Evidence Artifacts
evidences
A collection of evidence artifacts associated to the activity/activities that triggered a security detection.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Actor | actor |
Actor[] | Describes details about the user/role/process that was the source of the activity that triggered the detection. |
| API Details | api |
API[] | Describes details about the API call associated to the activity that triggered the detection. |
| Connection Info | connection_info |
Network Connection Information[] | Describes details about the network connection associated to the activity that triggered the detection. |
| Container | container |
Container[] |
Entity:CONTAINERDescribes details about the container associated to the activity that triggered the detection. |
| Data | data |
JSON |
Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.
|
| Database | database |
Database[] | Describes details about the database associated to the activity that triggered the detection. |
| Databucket | databucket |
Databucket[] | Describes details about the databucket associated to the activity that triggered the detection. |
| Device | device |
Device[] | An addressable device, computer system or host associated to the activity that triggered the detection. |
| Destination Endpoint | dst_endpoint |
Network Endpoint[] | Describes details about the destination of the network activity that triggered the detection. |
email |
Email[] |
Entity:EMAILThe email object associated to the activity that triggered the detection. |
|
| File | file |
File[] |
Entity:FILEDescribes details about the file associated to the activity that triggered the detection. |
| HTTP Request | http_request |
HTTP Request[] | Describes details about the http request associated to the activity that triggered the detection. |
| HTTP Response | http_response |
HTTP Response[] | Describes details about the http response associated to the activity that triggered the detection. |
| JA4+ Fingerprints | ja4_fingerprint_list |
JA4+ Fingerprint[] | Describes details about the JA4+ fingerprints that triggered the detection. |
| Job | job |
Job[] | Describes details about the scheduled job that was associated with the activity that triggered the detection. |
| Name | name |
String |
The naming convention or type identifier of the evidence associated with the security detection. For example, the @odata.type from Microsoft Graph Alerts V2 or display_name from CrowdStrike Falcon Incident Behaviors.
|
| Process | process |
Linux Process[] |
Entity:PROCESSDescribes details about the process associated to the activity that triggered the detection. |
| DNS Query | query |
DNS Query[] | Describes details about the DNS query associated to the activity that triggered the detection. |
| Raw Data | raw_data |
JSON |
Group:contextThe event data as received from the event source. |
| Record ID | record_id |
String |
Group:primaryUnique identifier for the object |
| Registry Key | reg_key |
Registry Key[] |
Entity:REGISTRY_KEYDescribes details about the registry key that triggered the detection. |
| Registry Value | reg_value |
Registry Value[] |
Entity:REGISTRY_VALUEDescribes details about the registry value that triggered the detection. |
| Cloud Resources | resources |
Resource Details[] |
Describes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use Affected Resources at the top-level of the finding.
|
| Script | script |
Script[] | Describes details about the script that was associated with the activity that triggered the detection. |
| Source Endpoint | src_endpoint |
Network Endpoint[] | Describes details about the source of the network activity that triggered the detection. |
| TLS | tls |
Transport Layer Security (TLS)[] | Describes details about the Transport Layer Security (TLS) activity that triggered the detection. |
| Unique ID | uid |
String |
The unique identifier of the evidence associated with the security detection. For example, the activity_id from CrowdStrike Falcon Alerts or behavior_id from CrowdStrike Falcon Incident Behaviors.
|
| Unmapped | unmapped |
Unmapped[] | Data from the source that was not mapped into the schema. |
| URL | url |
Uniform Resource Locator[] |
Entity:UNIFORM_RESOURCE_LOCATORThe URL object that pertains to the event or object associated to the activity that triggered the detection. |
| User | user |
User[] |
Entity:USERDescribes details about the user that was the target or somehow else associated with the activity that triggered the detection. |
| Verdict | verdict |
String | The normalized verdict of the evidence associated with the security detection. |
| Verdict ID | verdict_id |
Integer |
The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.
|
| Windows Service | win_service |
Windows Service[] | Describes details about the Windows service that triggered the detection. |
Relationships
Inbound Relationships
These objects and events reference Evidence Artifacts in their attributes:
Outbound Relationships
Evidence Artifacts references the following objects and events in its attributes:
- HTTP Request
- DNS Query
- Network Connection Information
- Actor
- Device
- Registry Key
- Network Endpoint
- Linux Process
- User
- Resource Details
- Script
- Job
- JA4+ Fingerprint
- API
- Container
- Transport Layer Security (TLS)
- Registry Value
- Unmapped
- File
- Database
- Windows Service
- Databucket
- HTTP Response
- Uniform Resource Locator
This page describes ocsf-1.4.0
Updated 8 days ago