Evidence Artifacts

evidences

A collection of evidence artifacts associated with the activity or activities that triggered a security detection.

Attributes

Caption | Name | Type | Description
Actor | actor | Actor[] | Describes the user, role or process that was the source of the activity that triggered the detection.
API Details | api | API[] | Describes the API call associated with the activity that triggered the detection.
Connection Info | connection_info | Network Connection Information[] | Describes the network connection associated with the activity that triggered the detection.
Container | container | Container[] (Entity: CONTAINER) | Describes the container associated with the activity that triggered the detection.
Data | data | JSON | Additional evidence data that is not accounted for by the specific evidence attributes. Use only when absolutely necessary.
Database | database | Database[] | Describes the database associated with the activity that triggered the detection.
Databucket | databucket | Databucket[] | Describes the databucket associated with the activity that triggered the detection.
Device | device | Device[] | An addressable device, computer system or host associated with the activity that triggered the detection.
Destination Endpoint | dst_endpoint | Network Endpoint[] | Describes the destination of the network activity that triggered the detection.
Email | email | Email[] (Entity: EMAIL) | The email object associated with the activity that triggered the detection.
File | file | File[] (Entity: FILE) | Describes the file associated with the activity that triggered the detection.
HTTP Request | http_request | HTTP Request[] | Describes the HTTP request associated with the activity that triggered the detection.
HTTP Response | http_response | HTTP Response[] | Describes the HTTP response associated with the activity that triggered the detection.
JA4+ Fingerprints | ja4_fingerprint_list | JA4+ Fingerprint[] | Describes the JA4+ fingerprints that triggered the detection.
Job | job | Job[] | Describes the scheduled job associated with the activity that triggered the detection.
Name | name | String | The naming convention or type identifier of the evidence associated with the security detection. For example, the @odata.type from Microsoft Graph Alerts V2 or display_name from CrowdStrike Falcon Incident Behaviors.
Process | process | Linux Process[] (Entity: PROCESS) | Describes the process associated with the activity that triggered the detection.
DNS Query | query | DNS Query[] | Describes the DNS query associated with the activity that triggered the detection.
Raw Data | raw_data | JSON (Group: context) | The event data as received from the event source.
Record ID | record_id | String (Group: primary) | Unique identifier for the object.
Registry Key | reg_key | Registry Key[] (Entity: REGISTRY_KEY) | Describes the registry key that triggered the detection.
Registry Value | reg_value | Registry Value[] (Entity: REGISTRY_VALUE) | Describes the registry value that triggered the detection.
Cloud Resources | resources | Resource Details[] | Describes the cloud resources directly related to the activity that triggered the detection. For resources impacted by the detection, use Affected Resources at the top level of the finding instead.
Script | script | Script[] | Describes the script associated with the activity that triggered the detection.
Source Endpoint | src_endpoint | Network Endpoint[] | Describes the source of the network activity that triggered the detection.
TLS | tls | Transport Layer Security (TLS)[] | Describes the Transport Layer Security (TLS) activity that triggered the detection.
Unique ID | uid | String | The unique identifier of the evidence associated with the security detection. For example, the activity_id from CrowdStrike Falcon Alerts or behavior_id from CrowdStrike Falcon Incident Behaviors.
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema.
URL | url | Uniform Resource Locator[] (Entity: UNIFORM_RESOURCE_LOCATOR) | The URL object that pertains to the event or object associated with the activity that triggered the detection.
User | user | User[] (Entity: USER) | Describes the user that was the target of, or otherwise associated with, the activity that triggered the detection.
Verdict | verdict | String | The normalized verdict of the evidence associated with the security detection.
Verdict ID | verdict_id | Integer | The normalized verdict (or status) ID of the evidence associated with the security detection; the allowed values are listed below the table. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the alert. This is typically set by an automated investigation process or by an analyst/investigator assigned to the finding.
Windows Service | win_service | Windows Service[] | Describes the Windows service that triggered the detection.

Values of verdict_id:
  • 0: Unknown (UNKNOWN)
  • 1: False Positive (FALSE_POSITIVE)
  • 2: True Positive (TRUE_POSITIVE)
  • 3: Disregard (DISREGARD)
  • 4: Suspicious (SUSPICIOUS)
  • 5: Benign (BENIGN)
  • 6: Test (TEST)
  • 7: Insufficient Data (INSUFFICIENT_DATA)
  • 8: Security Risk (SECURITY_RISK)
  • 9: Managed Externally (MANAGED_EXTERNALLY)
  • 10: Duplicate (DUPLICATE)
  • 99: Other (OTHER)
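The attribute table above is easier to apply with a mapper in hand. The following is an added example, not code from the OCSF project, showing how a vendor alert record would be turned into one `evidences` entry: `uid` and `name` are filled from the alert's identifier and display name as the table suggests, the vendor verdict is normalized into `verdict_id`/`verdict` using the enumeration above (unknown vendor values become 99 Other with the original string kept in `verdict`), the received event is kept whole in `raw_data`, and a small checker enforces the shape constraints the table implies (array-typed attributes must be arrays, `verdict_id` must be a listed value). The alert record `SAMPLE_ALERT`, its field names, and the `VENDOR_VERDICTS` mapping are constructed for illustration and are not any real product's format.

```python
"""Map a constructed vendor alert to an OCSF 1.4.0 `evidences` entry.

Added example, not OCSF project code. The vendor record layout
(activity_id, display_name, verdict, process, file) is hypothetical.
"""
from __future__ import annotations

import json
from typing import Any

# Enumeration of evidences.verdict_id as listed on the schema page.
VERDICT_IDS: dict[str, int] = {
    "UNKNOWN": 0, "FALSE_POSITIVE": 1, "TRUE_POSITIVE": 2, "DISREGARD": 3,
    "SUSPICIOUS": 4, "BENIGN": 5, "TEST": 6, "INSUFFICIENT_DATA": 7,
    "SECURITY_RISK": 8, "MANAGED_EXTERNALLY": 9, "DUPLICATE": 10, "OTHER": 99,
}
# Caption for each id, e.g. 1 -> "False Positive".
VERDICT_CAPTIONS: dict[int, str] = {
    v: k.replace("_", " ").title() for k, v in VERDICT_IDS.items()
}

# Attributes the table types as arrays ("Type[]"); a lone object must be wrapped.
ARRAY_ATTRS: frozenset[str] = frozenset({
    "actor", "api", "connection_info", "container", "database", "databucket",
    "device", "dst_endpoint", "email", "file", "http_request", "http_response",
    "ja4_fingerprint_list", "job", "process", "query", "reg_key", "reg_value",
    "resources", "script", "src_endpoint", "tls", "url", "user", "win_service",
})

# Hypothetical vendor verdict strings -> OCSF enum keys (constructed mapping).
VENDOR_VERDICTS: dict[str, str] = {
    "malicious": "TRUE_POSITIVE", "benign": "BENIGN", "fp": "FALSE_POSITIVE",
}

# Constructed alert record used as sample input; not a real product payload.
SAMPLE_ALERT: dict[str, Any] = {
    "activity_id": "alert-0001",
    "display_name": "Suspicious PowerShell Execution",
    "verdict": "malicious",
    "process": {"pid": 4312, "name": "powershell.exe",
                "cmdline": "powershell.exe -nop -w hidden -c whoami"},
    "file": {"name": "powershell.exe",
             "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
}


def normalize_verdict(source_value: str | None) -> tuple[int, str]:
    """Return (verdict_id, verdict) for a vendor verdict string.

    A missing value is 0/Unknown. A value the mapping does not know becomes
    99/Other, and the original vendor string is preserved in `verdict` so the
    source information survives normalization.
    """
    if source_value is None:
        return VERDICT_IDS["UNKNOWN"], VERDICT_CAPTIONS[0]
    key = VENDOR_VERDICTS.get(source_value.lower())
    if key is None:
        return VERDICT_IDS["OTHER"], source_value
    vid = VERDICT_IDS[key]
    return vid, VERDICT_CAPTIONS[vid]


def build_evidence(alert: dict[str, Any]) -> dict[str, Any]:
    """Build one evidences entry from the constructed vendor alert shape."""
    ev: dict[str, Any] = {
        "uid": alert["activity_id"],     # table: vendor alert id -> uid
        "name": alert["display_name"],   # table: vendor type/display name -> name
        "raw_data": dict(alert),         # table: event data as received (JSON)
    }
    ev["verdict_id"], ev["verdict"] = normalize_verdict(alert.get("verdict"))
    if "process" in alert:               # process is Process[]: wrap in a list
        p = alert["process"]
        ev["process"] = [{"pid": p["pid"], "name": p["name"], "cmd_line": p["cmdline"]}]
    if "file" in alert:                  # file is File[]: wrap in a list
        f = alert["file"]
        ev["file"] = [{"name": f["name"], "path": f["path"]}]
    return ev


def check_evidence(ev: dict[str, Any]) -> list[str]:
    """Return shape problems implied by the attribute table; [] means well formed."""
    problems: list[str] = []
    vid = ev.get("verdict_id")
    if vid is not None and vid not in VERDICT_CAPTIONS:
        problems.append(f"verdict_id {vid} is not in the enumeration")
    if vid == VERDICT_IDS["OTHER"] and not ev.get("verdict"):
        problems.append("verdict_id 99 (Other) requires the source value in `verdict`")
    for attr in sorted(ARRAY_ATTRS.intersection(ev)):
        if not isinstance(ev[attr], list):
            problems.append(f"{attr} must be an array, got {type(ev[attr]).__name__}")
    if "raw_data" in ev:
        try:
            json.dumps(ev["raw_data"])   # raw_data is typed JSON; must serialize
        except (TypeError, ValueError):
            problems.append("raw_data is not JSON-serializable")
    return problems


if __name__ == "__main__":
    entry = build_evidence(SAMPLE_ALERT)
    print(json.dumps(entry, indent=2))
    print("problems:", check_evidence(entry))
```

The checker is deliberately limited to what the table states; it does not validate the nested objects (Process, File, and so on), which have their own schema pages.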

Relationships

Inbound Relationships

These objects and events reference Evidence Artifacts in their attributes:

Outbound Relationships

Evidence Artifacts references the following objects and events in its attributes:

This page describes ocsf-1.4.0