Complete listing of objects by category.

  • Account: The Account object contains details about the account that initiated or performed a specific activity within a system or application.
  • Actor: The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
  • Authentication Factor: An Authentication Factor object describes a category of methods used for identity verification in an authentication attempt.
  • Authorization Result: The Authorization Result object provides details about the authorization outcome and associated policies related to activity.
  • Email Authentication: The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.
  • Group: The Group object represents a collection or association of entities, such as users, policies, or devices.
  • Identity Provider: The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications.
  • LDAP Person: The additional LDAP attributes that describe a person.
  • Organization: The Organization object describes characteristics of an organization or company and its division if any.
  • Policy: The Policy object describes the policies that are applicable.
  • Session: The Session object describes details about an authenticated session. e.g.
  • Ticket: The Ticket object represents a ticket in the customer’s systems, such as Salesforce or Jira.
  • User: The User object describes the characteristics of a user/person or a security principal.
  • Agent: An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action.
  • Container: The Container object describes an instance of a specific container.
  • Device: The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
  • Device Hardware Info: The Device Hardware Information object contains details and specifications of the physical components that make up a device.
  • Display: The Display object contains information about the physical or virtual display connected to a computer system.
  • Image: The Image object provides a description of a specific Virtual Machine (VM) or Container image.
  • Kernel Resource: The Kernel Resource object provides information about a specific kernel resource, including its name and type.
  • Kernel Extension: The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.
  • Keyboard Information: The Keyboard Information object contains details and attributes related to a computer or device keyboard.
  • Module: The Module object describes the load attributes of a module.
  • Operating System (OS): The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.
  • OSINT: The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information.
  • Peripheral Device: The peripheral device object describes the identity, vendor and model of a peripheral device.
  • Process: The Process object describes a running instance of a launched program.
  • Service: The Service object describes characteristics of a service, e.g.
  • Autonomous System: An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
  • DNS Answer: The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation.
  • DNS Query: The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation.
  • Endpoint: The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network.
  • Endpoint Connection: The Endpoint Connection object contains information detailing a connection attempt to an endpoint.
  • Firewall Rule: The Firewall Rule object represents a specific rule within a firewall policy or event.
  • HTTP Cookie: The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user’s web browser.
  • HTTP Header: The HTTP Header object represents the headers sent in an HTTP request or response.
  • HTTP Request: The HTTP Request object represents the attributes of a request made to a web server.
  • HTTP Response: The HTTP Response object contains detailed information about the response sent from a web server to the requester.
  • Load Balancer: The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.
  • Network Connection Information: The Network Connection Information object describes characteristics of a network connection.
  • Network Endpoint: The Network Endpoint object describes characteristics of a network endpoint.
  • Network Interface: The Network Interface object describes the type and associated attributes of a network interface.
  • Network Proxy Endpoint: The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.
  • Network Traffic: The Network Traffic object describes characteristics of network traffic.
  • Transport Layer Security (TLS): The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an established network connection.
  • TLS Extension: The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object.
  • Affected Software Package: The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.
  • Data Classification: The Data Classification object includes information about data classification levels and data category types.
  • Data Security: The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools’ finding, alert, or detection mechanism(s).
  • Database: The Database object is used for databases, which are typically datastore services that contain an organized collection of structured and unstructured data, or of several types of data.
  • Databucket: The databucket object is a basic container that holds data, typically organized through the use of data partitions.
  • Digital Signature: The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.
  • File: The File object represents the metadata associated with a file stored in a computer system.
  • Fingerprint: The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content.
  • HASSH: The HASSH object contains SSH network fingerprinting values for specific client/server implementations.
  • JA4+ Fingerprint: The JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.
  • Software Package: The Software Package object describes details about a software package.
  • Analytic: The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
  • MITRE ATT&CK®: The MITRE ATT&CK® object describes the tactic, technique and sub-technique associated with an attack, as defined in the ATT&CK® Matrix.
  • CIS Benchmark: The CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security.
  • CIS Benchmark Result: The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result.
  • CIS Control: The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors.
  • CIS CSC: The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC).
  • Compliance: The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements.
  • CVE: The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in CVE Program catalog (CVE).
  • CVSS Score: The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
  • CWE: The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack.
  • MITRE D3FEND™ Tactic: The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated with an attack, as defined by the D3FEND™ Matrix.
  • MITRE D3FEND™ Technique: The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated with a countermeasure, as defined by the D3FEND™ Matrix.
  • MITRE D3FEND™: The MITRE D3FEND™ object describes the tactic, technique and sub-technique associated with a countermeasure, as defined in the D3FEND™ Matrix.
  • Finding: The Finding object describes metadata related to a security finding generated by a security tool or system.
  • Finding Information: The Finding Information object describes metadata related to a security finding generated by a security tool or system.
  • Kill Chain Phase: The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker.
  • Malware: The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
  • Rule: The Rule object describes characteristics of a rule associated with a policy or an event.
  • Vulnerability Details: The Vulnerability Details object describes a vulnerability: an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring, whether through accidental exposure, deliberate attack, or conflict with new system components.
  • API: The API (Application Programming Interface) object represents information pertaining to an API request and response.
  • Cloud: The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
  • Job: The Job object provides information about a scheduled job or task, including its name, command line, and state.
  • Managed Entity: The Managed Entity object describes the type and version of an entity, such as a user, device, or policy.
  • Product: The Product object describes characteristics of a software product.
  • Request Elements: The Request Elements object describes characteristics of an API request.
  • Resource Details: The Resource Details object describes details about resources that were affected by the activity/event.
  • Response Elements: The Response Elements object describes characteristics of an API response.
  • Web Resource: The Web Resource object describes characteristics of a web resource that was affected by the activity/event.
  • Enrichment: The Enrichment object provides inline enrichment data for specific attributes of interest within an event.
  • Evidence Artifacts: A collection of evidence artifacts associated to the activity/activities that triggered a security detection.
  • Logger: The Logger object represents the device and product where events are stored with times for receipt and transmission.
  • Metric: The Metric object defines a simple name/value pair entity for a metric.
  • Observable: The observable object is a pivot element that contains related information found in many places in the event.
  • Time Span: The Time Span object represents different time period durations.
  • Registry Key: The registry key object describes a Windows registry key.
  • Registry Value: The registry value object describes a Windows registry value.
  • Windows Resource: The Windows resource object describes a resource object managed by Windows, such as mutant or timer.
  • Windows Service: The Windows Service object describes a Windows service.
  • Affected Code: The Affected Code object describes details about a code block identified as vulnerable.
  • Digital Certificate: The Digital Certificate object, also known as a Public Key Certificate, contains information about the ownership and usage of a public key.
  • DCE/RPC: The DCE/RPC (Distributed Computing Environment/Remote Procedure Call) object describes the remote procedure call system for distributed computing environments.
  • Domain Contact: The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.
  • Email: The Email object describes the email metadata such as sender, recipients, and direction.
  • EPSS: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited.
  • Schema Extension: The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event.
  • Feature: The Feature object provides information about the software product feature that generated a specific event.
  • KB Article: The KB Article object contains metadata that describes the patch or update.
  • Geo Location: The Geo Location object describes a geographical location, usually associated with an IP address.
  • Metadata: The Metadata object describes the metadata associated with the event.
  • Object: An unordered collection of attributes.
  • Query Information: The query info object holds information related to data access within a datastore.
  • Related Event: The Related Event object describes an OCSF event related to a finding.
  • Remediation: The Remediation object describes the recommended remediation steps to address identified issue(s).
  • Reputation: The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).
  • RPC Interface: The RPC Interface represents the remote procedure call interface used in the DCE/RPC session.
  • Subject Alternative Name: The Subject Alternative Name (SAN) object describes a SAN secured by a digital certificate.
  • Scan: The Scan object describes characteristics of a proactive scan.
  • Security State: The Security State object describes the security related state of a managed entity.
  • MITRE ATT&CK® Sub Technique: The MITRE ATT&CK® Sub Technique object describes the sub-technique ID and/or name associated with an attack, as defined by the ATT&CK® Matrix.
  • Table: The Table object represents a table within a structured relational database or datastore, which contains columns and rows of data that can be created, updated, deleted, and queried.
  • MITRE ATT&CK® Tactic: The MITRE ATT&CK® Tactic object describes the tactic ID and/or name associated with an attack, as defined by the ATT&CK® Matrix.
  • MITRE ATT&CK® Technique: The MITRE ATT&CK® Technique object describes the technique ID and/or name associated with an attack, as defined by the ATT&CK® Matrix.
  • Uniform Resource Locator: The Uniform Resource Locator (URL) object describes the characteristics of a URL.
  • WHOIS: The resources of a WHOIS record for a given domain.