OSINT
osint
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Related DNS Answers | answers | DNS Answer[] | Any pertinent DNS answers information related to an indicator or OSINT analysis. |
| MITRE ATT&CK® and ATLAS™ Details | attacks | MITRE ATT&CK® & ATLAS™[] | MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis. |
| Autonomous System | autonomous_system | Autonomous System[] | Any pertinent autonomous system information related to an indicator or OSINT analysis. |
| Campaign | campaign | Campaign[] | The campaign object describes details about the campaign that was the source of the activity. |
| Category | category | String | Categorizes the threat indicator based on its functional or operational role. |
| Analyst Comments | comment | String | Analyst commentary or source commentary about an indicator or OSINT analysis. |
| Confidence | confidence | String | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst. |
| Confidence ID | confidence_id | Integer | The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.
|
| Created Time | created_time | Timestamp | The timestamp when the indicator was initially created or identified. |
| Creator | creator | User[] | Entity: |
| Description | desc | String | A detailed explanation of the indicator, including its context, purpose, and relevance. |
| Detection Pattern | detection_pattern | String | The specific detection pattern or signature associated with the indicator. |
| Detection Pattern | detection_pattern_type | String | The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source. |
| Detection Pattern Type ID | detection_pattern_type_id | Integer | Specifies the type of detection pattern used to identify the associated threat indicator.
|
| Related Email | email | Email[] | Entity: |
| Related Email Authentication | email_auth | Email Authentication[] | Any email authentication information pertinent to an indicator or OSINT analysis. |
| Expiration Time | expiration_time | Timestamp | The expiration date of the indicator, after which it is no longer considered reliable. |
| External ID | external_uid | String | A unique identifier assigned by an external system for cross-referencing. |
| Related File | file | File[] | Entity: |
| Intrusion Sets | intrusion_sets | String[] | A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label. |
| Kill Chain | kill_chain | Kill Chain Phase[] | Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis. |
| Labels | labels | String[] | Tags or keywords associated with the indicator to enhance searchability. |
| Geo Location | location | Geo Location[] | Entity: |
| Malware | malware | Malware[] | A list of Malware objects, describing details about the identified malware. |
| Modified Time | modified_time | Timestamp | The timestamp of the last modification or update to the indicator. |
| Name | name | String | The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name. |
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| References | references | String[] | Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI. |
| Related Analytics | related_analytics | Analytic[] | Any analytics related to an indicator or OSINT analysis. |
| Reputation Scores | reputation | Reputation[] | Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis. |
| Risk Score | risk_score | Integer | A numerical representation of the threat indicator’s risk level. |
| Related Script Data | script | Script[] | Any pertinent script information related to an indicator or OSINT analysis. |
| Severity | severity | String | Represents the severity level of the threat indicator, typically reflecting its potential impact or damage. |
| Severity ID | severity_id | Integer | The normalized severity level of the threat indicator, typically reflecting its potential impact or damage.
|
| Related Digital Signatures | signatures | Digital Signature[] | Any digital signatures or hashes related to an indicator or OSINT analysis. |
| Source URL | src_url | URL String | Entity: |
| Related Subdomains | subdomains | String[] | Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis. |
| Related Subnet | subnet | Subnet | Entity: |
| Threat Actor | threat_actor | Threat Actor[] | A threat actor is an individual or group that conducts malicious cyber activities, often with financial, political, or ideological motives. |
| Traffic Light Protocol | tlp | String | The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.
|
| Type | type | String | The OSINT indicator type. |
| Indicator Type ID | type_id | Integer | The OSINT indicator type ID.
|
| Unique ID | uid | String | The unique identifier for the OSINT object. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| Uploaded Time | uploaded_time | Timestamp | The timestamp indicating when the associated indicator or intelligence was added to the system or repository. |
| Indicator | value | String | The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name. |
| Vendor Name | vendor_name | String | The vendor name of a tool which generates intelligence or provides indicators. |
| Related Vulnerabilities | vulnerabilities | Vulnerability Details[] | Any vulnerabilities related to an indicator or OSINT analysis. |
| WHOIS | whois | WHOIS[] | Any pertinent WHOIS information related to an indicator or OSINT analysis. |
Relationships
Inbound Relationships
These objects and events reference OSINT in their attributes:
- RDP Activity
- Device Config State
- File Hosting Activity
- Email File Activity
- Software Inventory Info
- Device Inventory Info
- Kernel Object Query
- Network Activity
- File Query
- Registry Key Query
- Event Log Activity
- Registry Value Query
- User Inventory Info
- SSH Activity
- Service Query
- Drone Flights Activity
- Cloud Resources Inventory Info
- Security Finding
- Entity Management
- Process Query
- Startup Item Query
- Detection Finding
- NTP Activity
- DHCP Activity
- Network File Activity
- Web Resources Activity
- Remediation Activity
- Compliance Finding
- Vulnerability Finding
- Authentication
- Script Activity
- Scan Activity
- File Remediation Activity
- Process Activity
- Networks Query
- Group Management
- Registry Key Activity
- Scheduled Job Activity
- User Query
- Module Query
- DNS Activity
- Module Activity
- Incident Finding
- Airborne Broadcast Activity
- Email URL Activity
- User Access Management
- Network Remediation Activity
- Tunnel Activity
- User Session Query
- Application Error
- SMB Activity
- Network Connection Query
- Peripheral Device Query
- Windows Resource Activity
- Process Remediation Activity
- Windows Service Activity
- Operating System Patch State
- Data Security Finding
- Job Query
- Folder Query
- Prefetch Query
- Admin Group Query
- Device Config State Change
- Datastore Activity
- Email Activity
- Registry Value Activity
- IAM Analysis Finding
- Application Lifecycle
- Authorize Session
- Kernel Activity
- Application Security Posture Finding
- File System Activity
- FTP Activity
- API Activity
- Kernel Extension Activity
- Web Resource Access Activity
- Live Evidence Info
- Account Change
- Memory Activity
- HTTP Activity
- OSINT Inventory Info
- Base Event
Outbound Relationships
OSINT references the following objects and events in its attributes:
- Email Authentication
- Geo Location
- Unmapped
- WHOIS
- Digital Signature
- Campaign
- Reputation
- Threat Actor
- Analytic
- MITRE ATT&CK® & ATLAS™
- Malware
- File
- Script
- Autonomous System
- DNS Answer
- Kill Chain Phase
- User
- Vulnerability Details
This page describes qdm-1.5.1+ocsf-1.6.0
Updated 8 days ago