OSINT
osint
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Related DNS Answers | answers | DNS Answer[] | Any pertinent DNS answers information related to an indicator or OSINT analysis. |
MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis. |
Autonomous System | autonomous_system | Autonomous System[] | Any pertinent autonomous system information related to an indicator or OSINT analysis. |
Analyst Comments | comment | String | Analyst commentary or source commentary about an indicator or OSINT analysis. |
Confidence | confidence | String | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst. |
Confidence ID | confidence_id | Integer | The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious. |
Related Email | email | Email[] | Entity:EMAIL. Any email information pertinent to an indicator or OSINT analysis. |
Related Email Authentication | email_auth | Email Authentication[] | Any email authentication information pertinent to an indicator or OSINT analysis. |
Related File | file | File[] | Entity:FILE. Any pertinent file information related to an indicator or OSINT analysis. |
Kill Chain | kill_chain | Kill Chain Phase[] | Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis. |
Geo Location | location | Geo Location[] | Entity:GEO_LOCATION. Any pertinent geolocation information related to an indicator or OSINT analysis. |
Name | name | String | The name of the entity. |
Raw Data | raw_data | JSON | Group:context. The event data as received from the event source. |
Record ID | record_id | String | Group:primary. Unique identifier for the object. |
Related Analytics | related_analytics | Analytic[] | Any analytics related to an indicator or OSINT analysis. |
Reputation Scores | reputation | Reputation[] | Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis. |
Related Script Data | script | Script[] | Any pertinent script information related to an indicator or OSINT analysis. |
Related Digital Signatures | signatures | Digital Signature[] | Any digital signatures or hashes related to an indicator or OSINT analysis. |
Source URL | src_url | URL String | Entity:URL_STRING. The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise. |
Related Subdomains | subdomains | String[] | Any pertinent subdomain information, such as those generated by a Domain Generation Algorithm, related to an indicator or OSINT analysis. |
Related Subnet | subnet | Subnet | Entity:SUBNET. A CIDR or network block related to an indicator or OSINT analysis. |
Traffic Light Protocol | tlp | String | The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared. |
Type | type | String | The OSINT indicator type. |
Indicator Type ID | type_id | Integer | The OSINT indicator type ID. |
Unique ID | uid | String | The unique identifier of the entity. |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
Indicator | value | String | The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name. |
Vendor Name | vendor_name | String | The vendor name of a tool which generates intelligence or provides indicators. |
Related Vulnerabilities | vulnerabilities | Vulnerability Details[] | Any vulnerabilities related to an indicator or OSINT analysis. |
WHOIS | whois | WHOIS[] | Any pertinent WHOIS information related to an indicator or OSINT analysis. |
Relationships
Inbound Relationships
These objects and events reference OSINT in their attributes:
- Kernel Object Query
- Web Resource Access Activity
- Email URL Activity
- Discovery
- Web Resources Activity
- Network Connection Query
- Kernel Activity
- Memory Activity
- Script Activity
- Authentication
- Group Management
- Software Inventory Info
- Unmanned Systems
- NTP Activity
- Job Query
- Registry Key Activity
- Authorize Session
- Detection Finding
- User Session Query
- Module Query
- Scheduled Job Activity
- Device Inventory Info
- Process Remediation Activity
- Remediation Activity
- Network Remediation Activity
- User Access Management
- API Activity
- DHCP Activity
- Device Config State Change
- Drone Flights Activity
- Admin Group Query
- Security Finding
- Prefetch Query
- Email File Activity
- Networks Query
- Network Activity
- Network File Activity
- File System Activity
- Event Log Activity
- Compliance Finding
- File Query
- User Inventory Info
- File Remediation Activity
- Application Activity
- HTTP Activity
- Module Activity
- Application Lifecycle
- Datastore Activity
- FTP Activity
- Base Event
- Vulnerability Finding
- Cloud Resources Inventory Info
- Registry Value Query
- Tunnel Activity
- Network
- Windows Resource Activity
- Peripheral Device Query
- Airborne Broadcast Activity
- Process Activity
- Device Config State
- Kernel Extension Activity
- User Query
- System Activity
- Email Activity
- Operating System Patch State
- RDP Activity
- Application Error
- Startup Item Query
- Registry Key Query
- Service Query
- Entity Management
- DNS Activity
- Registry Value Activity
- Process Query
- Data Security Finding
- File Hosting Activity
- Folder Query
- SMB Activity
- Finding
- Incident Finding
- Windows Service Activity
- Scan Activity
- SSH Activity
- Account Change
- Identity & Access Management
- Discovery Result
- OSINT Inventory Info
Outbound Relationships
OSINT references the following objects and events in its attributes:
- Analytic
- Autonomous System
- Email Authentication
- Unmapped
- File
- MITRE ATT&CK®
- Geo Location
- Script
- Vulnerability Details
- WHOIS
- Digital Signature
- Reputation
- Kill Chain Phase
- DNS Answer
This page describes ocsf-1.4.0