Observable

The full name of the observable attribute. The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

Contains the original and normalized reputation scores.

The observable value type name.

The observable value type identifier.

• 0: Unknown (UNKNOWN)
• 1: Hostname (HOSTNAME)
• 10: Resource UID (RESOURCE_UID)
• 11: Port (PORT)
• 12: Subnet (SUBNET)
• 13: Command Line (COMMAND_LINE)
• 14: Country (COUNTRY)
• 15: Process ID (PROCESS_ID)
• 16: HTTP User-Agent (HTTP_USER_AGENT)
• 17: CWE ID (CWE_ID)
• 18: CVE ID (CVE_ID)
• 19: User Credential ID (USER_CREDENTIAL_ID)
• 2: IP Address (IP_ADDRESS)
• 20: Endpoint (ENDPOINT)
• 21: User (USER)
• 22: Email (EMAIL)
• 23: Uniform Resource Locator (UNIFORM_RESOURCE_LOCATOR)
• 24: File (FILE)
• 25: Process (PROCESS)
• 26: Geo Location (GEO_LOCATION)
• 27: Container (CONTAINER)
• 28: Registry Key (REGISTRY_KEY)
• 29: Registry Value (REGISTRY_VALUE)
• 3: MAC Address (MAC_ADDRESS)
• 30: Fingerprint (FINGERPRINT)
• 31: User Object: uid (USER_OBJECT_UID)
• 32: Group Object: name (GROUP_OBJECT_NAME)
• 33: Group Object: uid (GROUP_OBJECT_UID)
• 34: Account Object: name (ACCOUNT_OBJECT_NAME)
• 35: Account Object: uid (ACCOUNT_OBJECT_UID)
• 36: Script Content (SCRIPT_CONTENT)
• 37: Serial Number (SERIAL_NUMBER)
• 38: Resource Details Object: name (RESOURCE_DETAILS_OBJECT_NAME)
• 4: User Name (USER_NAME)
• 5: Email Address (EMAIL_ADDRESS)
• 6: URL String (URL_STRING)
• 7: File Name (FILE_NAME)
• 8: Hash (HASH)
• 9: Process Name (PROCESS_NAME)
• 99: Other (OTHER)

Data from the source that was not mapped into the schema.

The value associated with the observable attribute. The meaning of the value depends on the observable type.
If the name refers to a scalar attribute, then the value is the value of the attribute.
If the name refers to an object attribute, then the value is not populated.