establish network connection.
  • TLS Extension: The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object.

File & Data (5 objects)

Section titled “File & Data (5 objects)”
  • Digital Signature: The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.
  • File: The File object represents the metadata associated with a file stored in a computer system.
  • Fingerprint: The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content.
  • HASSH: The HASSH (Honeypot Attention-Grabbing SSH) object contains SSH network fingerprinting values for specific client/server implementations.
  • Software Package: The Software Package object describes details about a software package.

Security & Compliance (12 objects)

Section titled “Security & Compliance (12 objects)”
  • Analytic: The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
  • Attack: The Attack object describes the technique and associated tactics related to an attack.
  • CIS Benchmark Result: The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result.
  • CIS Control: The CIS Control contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC).
  • Compliance: The Compliance object contains information about compliance requirements related of a finding generated by security tool.
  • CVE: The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in CVE Program catalog (CVE).
  • CVSS Score: The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
  • Finding: The Finding object contains details related to a security finding generated by a security tool or system.
  • Kill Chain: The Kill Chain object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker.
  • Malware: The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
  • Rule: The Rule object describes characteristics of a rule associated with a policy or an event.
  • Vulnerability Details: The Vulnerability Details object describes characteristics of an observed vulnerability.

Cloud & Infrastructure (9 objects)

Section titled “Cloud & Infrastructure (9 objects)”
  • API: The API, or Application Programming Interface, object represents information pertaining to an API request and response.
  • Cloud: The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
  • Job: The Job object provides information about a scheduled job or task, including its name, command line, and state.
  • Managed Entity: The Managed Entity object describes the type and version of an entity, such as a policy or configuration.
  • Product: The Product object describes characteristics of a software product.
  • Request Elements: The Request Elements object describes characteristics of an API request.
  • Resource Details: The Resource Details object describes details about resources that were affected by the activity/event.
  • Response Elements: The Response Elements object describes characteristics of an API response.
  • Web Resource: The Web Resource object describes characteristics of a web resource that was affected by the activity/event.

Observability (3 objects)

Section titled “Observability (3 objects)”
  • Enrichment: The Enrichment object provides inline enrichment data for specific attributes of interest within an event.
  • Metric: The Metric object defines a simple name/value pair entity for a metric.
  • Observable: The observable object is a pivot element that contains related information found in many places in the event.

Windows (3 objects)

Section titled “Windows (3 objects)”
  • Registry Key: The registry key object describes a Windows registry key.
  • Registry Value: The registry value object describes a Windows registry value.
  • Windows Resource: The Windows resource object describes a resource object managed by Windows, such as mutant or timer.

Other (16 objects)

Section titled “Other (16 objects)”
  • Digital Certificate: The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key.
  • DCE/RPC: The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.
  • Email: The Email object describes the email metadata such as sender, recipients, and direction.
  • Schema Extension: The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event.
  • Feature: The Feature object provides information about the software product feature that generated a specific event.
  • Geo Location: The Geo Location object describes a geographical location, usually associated with an IP address.
  • Metadata: The Metadata object describes the metadata associated with the event.
  • Object: An unordered collection of attributes.
  • Related Event: The Related Event object describes an event related to a finding or detection as identified by the security product.
  • Remediation: The Remediation object describes details about recommended remediation strategies.
  • Reputation: The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).
  • RPC Interface: The RPC Interface represents the remote procedure call interface used in the DCE/RPC session.
  • Subject Alternative Name: The Subject Alternative name (SAN) object describes a SAN secured by a digital certificate
  • Tactic: The Tactic object describes the tactic IDs and/or name that are associated with the attack technique, as defined by ATT&CK MatrixTM.
  • Technique: The Technique object describes the technique related to an attack, as defined by ATT&CK MatrixTM.
  • Uniform Resource Locator: The Uniform Resource Locator(URL) object describes the characteristics of a URL.