Evidence Artifacts

evidences

A collection of evidence artifacts associated with the activity or activities that triggered a security detection. Each artifact describes one observable (an actor, process, file, network connection, cloud resource and so on) that the detection logic relied on, together with a normalized verdict for that artifact.

Attributes

Caption (name): Type
Description
Actor (actor): Actor[]

Describes details about the user/role/process that was the source of the activity that triggered the detection.

API Details (api): API[]

Describes details about the API call associated with the activity that triggered the detection.

Connection Info (connection_info): Network Connection Information[]

Describes details about the network connection associated with the activity that triggered the detection.

Container (container): Container[]

Entity: CONTAINER
Describes details about the container associated with the activity that triggered the detection.

Data (data): JSON

Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary; prefer a typed attribute when one exists, since free-form JSON is not normalized and cannot be queried consistently across sources.

Database (database): Database[]

Describes details about the database associated with the activity that triggered the detection.

Databucket (databucket): Databucket[]

Describes details about the databucket associated with the activity that triggered the detection.

Device (device): Device[]

An addressable device, computer system or host associated with the activity that triggered the detection.

Destination Endpoint (dst_endpoint): Network Endpoint[]

Describes details about the destination of the network activity that triggered the detection.

Email (email): Email[]

Entity: EMAIL
The email object associated with the activity that triggered the detection.

File (file): File[]

Entity: FILE
Describes details about the file associated with the activity that triggered the detection.

HTTP Request (http_request): HTTP Request[]

Describes details about the HTTP request associated with the activity that triggered the detection.

HTTP Response (http_response): HTTP Response[]

Describes details about the HTTP response associated with the activity that triggered the detection.

JA4+ Fingerprints (ja4_fingerprint_list): JA4+ Fingerprint[]

Describes details about the JA4+ fingerprints that triggered the detection.

Job (job): Job[]

Describes details about the scheduled job that was associated with the activity that triggered the detection.

Name (name): String

The naming convention or type identifier of the evidence associated with the security detection. For example, the @odata.type from Microsoft Graph Alerts V2 or display_name from CrowdStrike Falcon Incident Behaviors.

Process (process): Linux Process[]

Entity: PROCESS
Describes details about the process associated with the activity that triggered the detection.

DNS Query (query): DNS Query[]

Describes details about the DNS query associated with the activity that triggered the detection.

Raw Data (raw_data): JSON

Group: context
The event data as received from the event source, kept verbatim so the original can be re-examined if the mapping is later found to be lossy or incorrect.

Record ID (record_id): String

Group: primary
Unique identifier for the object.

Registry Key (reg_key): Registry Key[]

Entity: REGISTRY_KEY
Describes details about the registry key that triggered the detection.

Registry Value (reg_value): Registry Value[]

Entity: REGISTRY_VALUE
Describes details about the registry value that triggered the detection.

Cloud Resources (resources): Resource Details[]

Describes details about the cloud resources directly related to the activity that triggered the detection. For resources impacted by the detection, use Affected Resources at the top level of the finding rather than this attribute.

Script (script): Script[]

Describes details about the script that was associated with the activity that triggered the detection.

Source Endpoint (src_endpoint): Network Endpoint[]

Describes details about the source of the network activity that triggered the detection.

TLS (tls): Transport Layer Security (TLS)[]

Describes details about the Transport Layer Security (TLS) activity that triggered the detection.

Unique ID (uid): String

The unique identifier of the evidence associated with the security detection. For example, the activity_id from CrowdStrike Falcon Alerts or behavior_id from CrowdStrike Falcon Incident Behaviors.

Unmapped (unmapped): Unmapped[]

Data from the source that was not mapped into the schema.

URL (url): Uniform Resource Locator[]

Entity: UNIFORM_RESOURCE_LOCATOR
The URL object that pertains to the event or object associated with the activity that triggered the detection.

User (user): User[]

Entity: USER
Describes details about the user that was the target of, or otherwise associated with, the activity that triggered the detection. The user or role that initiated the activity belongs in Actor instead.

Verdict (verdict): String

The normalized verdict of the evidence associated with the security detection.

Verdict ID (verdict_id): Integer

The normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a verdict enumeration for each type of evidence associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.

  • 0: Unknown (UNKNOWN)
  • 1: False Positive (FALSE_POSITIVE)
  • 2: True Positive (TRUE_POSITIVE)
  • 3: Disregard (DISREGARD)
  • 4: Suspicious (SUSPICIOUS)
  • 5: Benign (BENIGN)
  • 6: Test (TEST)
  • 7: Insufficient Data (INSUFFICIENT_DATA)
  • 8: Security Risk (SECURITY_RISK)
  • 9: Managed Externally (MANAGED_EXTERNALLY)
  • 10: Duplicate (DUPLICATE)
  • 99: Other (OTHER)

Windows Service (win_service): Windows Service[]

Describes details about the Windows service that triggered the detection.
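The attribute table above describes the shape of one evidence artifact but not how a producer builds it. The following is an added example, not code from the OCSF project or from any vendor SDK: it normalizes a constructed vendor alert record into an `evidences` entry, mapping the vendor's verdict string onto the verdict / verdict_id pair using the enumeration listed above, emitting array-typed attributes as lists, preserving the original record in raw_data, and routing fields the mapping does not recognise into unmapped. The vendor record layout, its field names, its verdict vocabulary and the sample record are all constructed for illustration; the internal {name, value} shape assumed for Unmapped entries is also an assumption, since the page lists only the type name.

```python
"""Normalize a vendor alert's evidence into an OCSF 1.4.0 `evidences` object.

Added example; not OCSF project code. Only the OCSF attribute names and the
verdict_id enumeration come from the Evidence Artifacts page. The vendor
record format, its verdict strings and the sample record are constructed.
"""

# verdict_id enumeration exactly as listed on the page: label -> (id, caption)
VERDICTS = {
    "UNKNOWN": (0, "Unknown"),
    "FALSE_POSITIVE": (1, "False Positive"),
    "TRUE_POSITIVE": (2, "True Positive"),
    "DISREGARD": (3, "Disregard"),
    "SUSPICIOUS": (4, "Suspicious"),
    "BENIGN": (5, "Benign"),
    "TEST": (6, "Test"),
    "INSUFFICIENT_DATA": (7, "Insufficient Data"),
    "SECURITY_RISK": (8, "Security Risk"),
    "MANAGED_EXTERNALLY": (9, "Managed Externally"),
    "DUPLICATE": (10, "Duplicate"),
    "OTHER": (99, "Other"),
}

# Assumed (constructed) vendor verdict vocabulary -> OCSF verdict label.
# Anything not in this table is reported as OTHER (99) with the raw string
# kept in `verdict`, so an unexpected vendor value is never silently
# coerced into a benign or true-positive outcome.
VENDOR_VERDICT_MAP = {
    "malicious": "TRUE_POSITIVE",
    "falsePositive": "FALSE_POSITIVE",
    "benign": "BENIGN",
    "suspicious": "SUSPICIOUS",
    "unknown": "UNKNOWN",
}

# Assumed vendor field -> (OCSF evidence attribute, attribute is an array).
# Sub-objects are assumed to be already normalized to their OCSF object types.
FIELD_MAP = {
    "evidenceId": ("uid", False),
    "evidenceType": ("name", False),
    "user": ("user", True),
    "process": ("process", True),
    "file": ("file", True),
    "remoteUrl": ("url", True),
}


def normalize_verdict(raw):
    """Return (verdict, verdict_id) for a vendor verdict string.

    A missing verdict is UNKNOWN (0); an unrecognized one is OTHER (99)
    with the source value preserved in the string sibling.
    """
    if raw is None or raw == "":
        vid, caption = VERDICTS["UNKNOWN"]
        return caption, vid
    label = VENDOR_VERDICT_MAP.get(raw)
    if label is None:
        return raw, VERDICTS["OTHER"][0]
    vid, caption = VERDICTS[label]
    return caption, vid


def build_evidence(record):
    """Build one OCSF `evidences` entry from a constructed vendor record."""
    evidence = {}
    unmapped = []
    for key, value in record.items():
        if key == "verdict":
            evidence["verdict"], evidence["verdict_id"] = normalize_verdict(value)
        elif key in FIELD_MAP:
            attr, is_array = FIELD_MAP[key]
            # Array-typed attributes are always lists, even for a single item.
            if is_array and not isinstance(value, list):
                value = [value]
            evidence[attr] = value
        else:
            # Assumption: an Unmapped entry is a {name, value} pair; the page
            # gives only the type name Unmapped[], not its inner fields.
            unmapped.append({"name": key, "value": value})
    if "verdict_id" not in evidence:
        evidence["verdict"], evidence["verdict_id"] = normalize_verdict(None)
    if unmapped:
        evidence["unmapped"] = unmapped
    # raw_data keeps the source record verbatim for later re-examination.
    evidence["raw_data"] = dict(record)
    return evidence


# Constructed sample record; not a real vendor payload.
SAMPLE_RECORD = {
    "evidenceId": "ev-0001",
    "evidenceType": "processEvidence",
    "verdict": "malicious",
    "process": {"name": "powershell.exe",
                "cmd_line": "powershell.exe -NoProfile -Command Get-Process"},
    "user": {"name": "jdoe"},
    "sensorVersion": "7.1",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_evidence(SAMPLE_RECORD), indent=2))
```

The check worth keeping from this example is the handling of unrecognized verdicts: mapping them to 99 (Other) and carrying the source string in `verdict` keeps the artifact honest about what the vendor actually said, whereas defaulting to Benign or True Positive would misstate the evidence for every consumer downstream.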

Relationships

Inbound Relationships

These objects and events reference Evidence Artifacts in their attributes:

Outbound Relationships

Evidence Artifacts references the following objects and events in its attributes:

This page describes ocsf-1.4.0