OSINT
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Related DNS Answers | answers |
DNS Answer[] | Any pertinent DNS answers information related to an indicator or OSINT analysis. |
| MITRE ATT&CK® Details | attacks |
MITRE ATT&CK®[] | MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis. |
| Autonomous System | autonomous_system |
Autonomous System[] | Any pertinent autonomous system information related to an indicator or OSINT analysis. |
| Analyst Comments | comment |
String | Analyst commentary or source commentary about an indicator or OSINT analysis. |
| Confidence | confidence |
String | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst. |
| Confidence Id | confidence_id |
Integer |
The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.
|
| Related Email | email |
Email[] | Any email information pertinent to an indicator or OSINT analysis. |
| Related Email Authentication | email_auth |
Email Authentication[] | Any email authentication information pertinent to an indicator or OSINT analysis. |
| Kill Chain | kill_chain |
Kill Chain Phase[] | Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis. |
| Geo Location | location |
Geo Location[] | Any pertinent geolocation information related to an indicator or OSINT analysis. |
| Name | name |
String | The name of the entity. |
| Raw Data | raw_data |
JSON | The event data as received from the event source. |
| Record ID | record_id |
String | Unique identifier for the object |
| Related Digital Signatures | signatures |
Digital Signature[] | Any digital signatures or hashes related to an indicator or OSINT analysis. |
| Source URL | src_url |
URL String | The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise. |
| Related Subdomains | subdomains |
String[] | Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis. |
| Traffic Light Protocol | tlp |
String |
The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.
|
| Type | type |
String | The OSINT indicator type. |
| Indicator Type ID | type_id |
Integer |
The OSINT indicator type ID.
|
| Unique ID | uid |
String | The unique identifier of the entity. |
| Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Indicator | value |
String | The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name. |
| Vendor Name | vendor_name |
String | The vendor name of a tool which generates intelligence or provides indicators. |
| Related Vulnerabilities | vulnerabilities |
Vulnerability Details[] | Any vulnerabilities related to an indicator or OSINT analysis. |
| WHOIS | whois |
WHOIS[] | Any pertinent WHOIS information related to an indicator or OSINT analysis. |
Relationships
Inbound Relationships
These objects and events reference OSINT in their attributes:
- Process Remediation Activity
- SMB Activity
- Security Finding
- Module Query
- Device Config State
- Networks Query
- Finding
- Account Change
- Admin Group Query
- Application Lifecycle
- Discovery Result
- File Query
- File Hosting Activity
- Scheduled Job Activity
- Base Event
- Folder Query
- Incident Finding
- Memory Activity
- Data Security Finding
- Email URL Activity
- Software Inventory Info
- Network Remediation Activity
- API Activity
- Network File Activity
- RDP Activity
- Compliance Finding
- Entity Management
- Application Activity
- Job Query
- Email Delivery Activity
- File Remediation Activity
- Email File Activity
- Device Inventory Info
- HTTP Activity
- User Inventory Info
- Datastore Activity
- User Session Query
- User Access Management
- User Query
- FTP Activity
- Operating System Patch State
- Peripheral Device Query
- Authentication
- Network
- Process Query
- Windows Service Activity
- Network Connection Query
- Web Resources Activity
- File System Activity
- Registry Key Query
- Registry Key Activity
- OSINT Inventory Info
- Registry Value Activity
- Authorize Session
- Scan Activity
- Remediation Activity
- Group Management
- SSH Activity
- Service Query
- System Activity
- Event Log Activity
- Tunnel Activity
- DNS Activity
- Kernel Activity
- Network Activity
- Module Activity
- Discovery
- Registry Value Query
- Web Resource Access Activity
- Kernel Object Query
- Process Activity
- Email Activity
- NTP Activity
- Identity & Access Management
- DHCP Activity
- Device Config State Change
- Detection Finding
- Windows Resource Activity
- Prefetch Query
- Kernel Extension Activity
- Vulnerability Finding
Outbound Relationships
OSINT references the following objects and events in its attributes:
- WHOIS
- Unmapped
- MITRE ATT&CK®
- Geo Location
- Autonomous System
- DNS Answer
- Digital Signature
- Vulnerability Details
- Email Authentication
- Kill Chain Phase
This page describes qdm-1.3.2+ocsf-1.3.0
Updated 6 months ago