
Complete listing of objects by category.

  • Account: The Account object contains details about the account that initiated or performed a specific activity within a system or application.
  • Actor: The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
  • Authentication Factor: An Authentication Factor object describes a category of methods used for identity verification in an authentication attempt.
  • Authentication Token: The Authentication Token object represents standardized authentication tokens, tickets, or assertions that conform to established authentication protocols such as Kerberos, OIDC, and SAML.
  • Authorization Result: The Authorization Result object provides details about the authorization outcome and associated policies related to activity.
  • Email Authentication: The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.
  • Group: The Group object represents a collection or association of entities, such as users, policies, or devices.
  • Identity Provider: The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications.
  • LDAP Person: The additional LDAP attributes that describe a person.
  • Organization: The Organization object describes characteristics of an organization or company and its division if any.
  • Policy: The Policy object describes the policies that are applicable.
  • Session: The Session object describes details about an authenticated session. e.g.
  • SSO: The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.
  • Threat Actor: The Threat Actor object describes the threat actor responsible for the observed malicious activity.
  • Ticket: The Ticket object represents a ticket in the customer’s IT Service Management (ITSM) systems like ServiceNow, Jira, etc.
  • Trait: Describes a characteristic or feature of an entity that was observed.
  • User: The User object describes the characteristics of a user/person or a security principal.
  • Agent: An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action.
  • Application: An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling.
  • Container: The Container object describes an instance of a specific container.
  • Device: The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
  • Device Hardware Info: The Device Hardware Information object contains details and specifications of the physical components that make up a device.
  • Display: The Display object contains information about the physical or virtual display connected to a computer system.
  • Environment Variable: An environment variable.
  • Image: The Image object provides a description of a specific Virtual Machine (VM) or Container image.
  • Kernel Resource: The Kernel Resource object provides information about a specific kernel resource, including its name and type.
  • Kernel Extension: The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.
  • Keyboard Information: The Keyboard Information object contains details and attributes related to a computer or device keyboard.
  • Module: The Module object describes the load attributes of a module.
  • Operating System (OS): The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.
  • OSINT: The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information.
  • Peripheral Device: The peripheral device object describes the identity, vendor and model of a peripheral device.
  • Process: The Process object describes a running instance of a launched program.
  • Process Entity: The Process Entity object provides critical fields for referencing a process.
  • Service: The Service object describes characteristics of a service, e.g.
  • Startup Item: The startup item object describes an application component that has associated startup criteria and configurations.
  • Autonomous System: An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
  • DNS Answer: The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation.
  • DNS Query: The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation.
  • Endpoint: The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network.
  • Endpoint Connection: The Endpoint Connection object contains information detailing a connection attempt to an endpoint.
  • Firewall Rule: The Firewall Rule object represents a specific rule within a firewall policy or event.
  • HTTP Cookie: The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user’s web browser.
  • HTTP Header: The HTTP Header object represents the headers sent in an HTTP request or response.
  • HTTP Request: The HTTP Request object represents the attributes of a request made to a web server.
  • HTTP Response: The HTTP Response object contains detailed information about the response sent from a web server to the requester.
  • Load Balancer: The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.
  • Network Connection Information: The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.
  • Network Endpoint: The Network Endpoint object describes characteristics of a network endpoint.
  • Network Interface: The Network Interface object describes the type and associated attributes of a physical or virtual network interface.
  • Network Proxy Endpoint: The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.
  • Network Traffic: The Network Traffic object describes characteristics of network traffic.
  • Transport Layer Security (TLS): The Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an established network connection.
  • TLS Extension: The TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object.
  • Affected Software Package: The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.
  • Data Classification: The Data Classification object includes information about data classification levels and data category types.
  • Data Security: The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools’ finding, alert, or detection mechanism(s).
  • Database: The Database object is used for databases, which are typically datastore services that contain an organized collection of structured, unstructured, or other types of data.
  • Databucket: The databucket object is a basic container that holds data, typically organized through the use of data partitions.
  • Digital Signature: The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.
  • Encryption Details: Details about the encryption methodology utilized.
  • File: The File object represents the metadata associated with a file stored in a computer system.
  • Fingerprint: The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content.
  • HASSH: The HASSH object contains SSH network fingerprinting values for specific client/server implementations.
  • JA4+ Fingerprint: The JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.
  • Software Package: The Software Package object describes details about a software package.
  • Software Bill of Materials: The Software Bill of Materials object describes characteristics of a generated SBOM.
  • Script: The Script object describes a script or command that can be executed by a shell, script engine, or interpreter.
  • Software Component: The Software Component object describes characteristics of a software component within a software package.
  • Analytic: The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
  • Anomaly: Describes an anomaly or deviation detected in a system.
  • Anomaly Analysis: Describes the analysis of activity patterns and anomalies of target entities to identify potential security threats, performance issues, or other deviations from established baselines.
  • Assessment: The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise.
  • MITRE ATT&CK® & ATLAS™: The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique, sub-technique and mitigation associated with an attack.
  • Baseline: Describes the baseline or expected behavior of a system, service, or component based on historical observations and measurements.
  • Campaign: The Campaign object represents organized efforts by threat actors to achieve malicious objectives over a period of time, often characterized by shared tactics, techniques, and procedures (TTPs).
  • Check: The check object defines a specific, testable compliance verification point that evaluates a target device against a standard, framework, or custom requirement.
  • CIS Benchmark: The CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the Center for Internet Security.
  • CIS Benchmark Result: The CIS Benchmark Result object contains information as defined by the Center for Internet Security (CIS) benchmark result.
  • CIS Control: The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors.
  • CIS CSC: The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC).
  • Compliance: The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements or details about custom assessments utilized in a compliance evaluation.
  • CVE: The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in the CVE Program catalog.
  • CVSS Score: The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
  • CWE: The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack.
  • MITRE D3FEND™ Tactic: The MITRE D3FEND™ Tactic object describes the tactic ID and/or name associated with an attack.
  • MITRE D3FEND™ Technique: The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated with a countermeasure.
  • MITRE D3FEND™: The MITRE D3FEND™ object describes the tactic & technique associated with a countermeasure.
  • Finding: The Finding object describes metadata related to a security finding generated by a security tool or system.
  • Finding Information: The Finding Information object describes metadata related to a security finding generated by a security tool or system.
  • Kill Chain Phase: The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker.
  • Malware: The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
  • Malware Scan Info: The Malware Scan Information object describes the characteristics and metadata of a malware scanning job.
  • MITRE Mitigation: The MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID and/or name associated with an attack.
  • Rule: The Rule object describes characteristics of a rule associated with a policy or an event.
  • Vulnerability Details: The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.
  • API: The API, or Application Programming Interface, object represents information pertaining to an API request and response.
  • Cloud: The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.
  • Job: The Job object provides information about a scheduled job or task, including its name, command line, and state.
  • Managed Entity: The Managed Entity object describes the type and version of an entity, such as a user, device, or policy.
  • Product: The Product object describes characteristics of a software product.
  • Request Elements: The Request Elements object describes characteristics of an API request.
  • Resource Details: The Resource Details object describes details about resources that were affected by the activity/event.
  • Response Elements: The Response Elements object describes characteristics of an API response.
  • Web Resource: The Web Resource object describes characteristics of a web resource that was affected by the activity/event.
  • Enrichment: The Enrichment object provides inline enrichment data for specific attributes of interest within an event.
  • Evidence Artifacts: A collection of evidence artifacts associated with the activity or activities that triggered a security detection.
  • Graph: A graph data structure representation with nodes and edges.
  • Identity Activity Metrics: The Identity Activity Metrics object captures usage patterns, authentication activity, credential usage and other metrics for identities across cloud and on-premises environments.
  • Logger: The Logger object represents the device and product where events are stored with times for receipt and transmission.
  • Metric: The Metric object defines a simple name/value pair entity for a metric.
  • Node: Represents a node or a vertex in a graph structure.
  • Observable: The observable object is a pivot element that contains related information found in many places in the event.
  • Observation: A record of an observed value or event that captures the timing and frequency of its occurrence.
  • Occurrence Details: Details about where in the target entity, specified information was discovered.
  • Query Evidence: The specific resulting evidence information that was queried or discovered.
  • Span: Represents a single unit of work or operation within a distributed trace.
  • Time Span: The Time Span object represents different time period durations.
  • Trace: The trace object contains information about a distributed trace, which is crucial for observability.
  • Transformation Info: The transformation_info object represents the mapping or transformation used.
  • Registry Key: The registry key object describes a Windows registry key.
  • Registry Value: The registry value object describes a Windows registry value.
  • Windows Resource: The Windows resource object describes a resource object managed by Windows, such as mutant or timer.
  • Windows Service: The Windows Service object describes a Windows service.
  • Access Analysis Result: The Access Analysis Result object describes access relationships and pathways between identities and resources, focusing on who can access what and through which mechanisms.
  • Additional Restriction: The Additional Restriction object describes supplementary access controls and guardrails that constrain or limit granted permissions beyond the primary policy.
  • Advisory: The Advisory object represents publicly disclosed cybersecurity vulnerabilities defined in a security advisory, e.g. Microsoft KB Article, Apple Security Ad
  • Affected Code: The Affected Code object describes details about a code block identified as vulnerable.
  • Aircraft: The Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise.
  • Analysis Target: The analysis target defines the scope of monitored activities, specifying what entity, system or process is analyzed for activity patterns.
  • Digital Certificate: The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key.
  • Classifier Details: The Classifier Details object describes details about the classifier used for data classification.
  • DCE/RPC: The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.
  • Discovery Details: The Discovery Details object describes results of a discovery task/job.
  • Domain Contact: The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.
  • Edge: Represents a connection or relationship between two nodes in a graph.
  • Email: The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.
  • EPSS: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited.
  • Schema Extension: The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event.
  • Feature: The Feature object provides information about the software product feature that generated a specific event.
  • KB Article: The KB Article object contains metadata that describes the patch or update.
  • Key:Value object: A generic object that allows a {key:value} pair to be defined.
  • Geo Location: The Geo Location object describes a geographical location, usually associated with an IP address.
  • Long String: This object is used to capture strings which may be truncated by a security product due to their length.
  • Metadata: The Metadata object describes the metadata associated with the event.
  • Object: An unordered collection of attributes.
  • Permission Analysis Result: The Permission Analysis Result object describes the analysis results for permissions and policies directly associated with an identity (user, role, or service account).
  • Port Information: The Port Information object describes a port and its associated protocol details.
  • Programmatic Credential: The Programmatic Credential object describes service-specific credentials used for direct API access and system integration.
  • Query Information: The query info object holds information related to data access within a datastore.
  • Related Event/Finding: The Related Event object describes an event or another finding related to a finding.
  • Remediation: The Remediation object describes the recommended remediation steps to address identified issue(s).
  • Reputation: The Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).
  • RPC Interface: The RPC Interface represents the remote procedure call interface used in the DCE/RPC session.
  • Subject Alternative Name: The Subject Alternative Name (SAN) object describes a SAN secured by a digital certificate.
  • Scan: The Scan object describes characteristics of a proactive scan.
  • SCIM: The System for Cross-domain Identity Management (SCIM) Configuration object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms.
  • Security State: The Security State object describes the security related state of a managed entity.
  • MITRE Sub-technique: The MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ID and/or name associated with an attack.
  • Table: The Table object represents a table within a structured relational database or datastore, which contains columns and rows of data that can be created, updated, deleted and queried.
  • MITRE Tactic: The MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name associated with an attack.
  • MITRE Technique: The MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/or name associated with an attack.
  • Unmanned Aerial System: The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID.
  • Unmanned System Operating Area: The Unmanned System Operating Area object describes details about a precise area of operations for a UAS flight or mission.
  • Uniform Resource Locator: The Uniform Resource Locator (URL) object describes the characteristics of a URL.
  • Vendor Attributes: The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider.
  • WHOIS: The resources of a WHOIS record for a given domain.