A collection of evidence artifacts associated to the activity/activities that triggered a security detection.

actor

  • Type: actor
  • Requirement: recommended

Describes details about the user/role/process that was the source of the activity that triggered the detection.

api

  • Type: api
  • Requirement: recommended

Describes details about the API call associated to the activity that triggered the detection.

connection_info

Describes details about the network connection associated to the activity that triggered the detection.

container

Describes details about the container associated to the activity that triggered the detection.

database

  • Type: database
  • Requirement: recommended

Describes details about the database associated to the activity that triggered the detection.

databucket

Describes details about the databucket associated to the activity that triggered the detection.

device

  • Type: device
  • Requirement: recommended

An addressable device, computer system or host associated to the activity that triggered the detection.

dst_endpoint

Describes details about the destination of the network activity that triggered the detection.

email

  • Type: email
  • Requirement: recommended

The email object associated to the activity that triggered the detection.

file

  • Type: file
  • Requirement: recommended

Describes details about the file associated to the activity that triggered the detection.

http_request

Describes details about the HTTP request associated to the activity that triggered the detection.

http_response

Describes details about the HTTP response associated to the activity that triggered the detection.

ja4_fingerprint_list

Describes details about the JA4+ fingerprints that triggered the detection.

job

  • Type: job
  • Requirement: recommended

Describes details about the scheduled job that was associated with the activity that triggered the detection.

process

  • Type: process
  • Requirement: recommended

Describes details about the process associated to the activity that triggered the detection.

query

Describes details about the DNS query associated to the activity that triggered the detection.

reg_key (win)

Describes details about the registry key that triggered the detection.

reg_value (win)

Describes details about the registry value that triggered the detection.

script

  • Type: script
  • Requirement: recommended

Describes details about the script that was associated with the activity that triggered the detection.

src_endpoint

Describes details about the source of the network activity that triggered the detection.

tls

  • Type: tls
  • Requirement: recommended

Describes details about the Transport Layer Security (TLS) activity that triggered the detection.

url

  • Type: url
  • Requirement: recommended

The URL object that pertains to the event or object associated to the activity that triggered the detection.

user

  • Type: user
  • Requirement: recommended

Describes details about the user that was the target of, or otherwise associated with, the activity that triggered the detection.

win_service (win)

Describes details about the Windows service that triggered the detection.

data

  • Type: json_t
  • Requirement: optional

Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.

At least one of: actor, api, connection_info, data, database, databucket, device, dst_endpoint, email, file, process, query, src_endpoint, url, user, job, script, reg_key, reg_value, win_service
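As an added example (not OCSF's own schema tooling), the checker below applies the attribute list and the "at least one of" constraint stated on this page to a candidate evidences object. The sample objects are constructed, and treating ja4_fingerprint_list as an array is an assumption drawn from its plural name.

```python
"""Check an OCSF ``evidences`` object against the constraint on this page.

Added example, not part of the OCSF project. Attribute names and the
"at least one of" list are copied from the page; sample inputs are constructed.
"""
from typing import Any

# Attributes that satisfy the page's "At least one of" constraint.
AT_LEAST_ONE_OF = {
    "actor", "api", "connection_info", "data", "database", "databucket",
    "device", "dst_endpoint", "email", "file", "process", "query",
    "src_endpoint", "url", "user", "job", "script", "reg_key", "reg_value",
    "win_service",
}
# Remaining attributes described on the page; allowed, but they alone do not
# satisfy the constraint.
OTHER_ATTRS = {"container", "http_request", "http_response",
               "ja4_fingerprint_list", "tls"}
KNOWN_ATTRS = AT_LEAST_ONE_OF | OTHER_ATTRS


def validate_evidence(evidence: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the object is acceptable."""
    problems: list[str] = []
    present = {k for k, v in evidence.items() if v is not None}
    unknown = present - KNOWN_ATTRS
    if unknown:
        problems.append(f"unknown evidence attributes: {sorted(unknown)}")
    if not present & AT_LEAST_ONE_OF:
        problems.append("constraint violated: none of the 'at least one of' attributes is present")
    for name in sorted(present & KNOWN_ATTRS):
        value = evidence[name]
        if name == "data":
            continue  # json_t: any JSON value is permitted here
        # Assumption: ja4_fingerprint_list is an array; every other attribute is an object.
        expected = list if name == "ja4_fingerprint_list" else dict
        if not isinstance(value, expected):
            problems.append(f"{name} must be {expected.__name__}, got {type(value).__name__}")
    return problems


# Constructed sample evidences objects (not taken from the page).
PROCESS_EVIDENCE = {"process": {"name": "example.exe", "pid": 4242},
                    "actor": {"user": {"name": "alice"}}}
CONTAINER_ONLY = {"container": {"name": "web"}}  # container does not satisfy the constraint
BAD_FILE = {"file": "not-an-object"}

if __name__ == "__main__":
    for sample in (PROCESS_EVIDENCE, CONTAINER_ONLY, BAD_FILE):
        print(validate_evidence(sample) or "ok")
```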