OSINT

osint

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

Attributes

Caption	Name	Type	Description
Related DNS Answers	`answers`	DNS Answer[]	Any pertinent DNS answers information related to an indicator or OSINT analysis.
MITRE ATT&CK® Details	`attacks`	MITRE ATT&CK®[]	MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.
Autonomous System	`autonomous_system`	Autonomous System[]	Any pertinent autonomous system information related to an indicator or OSINT analysis.
Analyst Comments	`comment`	String	Analyst commentary or source commentary about an indicator or OSINT analysis.
Confidence	`confidence`	String	The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.
Confidence ID	`confidence_id`	Integer	The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious. `0`: Unknown (`UNKNOWN`) `1`: Low (`LOW`) `2`: Medium (`MEDIUM`) `3`: High (`HIGH`) `99`: Other (`OTHER`)
Related Email	`email`	Email[]	Entity:`EMAIL` Any email information pertinent to an indicator or OSINT analysis.
Related Email Authentication	`email_auth`	Email Authentication[]	Any email authentication information pertinent to an indicator or OSINT analysis.
Related File	`file`	File[]	Entity:`FILE` Any pertinent file information related to an indicator or OSINT analysis.
Kill Chain	`kill_chain`	Kill Chain Phase[]	Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.
Geo Location	`location`	Geo Location[]	Entity:`GEO_LOCATION` Any pertinent geolocation information related to an indicator or OSINT analysis.
Name	`name`	String	The name of the entity.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Related Analytics	`related_analytics`	Analytic[]	Any analytics related to an indicator or OSINT analysis.
Reputation Scores	`reputation`	Reputation[]	Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.
Related Script Data	`script`	Script[]	Any pertinent script information related to an indicator or OSINT analysis.
Related Digital Signatures	`signatures`	Digital Signature[]	Any digital signatures or hashes related to an indicator or OSINT analysis.
Source URL	`src_url`	URL String	Entity:`URL_STRING` The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.
Related Subdomains	`subdomains`	String[]	Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.
Related Subnet	`subnet`	Subnet	Entity:`SUBNET` A CIDR or network block related to an indicator or OSINT analysis.
Traffic Light Protocol	`tlp`	String	The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared. `AMBER`: TLP:AMBER (`TLPAMBER`) `AMBER STRICT`: TLP:AMBER+STRICT (`TLPAMBER+STRICT`) `CLEAR`: TLP:CLEAR (`TLPCLEAR`) `GREEN`: TLP:GREEN (`TLPGREEN`) `RED`: TLP:RED (`TLPRED`) `WHITE`: TLP:WHITE (`TLPWHITE`)
Type	`type`	String	The OSINT indicator type.
Indicator Type ID	`type_id`	Integer	The OSINT indicator type ID. `0`: Unknown (`UNKNOWN`) `1`: IP Address (`IP_ADDRESS`) `10`: Vulnerability (`VULNERABILITY`) `11`: File (`FILE`) `12`: Registry Key (`REGISTRY_KEY`) `13`: Registry Value (`REGISTRY_VALUE`) `14`: Command Line (`COMMAND_LINE`) `2`: Domain (`DOMAIN`) `3`: Hostname (`HOSTNAME`) `4`: Hash (`HASH`) `5`: URL (`URL`) `6`: User Agent (`USER_AGENT`) `7`: Digital Certificate (`DIGITAL_CERTIFICATE`) `8`: Email (`EMAIL`) `9`: Email Address (`EMAIL_ADDRESS`) `99`: Other (`OTHER`)
Unique ID	`uid`	String	The unique identifier of the entity.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.
Indicator	`value`	String	The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.
Vendor Name	`vendor_name`	String	The vendor name of a tool which generates intelligence or provides indicators.
Related Vulnerabilities	`vulnerabilities`	Vulnerability Details[]	Any vulnerabilities related to an indicator or OSINT analysis.
WHOIS	`whois`	WHOIS[]	Any pertinent WHOIS information related to an indicator or OSINT analysis.

Relationships

Inbound Relationships

These objects and events reference OSINT in their attributes:

Outbound Relationships

OSINT references the following objects and events in its attributes:

This page describes ocsf-1.4.0