Evidence Artifacts

evidences

A collection of evidence artifacts associated to the activity/activities that triggered a security detection.

Attributes

Caption	Name	Type	Description
Actor	`actor`	Actor[]	Describes details about the user/role/process that was the source of the activity that triggered the detection.
API Details	`api`	API[]	Describes details about the API call associated to the activity that triggered the detection.
Connection Info	`connection_info`	Network Connection Information[]	Describes details about the network connection associated to the activity that triggered the detection.
Container	`container`	Container[]	Entity:`CONTAINER` Describes details about the container associated to the activity that triggered the detection.
Data	`data`	JSON	Additional evidence data that is not accounted for in the specific evidence attributes. `Use only when absolutely necessary.`
Database	`database`	Database[]	Describes details about the database associated to the activity that triggered the detection.
Databucket	`databucket`	Databucket[]	Describes details about the databucket associated to the activity that triggered the detection.
Device	`device`	Device[]	An addressable device, computer system or host associated to the activity that triggered the detection.
Destination Endpoint	`dst_endpoint`	Network Endpoint[]	Describes details about the destination of the network activity that triggered the detection.
Email	`email`	Email[]	Entity:`EMAIL` The email object associated to the activity that triggered the detection.
File	`file`	File[]	Entity:`FILE` Describes details about the file associated to the activity that triggered the detection.
HTTP Request	`http_request`	HTTP Request[]	Describes details about the http request associated to the activity that triggered the detection.
HTTP Response	`http_response`	HTTP Response[]	Describes details about the http response associated to the activity that triggered the detection.
JA4+ Fingerprints	`ja4_fingerprint_list`	JA4+ Fingerprint[]	Describes details about the JA4+ fingerprints that triggered the detection.
Job	`job`	Job[]	Describes details about the scheduled job that was associated with the activity that triggered the detection.
Name	`name`	String	The naming convention or type identifier of the evidence associated with the security detection. For example, the `@odata.type` from Microsoft Graph Alerts V2 or `display_name` from CrowdStrike Falcon Incident Behaviors.
Process	`process`	Linux Process[]	Entity:`PROCESS` Describes details about the process associated to the activity that triggered the detection.
DNS Query	`query`	DNS Query[]	Describes details about the DNS query associated to the activity that triggered the detection.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Registry Key	`reg_key`	Registry Key[]	Entity:`REGISTRY_KEY` Describes details about the registry key that triggered the detection.
Registry Value	`reg_value`	Registry Value[]	Entity:`REGISTRY_VALUE` Describes details about the registry value that triggered the detection.
Cloud Resources	`resources`	Resource Details[]	Describes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use `Affected Resources` at the top-level of the finding.
Script	`script`	Script[]	Describes details about the script that was associated with the activity that triggered the detection.
Source Endpoint	`src_endpoint`	Network Endpoint[]	Describes details about the source of the network activity that triggered the detection.
TLS	`tls`	Transport Layer Security (TLS)[]	Describes details about the Transport Layer Security (TLS) activity that triggered the detection.
Unique ID	`uid`	String	The unique identifier of the evidence associated with the security detection. For example, the `activity_id` from CrowdStrike Falcon Alerts or `behavior_id` from CrowdStrike Falcon Incident Behaviors.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
URL	`url`	Uniform Resource Locator[]	Entity:`UNIFORM_RESOURCE_LOCATOR` The URL object that pertains to the event or object associated to the activity that triggered the detection.
User	`user`	User[]	Entity:`USER` Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.
Verdict	`verdict`	String	The normalized verdict of the evidence associated with the security detection.
Verdict ID	`verdict_id`	Integer	The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a `verdict` enumeration for each type of `evidence` associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding. `0`: Unknown (`UNKNOWN`) `1`: False Positive (`FALSE_POSITIVE`) `10`: Duplicate (`DUPLICATE`) `2`: True Positive (`TRUE_POSITIVE`) `3`: Disregard (`DISREGARD`) `4`: Suspicious (`SUSPICIOUS`) `5`: Benign (`BENIGN`) `6`: Test (`TEST`) `7`: Insufficient Data (`INSUFFICIENT_DATA`) `8`: Security Risk (`SECURITY_RISK`) `9`: Managed Externally (`MANAGED_EXTERNALLY`) `99`: Other (`OTHER`)
Windows Service	`win_service`	Windows Service[]	Describes details about the Windows service that triggered the detection.

Relationships

Inbound Relationships

These objects and events reference Evidence Artifacts in their attributes:

Outbound Relationships

Evidence Artifacts references the following objects and events in its attributes:

This page describes ocsf-1.4.0