Windows Evidence Artifacts
Extends the evidences object to add Windows specific fields
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Actor | actor |
Actor[] | Describes details about the user/role/process that was the source of the activity that triggered the detection. |
| API Details | api |
API[] | Describes details about the API call associated to the activity that triggered the detection. |
| Connection Info | connection_info |
Network Connection Information[] | Describes details about the network connection associated to the activity that triggered the detection. |
| Container | container |
Container[] | Describes details about the container associated to the activity that triggered the detection. |
| Data | data |
JSON |
Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.
|
| Database | database |
Database[] | Describes details about the database associated to the activity that triggered the detection. |
| Databucket | databucket |
Databucket[] | Describes details about the databucket associated to the activity that triggered the detection. |
| Device | device |
Device[] | An addressable device, computer system or host associated to the activity that triggered the detection. |
| Destination Endpoint | dst_endpoint |
Network Endpoint[] | Describes details about the destination of the network activity that triggered the detection. |
email |
Email[] | The email object associated to the activity that triggered the detection. | |
| File | file |
File[] | Describes details about the file associated to the activity that triggered the detection. |
| Job | job |
Job[] | Describes details about the scheduled job that was associated with the activity that triggered the detection. |
| Process | process |
Linux Process[] | Describes details about the process associated to the activity that triggered the detection. |
| DNS Query | query |
DNS Query[] | Describes details about the DNS query associated to the activity that triggered the detection. |
| Raw Data | raw_data |
JSON | The event data as received from the event source. |
| Record ID | record_id |
String | Unique identifier for the object |
| Registry Key | reg_key |
Registry Key[] | Describes details about the registry key that triggered the detection. |
| Registry Value | reg_value |
Registry Value[] | Describes details about the registry value that triggered the detection. |
| Source Endpoint | src_endpoint |
Network Endpoint[] | Describes details about the source of the network activity that triggered the detection. |
| Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| URL | url |
Uniform Resource Locator[] | The URL object that pertains to the event or object associated to the activity that triggered the detection. |
| User | user |
User[] | Describes details about the user that was the target or somehow else associated with the activity that triggered the detection. |
| Windows Service | win_service |
Windows Service[] | Describes details about the Windows service that triggered the detection. |
Relationships
Inbound Relationships
These objects and events reference Windows Evidence Artifacts in their attributes:
Outbound Relationships
Windows Evidence Artifacts references the following objects and events in its attributes:
- Database
- Actor
- Network Connection Information
- Unmapped
- Registry Key
- Network Endpoint
- Windows Service
- DNS Query
- Linux Process
- Registry Value
- File
- API
- Uniform Resource Locator
- Databucket
- Device
- Job
- User
- Container
This page describes qdm-1.3.2+ocsf-1.3.0
Updated about 1 month ago