Observable

observable

The observable object is a pivot element that contains related information found in many places in the event.

Attributes

CaptionNameTypeDescription
NamenameStringThe full name of the observable attribute. The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name.
Raw Dataraw_dataJSONGroup:context

The event data as received from the event source.
Record IDrecord_idStringGroup:primary

Unique identifier for the object
Reputation ScoresreputationReputation[]Contains the original and normalized reputation scores.
TypetypeStringThe observable value type name.
Type IDtype_idIntegerThe observable value type identifier.
  • 0: Unknown (UNKNOWN)
  • 99: Other (OTHER)
  • 28: Registry Key (REGISTRY_KEY)
  • 29: Registry Value (REGISTRY_VALUE)
  • 43: Registry Value Object: name (REGISTRY_VALUE_OBJECT_NAME)
  • 34: Account Object: name (ACCOUNT_OBJECT_NAME)
  • 35: Account Object: uid (ACCOUNT_OBJECT_UID)
  • 44: Advisory Object: uid (ADVISORY_OBJECT_UID)
  • 27: Container (CONTAINER)
  • 18: CVE Object: uid (CVE_OBJECT_UID)
  • 17: CWE Object: uid (CWE_OBJECT_UID)
  • 20: Endpoint (ENDPOINT)
  • 47: Device Object: uid (DEVICE_OBJECT_UID)
  • 22: Email (EMAIL)
  • 40: Email Object: subject (EMAIL_OBJECT_SUBJECT)
  • 41: Email Object: uid (EMAIL_OBJECT_UID)
  • 24: File (FILE)
  • 30: Fingerprint (FINGERPRINT)
  • 32: Group Object: name (GROUP_OBJECT_NAME)
  • 33: Group Object: uid (GROUP_OBJECT_UID)
  • 26: Geo Location (GEO_LOCATION)
  • 25: Linux Process (LINUX_PROCESS)
  • 39: Linux Process Object: uid (LINUX_PROCESS_OBJECT_UID)
  • 38: Resource Details Object: name (RESOURCE_DETAILS_OBJECT_NAME)
  • 23: Uniform Resource Locator (UNIFORM_RESOURCE_LOCATOR)
  • 21: User (USER)
  • 31: User Object: uid (USER_OBJECT_UID)
  • 13: Command Line (COMMAND_LINE)
  • 14: Country (COUNTRY)
  • 19: User Credential ID (USER_CREDENTIAL_ID)
  • 42: Message UID (MESSAGE_UID)
  • 15: Process ID (PROCESS_ID)
  • 36: Script Content (SCRIPT_CONTENT)
  • 37: Serial Number (SERIAL_NUMBER)
  • 16: HTTP User-Agent (HTTP_USER_AGENT)
  • 5: Email Address (EMAIL_ADDRESS)
  • 8: Hash (HASH)
  • 7: File Name (FILE_NAME)
  • 45: File Path (FILE_PATH)
  • 1: Hostname (HOSTNAME)
  • 2: IP Address (IP_ADDRESS)
  • 3: MAC Address (MAC_ADDRESS)
  • 11: Port (PORT)
  • 9: Process Name (PROCESS_NAME)
  • 10: Resource UID (RESOURCE_UID)
  • 12: Subnet (SUBNET)
  • 6: URL String (URL_STRING)
  • 4: User Name (USER_NAME)
  • 46: Registry Key Path (REGISTRY_KEY_PATH)
UnmappedunmappedUnmapped[]Data from the source that was not mapped into the schema.
ValuevalueStringThe value associated with the observable attribute. The meaning of the value depends on the observable type.If the name refers to a scalar attribute, then the value is the value of the attribute.If the name refers to an object attribute, then the value is not populated.

Relationships

Observable shown in context

Inbound Relationships

These objects and events reference Observable in their attributes:

Outbound Relationships

Observable references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0


Did this page help you?