Check

check

The check object defines a specific, testable compliance verification point that evaluates a target device against a standard, framework, or custom requirement. While checks are typically associated with formal standards (like CIS, NIST, or ISO), they can also represent custom or organizational requirements. When mapped to controls, checks can evaluate specific control_parameters to determine compliance status, but neither the control mapping nor control_parameters are required for a valid check.

Attributes

Caption	Name	Type	Description
Description	`desc`	String	The detailed description of the compliance check, explaining the security requirement, vulnerability, or configuration being assessed. For example, CIS: `The cramfs filesystem type is a compressed read-only Linux filesystem. Removing support for unneeded filesystem types reduces the local attack surface.` or DISA STIG: `Unauthorized access to the information system by foreign entities may result in loss or compromise of data.`
Name	`name`	String	The name or title of the compliance check. For example, CIS: `Ensure mounting of cramfs filesystems is disabled` or DISA STIG: `The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions`.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Severity	`severity`	String	The severity level as defined in the source document. For example CIS Benchmarks, valid values are: `Level 1` (security-forward, essential settings), `Level 2` (security-focused environment, more restrictive), or `Scored/Not Scored` (whether compliance can be automatically checked). For DISA STIG, valid values are: `CAT I` (maps to severity_id 5/Critical), `CAT II` (maps to severity_id 4/High), or `CAT III` (maps to severity_id 3/Medium).
Severity ID	`severity_id`	Integer	The normalized severity identifier that maps severity levels to standard severity levels. For example CIS Benchmark: `Level 2` maps to `4` (High), `Level 1` maps to `3` (Medium). For DISA STIG: `CAT I` maps to `5` (Critical), `CAT II` maps to `4` (High), and `CAT III` maps to `3` (Medium). `0`: Unknown (`UNKNOWN`) `1`: Informational (`INFORMATIONAL`) `2`: Low (`LOW`) `3`: Medium (`MEDIUM`) `4`: High (`HIGH`) `5`: Critical (`CRITICAL`) `6`: Fatal (`FATAL`) `99`: Other (`OTHER`)
Compliance Standards: List	`standards`	String[]	The regulatory or industry standard this check is associated with. E.g., `PCI DSS 3.2.1`, `HIPAA Security Rule`, `NIST SP 800-53 Rev. 5`, or `ISO/IEC 27001:2013`.
Status	`status`	String	The resultant status of the compliance check normalized to the caption of the `status_id` value. For example, CIS Benchmark: `Pass` when all requirements are met, `Fail` when requirements are not met, or DISA STIG: `NotAFinding` (maps to status_id 1/Pass), `Open` (maps to status_id 3/Fail).
Status ID	`status_id`	Integer	The normalized status identifier of the compliance check. `0`: Unknown (`UNKNOWN`) `1`: Pass (`PASS`) `2`: Warning (`WARNING`) `3`: Fail (`FAIL`) `99`: Other (`OTHER`)
Unique ID	`uid`	String	The unique identifier of the compliance check within its standard or framework. For example, CIS Benchmark identifier `1.1.1.1`, DISA STIG identifier `V-230234`, or NIST control identifier `AC-17(2)`.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Version	`version`	String	The check version. For example, CIS Benchmark: `1.1.0` for Amazon Linux 2 or DISA STIG: `V2R1` for Windows 10.

Relationships

Inbound Relationships

These objects and events reference Check in their attributes:

Compliance

Outbound Relationships

Check references the following objects and events in its attributes:

Unmapped

This page describes qdm-1.5.1+ocsf-1.6.0