Query Evidence
query_evidence
The resulting evidence information that was queried.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Connection Info | connection_info | Network Connection Information[] | Group:primaryThe network connection information related to a Network Connection query type. |
| File | file | File[] | Entity:FILEGroup: primaryThe file that is the target of the query when query_type_id indicates a File query. |
| Folder | folder | File[] | Entity:FILEGroup: primaryThe folder that is the target of the query when query_type_id indicates a Folder query. |
| Group | group | Group[] | Group:primaryThe administrative group that is the target of the query when query_type_id indicates an Admin Group query. |
| Job | job | Job[] | Group:primaryThe job object that pertains to the event when query_type_id indicates a Job query. |
| Kernel | kernel | Kernel Resource[] | Group:primaryThe kernel object that pertains to the event when query_type_id indicates a Kernel query. |
| Module | module | Module[] | Group:primaryThe module that pertains to the event when query_type_id indicates a Module query. |
| Network Interfaces | network_interfaces | Network Interface[] | Group:primaryThe physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query. |
| Peripheral Device | peripheral_device | Peripheral Device[] | Group:primaryThe peripheral device that triggered the event when query_type_id indicates a Peripheral Device query. |
| Process | process | Linux Process[] | Entity:LINUX_PROCESSGroup: primaryThe process that pertains to the event when query_type_id indicates a Process query. |
| Query Type | query_type | String | Group:classificationThe normalized caption of query_type_id or the source-specific query type. |
| Query Type ID | query_type_id | Integer | Group:classificationThe normalized type of system query performed against a device or system component.
|
| Registry Key | reg_key | Registry Key[] | Group:primaryThe registry key object describes a Windows registry key. |
| Registry Value | reg_value | Registry Value[] | Group:primaryThe registry key object describes a Windows registry value. |
| Service | service | Service[] | Group:primaryThe service that pertains to the event when query_type_id indicates a Service query. |
| Session | session | Session[] | Group:primaryThe authenticated user or service session when query_type_id indicates a Session query. |
| Startup Item | startup_item | Startup Item[] | Group:primaryThe startup item object that pertains to the event when query_type_id indicates a Startup Item query. |
| Network Connection State | state | String | Group:contextThe state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. |
| TCP State ID | tcp_state_id | Integer | Group:contextThe state of the TCP socket for the network connection.
|
| User | user | User[] | Entity:USERGroup: primaryThe user that pertains to the event when query_type_id indicates a User query. |
| Users | users | User[] | Entity:USERGroup: contextThe users that belong to the administrative group when query_type_id indicates a Users query. |
Relationships
Inbound Relationships
These objects and events reference Query Evidence in their attributes:
Outbound Relationships
Query Evidence references the following objects and events in its attributes:
- Registry Value
- Group
- User
- Module
- Network Interface
- Peripheral Device
- Registry Key
- Kernel Resource
- Linux Process
- Session
- Startup Item
- Service
- File
- Network Connection Information
- Job
This page describes qdm-1.5.1+ocsf-1.6.0