Entities

Entities are shortcuts to commonly searched fields. They are based on OCSF observables: an entity stands for every field in the schema that carries a given kind of value, such as an IP address, hostname, or email address, so one entity name covers all of those fields at once instead of naming each field path separately.

Below is a list of all entities available to FSQL. The "Observable by" column records how OCSF marks the underlying field as an observable: by dictionary type (every field of that type, such as `ip_t`), by dictionary attribute (one named attribute wherever it appears), or as an object-specific attribute (one attribute of one object). Entities with more than one FSQL name are aliases; either name can be used.

| Entity | FSQL name(s) | Observable by | Description |
|---|---|---|---|
| Account Object: name | `account_object_name` | Object-Specific Attribute | Object-specific attribute "name" for the Account Object. |
| Account Object: uid | `account_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the Account Object. |
| Advisory Object: uid | `advisory_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the Advisory Object. |
| Command Line | `command_line` | Dictionary Attribute | The full command line used to launch an application, service, process, or job. For example: `ssh user@10.0.0.10`. If the command line is unavailable or missing, the empty string `''` is to be used. |
| Country | `country` | Dictionary Attribute | The ISO 3166-1 alpha-2 country code. Note: the two-letter code should be capitalized, for example `US` or `CA`. |
| CVE Object: uid | `cve_object_uid`, `cve` | Object-Specific Attribute | Object-specific attribute "uid" for the CVE Object. |
| CWE Object: uid | `cwe_object_uid`, `cwe` | Object-Specific Attribute | Object-specific attribute "uid" for the CWE Object. |
| Device Object: uid | `device_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the Device Object. |
| Email Address | `email_address`, `email` | Dictionary Type | Email address. For example: `john_doe@example.com`. |
| Email Object: subject | `email_object_subject` | Object-Specific Attribute | Object-specific attribute "subject" for the Email Object. |
| Email Object: uid | `email_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the Email Object. |
| File Name | `file_name` | Dictionary Type | File name. For example: `text-file.txt`. |
| File Path | `file_path` | Dictionary Type | The full path to the file. For example: `c:\windows\system32\svchost.exe`. |
| Group Object: name | `group_object_name` | Object-Specific Attribute | Object-specific attribute "name" for the Group Object. |
| Group Object: uid | `group_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the Group Object. |
| Hash | `hash`, `file_hash` | Dictionary Type | A unique value that corresponds to the content of the file, image, `ja3_hash`, or `hassh` found in the schema. For example, MD5: `3172ac7e2b55cbb81f04a6e65855a628`. |
| Hostname | `hostname` | Dictionary Type | Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example: `r2-d2.example.com.`, `mx.example.com`. |
| HTTP User-Agent | `http_user_agent`, `user_agent` | Dictionary Attribute | The request header that identifies the operating system and web browser. |
| IP Address | `ip_address`, `ip` | Dictionary Type | Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example: `192.168.200.24`, `2001:0db8:85a3:0000:0000:8a2e:0370:7334`. |
| Linux Process Object: uid | `linux_process_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the Linux Process Object. |
| MAC Address | `mac_address`, `mac` | Dictionary Type | Media Access Control (MAC) address. For example: `18:36:F3:98:4F:9A`. |
| Message UID | `message_uid` | Dictionary Attribute | The email header Message-ID value, as defined by RFC 5322. |
| Other | `other` | | The observable data type is not mapped. See the `type` attribute, which may contain a data-source-specific value. |
| Port | `port` | Dictionary Type | The TCP/UDP port number. For example: `80`, `22`. |
| Process ID | `process_id`, `pid` | Dictionary Attribute | The process identifier, as reported by the operating system. A process ID (PID) is a number the operating system uses to uniquely identify an active process. |
| Process Name | `process_name` | Dictionary Type | Process name. For example: `Notepad`. |
| Registry Key Path | `registry_key_path` | Dictionary Type | Full path of a registry key. |
| Registry Value Object: name | `registry_value_object_name` | Object-Specific Attribute | Object-specific attribute "name" for the Registry Value Object. |
| Resource Details Object: name | `resource_details_object_name` | Object-Specific Attribute | Object-specific attribute "name" for the Resource Details Object. |
| Resource UID | `resource_uid`, `resource_id` | Dictionary Type | Resource unique identifier. For example, an S3 bucket name or an EC2 instance ID. |
| Script Content | `script_content` | Dictionary Attribute | The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts; when consuming it, large scripts should be anticipated. |
| Serial Number | `serial_number` | Dictionary Attribute | The serial number that pertains to the object. See specific usage. |
| Subnet | `subnet` | Dictionary Type | The subnet in CIDR notation, `network_address/prefix_length`. The network address can be IPv4 or IPv6. The prefix length is the number of bits used for the network portion; the remaining bits are available for host addresses within that subnet. For example: `192.168.1.0/24`, `2001:0db8:85a3:0000::/64`. |
| Unknown | `unknown` | | Unknown observable data type. |
| URL String | `url_string`, `url` | Dictionary Type | Uniform Resource Locator (URL) string. For example: `http://www.example.com/download/trouble.exe`. |
| User Credential ID | `user_credential_id` | Dictionary Attribute | The unique identifier of the user's credential. For example, an AWS Access Key ID. |
| User Name | `user_name`, `username` | Dictionary Type | User name. For example: `john_doe`. |
| User Object: uid | `user_object_uid` | Object-Specific Attribute | Object-specific attribute "uid" for the User Object. |
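The mechanics behind an entity, as an added illustration that is not FSQL's own implementation or any code from this page: OCSF events carry an `observables` array whose items record the attribute path that held a value (`name`), the observable type name (`type`) and the value itself, so resolving an entity such as `ip` amounts to collecting every observable of that type regardless of which field it came from. The event below is constructed sample data (attribute paths are assumptions), the alias table is a subset copied from the table above, and the type-aware comparison rules (IP against a CIDR block, case-insensitive hash hex, uppercased country code, trailing-dot-tolerant hostname) are this example's own choices, not a documented FSQL guarantee.

```python
"""Resolve FSQL-style entity shortcuts against an OCSF event's observables.

Added illustration, not FSQL's implementation. OCSF events carry an
`observables` array whose items have `name` (the attribute path that held the
value), `type` (the observable type name) and `value`. An entity such as `ip`
stands for every such field of one type, so resolving it means collecting the
observables of that type, whatever attribute path they came from.
"""
import ipaddress

# Entity display name -> FSQL name(s), copied from the table on this page
# (a subset; the remaining rows are added the same way).
ENTITY_ALIASES = {
    "IP Address": ("ip_address", "ip"),
    "Hostname": ("hostname",),
    "User Name": ("user_name", "username"),
    "Email Address": ("email_address", "email"),
    "Hash": ("hash", "file_hash"),
    "Country": ("country",),
    "Command Line": ("command_line",),
}
# Any FSQL alias -> canonical entity name.
ALIAS_TO_ENTITY = {
    alias: entity for entity, aliases in ENTITY_ALIASES.items() for alias in aliases
}

# Constructed sample event in OCSF shape; the values are the examples from the
# table above and the attribute paths are assumptions for illustration.
SAMPLE_EVENT = {
    "observables": [
        {"name": "src_endpoint.ip", "type": "IP Address", "value": "192.168.200.24"},
        {"name": "dst_endpoint.ip", "type": "IP Address",
         "value": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"},
        {"name": "src_endpoint.hostname", "type": "Hostname", "value": "r2-d2.example.com."},
        {"name": "actor.user.name", "type": "User Name", "value": "john_doe"},
        {"name": "actor.user.email_addr", "type": "Email Address",
         "value": "john_doe@example.com"},
        {"name": "actor.process.file.hashes.value", "type": "Hash",
         "value": "3172AC7E2B55CBB81F04A6E65855A628"},
        {"name": "src_endpoint.location.country", "type": "Country", "value": "us"},
    ]
}


def entity_values(event, fsql_name):
    """Every (attribute path, value) pair the entity `fsql_name` covers in `event`."""
    entity = ALIAS_TO_ENTITY.get(fsql_name)
    if entity is None:
        raise KeyError(f"unknown entity: {fsql_name}")
    return [(o["name"], o["value"])
            for o in event.get("observables", []) if o.get("type") == entity]


def _ip_match(observed, wanted):
    # Match an IP entity against a literal address or a CIDR block. Both sides
    # are parsed first, so "2001:0db8::1" and "2001:db8::1" compare equal and an
    # IPv6 observable never matches an IPv4 block.
    try:
        addr = ipaddress.ip_address(observed)
        if "/" in wanted:
            return addr in ipaddress.ip_network(wanted, strict=False)
        return addr == ipaddress.ip_address(wanted)
    except ValueError:  # malformed address or CIDR on either side: no match
        return False


def _matches(entity, observed, wanted):
    # Comparison rules per entity. These are this example's choices, not a
    # documented FSQL guarantee; the table above only fixes the value formats.
    if entity == "IP Address":
        return _ip_match(observed, wanted)
    if entity == "Hash":      # hex digests: letter case carries no meaning
        return observed.lower() == wanted.lower()
    if entity == "Country":   # codes should be capitalized; tolerate sources that are not
        return observed.upper() == wanted.upper()
    if entity == "Hostname":  # DNS names are case-insensitive; ignore an FQDN's trailing dot
        return observed.rstrip(".").lower() == wanted.rstrip(".").lower()
    return observed == wanted  # command lines, user names, emails, ...: exact match


def match_entity(event, fsql_name, wanted):
    """Attribute paths in `event` where entity `fsql_name` equals `wanted`."""
    entity = ALIAS_TO_ENTITY[fsql_name]
    return [path for path, value in entity_values(event, fsql_name)
            if _matches(entity, value, wanted)]


if __name__ == "__main__":
    print(match_entity(SAMPLE_EVENT, "ip", "192.168.0.0/16"))  # ['src_endpoint.ip']
    print(entity_values(SAMPLE_EVENT, "username"))  # [('actor.user.name', 'john_doe')]
```

The point to take from the example is that `entity_values` never names a field path: `ip` finds `src_endpoint.ip` and `dst_endpoint.ip` alike, which is exactly the shortcut the table describes. The normalization in `_matches` is where a real implementation earns its keep; without it, a hash stored upper-case or a country stored as `us` silently fails to match the capitalized form the table calls for.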