OSINT
osint
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Related DNS Answers | answers | DNS Answer[] | Any pertinent DNS answers information related to an indicator or OSINT analysis. |
| MITRE ATT&CK® and ATLAS™ Details | attacks | MITRE ATT&CK® & ATLAS™[] | MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis. |
| Autonomous System | autonomous_system | Autonomous System[] | Any pertinent autonomous system information related to an indicator or OSINT analysis. |
| Campaign | campaign | Campaign[] | The campaign object describes details about the campaign that was the source of the activity. |
| Category | category | String | Categorizes the threat indicator based on its functional or operational role. |
| Analyst Comments | comment | String | Analyst commentary or source commentary about an indicator or OSINT analysis. |
| Confidence | confidence | String | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst. |
| Confidence ID | confidence_id | Integer | The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious. |
| Created Time | created_time | Timestamp | The timestamp when the indicator was initially created or identified. |
| Creator | creator | User[] | Entity: |
| Description | desc | String | A detailed explanation of the indicator, including its context, purpose, and relevance. |
| Detection Pattern | detection_pattern | String | The specific detection pattern or signature associated with the indicator. |
| Detection Pattern | detection_pattern_type | String | The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source. |
| Detection Pattern Type ID | detection_pattern_type_id | Integer | Specifies the type of detection pattern used to identify the associated threat indicator. |
| Related Email | email | Email[] | Entity: |
| Related Email Authentication | email_auth | Email Authentication[] | Any email authentication information pertinent to an indicator or OSINT analysis. |
| Expiration Time | expiration_time | Timestamp | The expiration date of the indicator, after which it is no longer considered reliable. |
| External ID | external_uid | String | A unique identifier assigned by an external system for cross-referencing. |
| Related File | file | File[] | Entity: |
| Intrusion Sets | intrusion_sets | String[] | A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label. |
| Kill Chain | kill_chain | Kill Chain Phase[] | Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis. |
| Labels | labels | String[] | Tags or keywords associated with the indicator to enhance searchability. |
| Geo Location | location | Geo Location[] | Entity: |
| Malware | malware | Malware[] | A list of Malware objects, describing details about the identified malware. |
| Modified Time | modified_time | Timestamp | The timestamp of the last modification or update to the indicator. |
| Name | name | String | The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name. |
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| References | references | String[] | Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI. |
| Related Analytics | related_analytics | Analytic[] | Any analytics related to an indicator or OSINT analysis. |
| Reputation Scores | reputation | Reputation[] | Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis. |
| Risk Score | risk_score | Integer | A numerical representation of the threat indicator’s risk level. |
| Related Script Data | script | Script[] | Any pertinent script information related to an indicator or OSINT analysis. |
| Severity | severity | String | Represents the severity level of the threat indicator, typically reflecting its potential impact or damage. |
| Severity ID | severity_id | Integer | The normalized severity level of the threat indicator, typically reflecting its potential impact or damage. |
| Related Digital Signatures | signatures | Digital Signature[] | Any digital signatures or hashes related to an indicator or OSINT analysis. |
| Source URL | src_url | URL String | Entity: |
| Related Subdomains | subdomains | String[] | Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis. |
| Related Subnet | subnet | Subnet | Entity: |
| Threat Actor | threat_actor | Threat Actor[] | A threat actor is an individual or group that conducts malicious cyber activities, often with financial, political, or ideological motives. |
| Traffic Light Protocol | tlp | String | The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared. |
| Type | type | String | The OSINT indicator type. |
| Indicator Type ID | type_id | Integer | The OSINT indicator type ID. |
| Unique ID | uid | String | The unique identifier for the OSINT object. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| Uploaded Time | uploaded_time | Timestamp | The timestamp indicating when the associated indicator or intelligence was added to the system or repository. |
| Indicator | value | String | The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name. |
| Vendor Name | vendor_name | String | The vendor name of a tool which generates intelligence or provides indicators. |
| Related Vulnerabilities | vulnerabilities | Vulnerability Details[] | Any vulnerabilities related to an indicator or OSINT analysis. |
| WHOIS | whois | WHOIS[] | Any pertinent WHOIS information related to an indicator or OSINT analysis. |
Relationships
Inbound Relationships
These objects and events reference OSINT in their attributes:
- FTP Activity
- Web Resource Access Activity
- Scan Activity
- Email File Activity
- File System Activity
- Device Config State Change
- User Inventory Info
- Module Query
- Kernel Activity
- IAM Analysis Finding
- Base Event
- SSH Activity
- Group Management
- Registry Value Query
- Data Security Finding
- Email Activity
- File Remediation Activity
- Module Activity
- Windows Service Activity
- Device Inventory Info
- File Hosting Activity
- Authorize Session
- Registry Value Activity
- Application Lifecycle
- DNS Activity
- Account Change
- Airborne Broadcast Activity
- Operating System Patch State
- Incident Finding
- Drone Flights Activity
- DHCP Activity
- Remediation Activity
- Kernel Extension Activity
- User Session Query
- Cloud Resources Inventory Info
- Web Resources Activity
- Script Activity
- File Query
- Detection Finding
- Process Query
- OSINT Inventory Info
- Compliance Finding
- Network Activity
- Entity Management
- Vulnerability Finding
- Admin Group Query
- RDP Activity
- Peripheral Device Query
- Network Connection Query
- Windows Resource Activity
- Application Security Posture Finding
- Live Evidence Info
- Registry Key Activity
- Authentication
- Application Error
- Folder Query
- Datastore Activity
- Tunnel Activity
- Process Remediation Activity
- NTP Activity
- Event Log Activity
- Scheduled Job Activity
- Prefetch Query
- Process Activity
- Memory Activity
- Startup Item Query
- Network File Activity
- Security Finding
- Registry Key Query
- Kernel Object Query
- User Access Management
- Service Query
- Job Query
- API Activity
- HTTP Activity
- Device Config State
- Email URL Activity
- Network Remediation Activity
- Networks Query
- Software Inventory Info
- User Query
- SMB Activity
Outbound Relationships
OSINT references the following objects and events in its attributes:
- Analytic
- Script
- Geo Location
- Reputation
- Autonomous System
- User
- File
- DNS Answer
- MITRE ATT&CK® & ATLAS™
- Vulnerability Details
- Unmapped
- Kill Chain Phase
- Campaign
- Digital Signature
- Malware
- WHOIS
- Email Authentication
- Threat Actor
This page describes qdm-1.5.1+ocsf-1.6.0