Data Security

data_security

The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).

Attributes

Caption Name Type Description
Category category String The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.
Category ID category_id Integer The normalized identifier of the data classification category.
  • 0: Unknown (UNKNOWN)
  • 1: Personal (PERSONAL)
  • 2: Governmental (GOVERNMENTAL)
  • 3: Financial (FINANCIAL)
  • 4: Business (BUSINESS)
  • 5: Military and Law Enforcement (MILITARY_AND_LAW_ENFORCEMENT)
  • 6: Security (SECURITY)
  • 99: Other (OTHER)
Classifier Details classifier_details Classifier Details[] Describes details about the classifier used for data classification.
Confidentiality confidentiality String The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
Confidentiality ID confidentiality_id Integer The normalized identifier of the file content confidentiality indicator.
  • 0: Unknown (UNKNOWN)
  • 1: Not Confidential (NOT_CONFIDENTIAL)
  • 2: Confidential (CONFIDENTIAL)
  • 3: Secret (SECRET)
  • 4: Top Secret (TOP_SECRET)
  • 5: Private (PRIVATE)
  • 6: Restricted (RESTRICTED)
  • 99: Other (OTHER)
Data Lifecycle State data_lifecycle_state String The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.
Data Lifecycle State ID data_lifecycle_state_id Integer The stage or state that the data was in when it was assessed or scanned by a data security tool.
  • 0: Unknown (UNKNOWN)
  • 1: Data at-Rest (DATA_AT_REST)
  • 2: Data in-Transit (DATA_IN_TRANSIT)
  • 3: Data in-Use (DATA_IN_USE)
  • 99: Other (OTHER)
Detection Pattern detection_pattern String Specific pattern, algorithm, fingerprint, or model used for detection.
Detection System detection_system String The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.
Detection System ID detection_system_id Integer The type of data security tool or system that the finding, detection, or alert originated from.
  • 0: Unknown (UNKNOWN)
  • 1: Endpoint (ENDPOINT)
  • 2: DLP Gateway (DLP_GATEWAY)
  • 3: Mobile Device Management (MOBILE_DEVICE_MANAGEMENT)
  • 4: Data Discovery & Classification (DATA_DISCOVERY_&_CLASSIFICATION)
  • 5: Secure Web Gateway (SECURE_WEB_GATEWAY)
  • 6: Secure Email Gateway (SECURE_EMAIL_GATEWAY)
  • 7: Digital Rights Management (DIGITAL_RIGHTS_MANAGEMENT)
  • 8: Cloud Access Security Broker (CLOUD_ACCESS_SECURITY_BROKER)
  • 9: Database Activity Monitoring (DATABASE_ACTIVITY_MONITORING)
  • 10: Application-Level DLP (APPLICATION_LEVEL_DLP)
  • 11: Developer Security (DEVELOPER_SECURITY)
  • 12: Data Security Posture Management (DATA_SECURITY_POSTURE_MANAGEMENT)
  • 99: Other (OTHER)
Discovery Details discovery_details Discovery Details[] Details about the data discovered by the classification job.
Pattern Match pattern_match String A text, binary, file name, or datastore that matched against a detection rule.
Policy policy Policy[] Details about the policy that triggered the finding.
Raw Data raw_data JSON (Group: context) The event data as received from the event source.
Record ID record_id String (Group: primary) Unique identifier for the object.
Size size Long Size of the data classified.
Source URL src_url URL String (Entity: URL_STRING) The source URL pointing towards the full classification job details.
Status status String The resultant status of the classification job normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
Status Details status_details String[] The contextual description of the status, status_id value.
Status ID status_id Integer The normalized status identifier of the classification job.
  • 0: Unknown (UNKNOWN)
  • 1: Complete (COMPLETE)
  • 2: Partial (PARTIAL)
  • 3: Fail (FAIL)
  • 99: Other (OTHER)
Total total Integer The total count of discovered entities by the classification job.
Unique ID uid String The unique identifier of the classification job.
Unmapped unmapped Unmapped[] Data from the source that was not mapped into the schema.
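
The following validator is an added example, not part of the OCSF schema or its tooling. It checks a data_security object against the enum values listed above and applies the stated rule that confidentiality and status carry the caption of their _id value unless that value is 99 (Other). The function name and the sample objects are constructed for illustration, and the exact, case-sensitive caption comparison is an assumption.

```python
# Added example. Enum tables are transcribed from the attribute list above.
CONFIDENTIALITY = {0: "Unknown", 1: "Not Confidential", 2: "Confidential",
                   3: "Secret", 4: "Top Secret", 5: "Private",
                   6: "Restricted", 99: "Other"}
STATUS = {0: "Unknown", 1: "Complete", 2: "Partial", 3: "Fail", 99: "Other"}
ALLOWED_IDS = {
    "category_id": {0, 1, 2, 3, 4, 5, 6, 99},
    "confidentiality_id": set(CONFIDENTIALITY),
    "data_lifecycle_state_id": {0, 1, 2, 3, 99},
    "detection_system_id": set(range(13)) | {99},
    "status_id": set(STATUS),
}
OTHER = 99  # for 'Other' the string is defined by the event source


def validate_data_security(obj):
    """Return a list of problems in one data_security object (empty = clean)."""
    problems = []
    # Every *_id that is present must be an integer from its documented enum.
    for field, allowed in ALLOWED_IDS.items():
        if field not in obj:
            continue
        value = obj[field]
        if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
            problems.append(f"{field}: {value!r} is not a documented value")
    # confidentiality and status must equal the caption of their *_id,
    # except for 99 (Other), where the event source supplies the string.
    for name, captions in (("confidentiality", CONFIDENTIALITY), ("status", STATUS)):
        label, ident = obj.get(name), obj.get(name + "_id")
        if label is None or ident == OTHER:
            continue
        expected = captions.get(ident) if isinstance(ident, int) else None
        if expected is not None and label != expected:
            problems.append(f"{name}: {label!r} does not match {name}_id {ident} ({expected!r})")
    return problems

# Constructed sample objects (not taken from any real tool).
CLEAN = {"category_id": 3, "category": "Financial", "confidentiality_id": 2,
         "confidentiality": "Confidential", "data_lifecycle_state_id": 2,
         "detection_system_id": 6, "status_id": 1, "status": "Complete"}
SOURCE_DEFINED = {"confidentiality_id": 99, "confidentiality": "Internal Only"}
BROKEN = {"confidentiality_id": 4, "confidentiality": "Secret",
          "detection_system_id": 13, "status_id": "1"}

if __name__ == "__main__":
    for sample in (CLEAN, SOURCE_DEFINED, BROKEN):
        print(validate_data_security(sample))
```

Running a check like this at ingest keeps mislabeled confidentiality or status values out of downstream DLP alert routing, where rules typically key on the integer _id fields.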

Relationships

Data Security shown in context

Inbound Relationships

These objects and events reference Data Security in their attributes:

Outbound Relationships

Data Security references the following objects and events in its attributes:

This page describes ocsf-1.4.0