Evidence Artifacts
evidences
A collection of evidence artifacts associated to the activity/activities that triggered a security detection.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Actor | actor | Actor[] | Describes details about the user/role/process that was the source of the activity that triggered the detection. |
API Details | api | API[] | Describes details about the API call associated to the activity that triggered the detection. |
Connection Info | connection_info | Network Connection Information[] | Describes details about the network connection associated to the activity that triggered the detection. |
Container | container | Container[] | Entity: |
Data | data | JSON | Additional evidence data that is not accounted for in the specific evidence attributes. |
Database | database | Database[] | Describes details about the database associated to the activity that triggered the detection. |
Databucket | databucket | Databucket[] | Describes details about the databucket associated to the activity that triggered the detection. |
Device | device | Device[] | An addressable device, computer system or host associated to the activity that triggered the detection. |
Destination Endpoint | dst_endpoint | Network Endpoint[] | Describes details about the destination of the network activity that triggered the detection. |
email | Email[] | Entity: | |
File | file | File[] | Entity: |
HTTP Request | http_request | HTTP Request[] | Describes details about the http request associated to the activity that triggered the detection. |
HTTP Response | http_response | HTTP Response[] | Describes details about the http response associated to the activity that triggered the detection. |
JA4+ Fingerprints | ja4_fingerprint_list | JA4+ Fingerprint[] | Describes details about the JA4+ fingerprints that triggered the detection. |
Job | job | Job[] | Describes details about the scheduled job that was associated with the activity that triggered the detection. |
Name | name | String | The naming convention or type identifier of the evidence associated with the security detection. For example, the |
Process | process | Linux Process[] | Entity: |
DNS Query | query | DNS Query[] | Describes details about the DNS query associated to the activity that triggered the detection. |
Raw Data | raw_data | JSON | Group: |
Record ID | record_id | String | Group: |
Registry Key | reg_key | Registry Key[] | Entity: |
Registry Value | reg_value | Registry Value[] | Entity: |
Cloud Resources | resources | Resource Details[] | Describes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use |
Script | script | Script[] | Describes details about the script that was associated with the activity that triggered the detection. |
Source Endpoint | src_endpoint | Network Endpoint[] | Describes details about the source of the network activity that triggered the detection. |
TLS | tls | Transport Layer Security (TLS)[] | Describes details about the Transport Layer Security (TLS) activity that triggered the detection. |
Unique ID | uid | String | The unique identifier of the evidence associated with the security detection. For example, the |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
URL | url | Uniform Resource Locator[] | Entity: |
User | user | User[] | Entity: |
Verdict | verdict | String | The normalized verdict of the evidence associated with the security detection. |
Verdict ID | verdict_id | Integer | The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a
|
Windows Service | win_service | Windows Service[] | Describes details about the Windows service that triggered the detection. |
Relationships
Inbound Relationships
These objects and events reference Evidence Artifacts in their attributes:
Outbound Relationships
Evidence Artifacts references the following objects and events in its attributes:
- HTTP Request
- DNS Query
- Network Connection Information
- Actor
- Device
- Registry Key
- Network Endpoint
- Linux Process
- User
- Resource Details
- Script
- Job
- JA4+ Fingerprint
- API
- Container
- Transport Layer Security (TLS)
- Registry Value
- Unmapped
- File
- Database
- Windows Service
- Databucket
- HTTP Response
- Uniform Resource Locator
This page describes ocsf-1.4.0
Updated 15 days ago