Assessment

assessment

The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera, or capture details of Microsoft Intune configuration policies.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Category | category | String | The category that the assessment is part of. For example: Prevention or Windows 10. |
| Description | desc | String | The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting. |
| Meets Criteria | meets_criteria | Boolean | Determines whether the assessment against the specific configuration or signal meets the assessment's criteria. For example, if the assessment checks if a Datastore is encrypted or not, having encryption would be evaluated as true. |
| Name | name | String | The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState. |
| Assessment Policy | policy | Policy[] | The details of any policy associated with an assessment. |
| Raw Data | raw_data | JSON | Group: context. The event data as received from the event source. |
| Record ID | record_id | String | Group: primary. Unique identifier for the object. |
| Unique ID | uid | String | The unique identifier of the configuration or signal being assessed. For example: the signal_id. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
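The following is an added example, not part of the schema documentation or of any vendor's code: it maps a constructed source record onto the Assessment attributes listed above, keeps unrecognized fields in unmapped, and flags values whose type does not match the table. The source field names, the sample record, and the one-key-dict shape used for each unmapped entry are assumptions; the page does not define the Unmapped element structure.

```python
import json

# Accepted Python types per Assessment attribute, from the attribute table.
ASSESSMENT_TYPES = {
    "category": (str,), "desc": (str,), "meets_criteria": (bool,),
    "name": (str,), "policy": (list,), "raw_data": (dict, list, str),
    "record_id": (str,), "uid": (str,), "unmapped": (list,),
}

# Hypothetical source field -> Assessment attribute (source names are made up).
FIELD_MAP = {
    "signal_id": "uid",
    "signal_name": "name",
    "group": "category",
    "criteria": "desc",
    "passed": "meets_criteria",
}

# Constructed sample record; "passed" is deliberately a string, not a Boolean.
SAMPLE = {
    "signal_id": "sig-0001",
    "signal_name": "Kernel Mode Code Integrity (KMCI)",
    "group": "Prevention",
    "criteria": "KMCI is enabled",
    "passed": "yes",
    "host": "example-host",
}

def to_assessment(record: dict) -> dict:
    """Map a source record to an Assessment dict, preserving what is not mapped."""
    # raw_data keeps an independent copy of the record as received.
    out = {"raw_data": json.loads(json.dumps(record)), "unmapped": []}
    for key, value in record.items():
        attr = FIELD_MAP.get(key)
        if attr is None:
            out["unmapped"].append({key: value})  # assumed entry shape
        else:
            out[attr] = value
    return out

def type_errors(assessment: dict) -> list:
    """Return one message per attribute that is unknown or has the wrong type."""
    errors = []
    for attr, value in assessment.items():
        expected = ASSESSMENT_TYPES.get(attr)
        if expected is None:
            errors.append(f"{attr}: not an Assessment attribute")
        elif not isinstance(value, expected):
            errors.append(f"{attr}: got {type(value).__name__}")
    return errors
```

The strict Boolean check matters for meets_criteria: a source value such as "yes" or "false" is a non-empty string and would evaluate as true in any downstream truthiness test.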

Relationships

Assessment shown in context

Inbound Relationships

These objects and events reference Assessment in their attributes:

Outbound Relationships

Assessment references the following objects and events in its attributes:

This page describes ocsf-1.4.0