Observable

observable

The observable object is a pivot element that contains related information found in many places in the event.

Attributes

Caption	Name	Type	Description
Name	`name`	String	The full name of the observable attribute. The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Reputation Scores	`reputation`	Reputation[]	Contains the original and normalized reputation scores.
Type	`type`	String	The observable value type name.
Type ID	`type_id`	Integer	The observable value type identifier. `0`: Unknown (`UNKNOWN`) `99`: Other (`OTHER`) `28`: Registry Key (`REGISTRY_KEY`) `29`: Registry Value (`REGISTRY_VALUE`) `43`: Registry Value Object: name (`REGISTRY_VALUE_OBJECT_NAME`) `34`: Account Object: name (`ACCOUNT_OBJECT_NAME`) `35`: Account Object: uid (`ACCOUNT_OBJECT_UID`) `44`: Advisory Object: uid (`ADVISORY_OBJECT_UID`) `27`: Container (`CONTAINER`) `18`: CVE Object: uid (`CVE_OBJECT_UID`) `17`: CWE Object: uid (`CWE_OBJECT_UID`) `20`: Endpoint (`ENDPOINT`) `47`: Device Object: uid (`DEVICE_OBJECT_UID`) `22`: Email (`EMAIL`) `40`: Email Object: subject (`EMAIL_OBJECT_SUBJECT`) `41`: Email Object: uid (`EMAIL_OBJECT_UID`) `24`: File (`FILE`) `30`: Fingerprint (`FINGERPRINT`) `32`: Group Object: name (`GROUP_OBJECT_NAME`) `33`: Group Object: uid (`GROUP_OBJECT_UID`) `26`: Geo Location (`GEO_LOCATION`) `25`: Linux Process (`LINUX_PROCESS`) `39`: Linux Process Object: uid (`LINUX_PROCESS_OBJECT_UID`) `38`: Resource Details Object: name (`RESOURCE_DETAILS_OBJECT_NAME`) `23`: Uniform Resource Locator (`UNIFORM_RESOURCE_LOCATOR`) `21`: User (`USER`) `31`: User Object: uid (`USER_OBJECT_UID`) `13`: Command Line (`COMMAND_LINE`) `14`: Country (`COUNTRY`) `19`: User Credential ID (`USER_CREDENTIAL_ID`) `42`: Message UID (`MESSAGE_UID`) `15`: Process ID (`PROCESS_ID`) `36`: Script Content (`SCRIPT_CONTENT`) `37`: Serial Number (`SERIAL_NUMBER`) `16`: HTTP User-Agent (`HTTP_USER_AGENT`) `5`: Email Address (`EMAIL_ADDRESS`) `8`: Hash (`HASH`) `7`: File Name (`FILE_NAME`) `45`: File Path (`FILE_PATH`) `1`: Hostname (`HOSTNAME`) `2`: IP Address (`IP_ADDRESS`) `3`: MAC Address (`MAC_ADDRESS`) `11`: Port (`PORT`) `9`: Process Name (`PROCESS_NAME`) `10`: Resource UID (`RESOURCE_UID`) `12`: Subnet (`SUBNET`) `6`: URL String (`URL_STRING`) `4`: User Name (`USER_NAME`) `46`: Registry Key Path (`REGISTRY_KEY_PATH`)
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Value	`value`	String	The value associated with the observable attribute. The meaning of the value depends on the observable type.If the name refers to a scalar attribute, then the value is the value of the attribute.If the name refers to an object attribute, then the value is not populated.

Relationships

Inbound Relationships

These objects and events reference Observable in their attributes:

Outbound Relationships

Observable references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0