Data Security

data_security

The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).

Attributes

Caption	Name	Type	Description
Category	`category`	String	The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.
Category ID	`category_id`	Integer	The normalized identifier of the data classification category. `0`: Unknown (`UNKNOWN`) `1`: Personal (`PERSONAL`) `2`: Governmental (`GOVERNMENTAL`) `3`: Financial (`FINANCIAL`) `4`: Business (`BUSINESS`) `5`: Military and Law Enforcement (`MILITARY_AND_LAW_ENFORCEMENT`) `6`: Security (`SECURITY`) `99`: Other (`OTHER`)
Classifier Details	`classifier_details`	Classifier Details[]	Describes details about the classifier used for data classification.
Confidentiality	`confidentiality`	String	The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
Confidentiality ID	`confidentiality_id`	Integer	The normalized identifier of the file content confidentiality indicator. `0`: Unknown (`UNKNOWN`) `1`: Not Confidential (`NOT_CONFIDENTIAL`) `2`: Confidential (`CONFIDENTIAL`) `3`: Secret (`SECRET`) `4`: Top Secret (`TOP_SECRET`) `5`: Private (`PRIVATE`) `6`: Restricted (`RESTRICTED`) `99`: Other (`OTHER`)
Data Lifecycle State	`data_lifecycle_state`	String	The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.
Data Lifecycle State ID	`data_lifecycle_state_id`	Integer	The stage or state that the data was in when it was assessed or scanned by a data security tool. `0`: Unknown (`UNKNOWN`) `1`: Data at-Rest (`DATA_AT_REST`) `2`: Data in-Transit (`DATA_IN_TRANSIT`) `3`: Data in-Use (`DATA_IN_USE`) `99`: Other (`OTHER`)
Detection Pattern	`detection_pattern`	String	Specific pattern, algorithm, fingerprint, or model used for detection.
Detection System	`detection_system`	String	The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.
Detection System ID	`detection_system_id`	Integer	The type of data security tool or system that the finding, detection, or alert originated from. `0`: Unknown (`UNKNOWN`) `1`: Endpoint (`ENDPOINT`) `10`: Application-Level DLP (`APPLICATION_LEVEL_DLP`) `11`: Developer Security (`DEVELOPER_SECURITY`) `12`: Data Security Posture Management (`DATA_SECURITY_POSTURE_MANAGEMENT`) `2`: DLP Gateway (`DLP_GATEWAY`) `3`: Mobile Device Management (`MOBILE_DEVICE_MANAGEMENT`) `4`: Data Discovery & Classification (`DATA_DISCOVERY_&_CLASSIFICATION`) `5`: Secure Web Gateway (`SECURE_WEB_GATEWAY`) `6`: Secure Email Gateway (`SECURE_EMAIL_GATEWAY`) `7`: Digital Rights Management (`DIGITAL_RIGHTS_MANAGEMENT`) `8`: Cloud Access Security Broker (`CLOUD_ACCESS_SECURITY_BROKER`) `9`: Database Activity Monitoring (`DATABASE_ACTIVITY_MONITORING`) `99`: Other (`OTHER`)
Discovery Details	`discovery_details`	Discovery Details[]	Details about the data discovered by classification job.
Pattern Match	`pattern_match`	String	A text, binary, file name, or datastore that matched against a detection rule.
Policy	`policy`	Policy[]	Details about the policy that triggered the finding.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Size	`size`	Long	Size of the data classified.
Source URL	`src_url`	URL String	Entity:`URL_STRING` The source URL pointing towards the full classifcation job details.
Status	`status`	String	The resultant status of the classification job normalized to the caption of the `status_id` value. In the case of 'Other', it is defined by the event source.
Status Details	`status_details`	String[]	The contextual description of the `status, status_id` value.
Status ID	`status_id`	Integer	The normalized status identifier of the classification job. `0`: Unknown (`UNKNOWN`) `1`: Complete (`COMPLETE`) `2`: Partial (`PARTIAL`) `3`: Fail (`FAIL`) `99`: Other (`OTHER`)
Total	`total`	Integer	The total count of discovered entities, by the classification job.
Unique ID	`uid`	String	The unique identifier of the classification job.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.

Relationships

Inbound Relationships

These objects and events reference Data Security in their attributes:

Data Security Finding

Outbound Relationships

Data Security references the following objects and events in its attributes:

This page describes ocsf-1.4.0