A collection of evidence artifacts associated to the activity/activities that triggered a security detection.
Attributes
Section titled “Attributes”actor
- Type:
actor - Requirement: recommended
Describes details about the user/role/process that was the source of the activity that triggered the detection.
api
- Type:
api - Requirement: recommended
Describes details about the API call associated to the activity that triggered the detection.
connection_info
- Type:
network_connection_info - Requirement: recommended
Describes details about the network connection associated to the activity that triggered the detection.
dst_endpoint
- Type:
network_endpoint - Requirement: recommended
Describes details about the destination of the network activity that triggered the detection.
file
- Type:
file - Requirement: recommended
Describes details about the file associated to the activity that triggered the detection.
process
- Type:
process - Requirement: recommended
Describes details about the process associated to the activity that triggered the detection.
query
- Type:
dns_query - Requirement: recommended
Describes details about the DNS query associated to the activity that triggered the detection.
src_endpoint
- Type:
network_endpoint - Requirement: recommended
Describes details about the source of the network activity that triggered the detection.
data
- Type:
json_t - Requirement: optional
Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.
Constraints
Section titled “Constraints”At least one of: actor, api, connection_info, data, dst_endpoint, file, process, query, src_endpoint