# Query Evidence

`query_evidence`

The resulting evidence information that was queried.

## Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Connection Info | connection_info | Network Connection Information[] | Group: primary. The network connection information related to a Network Connection query type. |
| File | file | File[] | Entity: FILE. Group: primary. The file that is the target of the query when query_type_id indicates a File query. |
| Folder | folder | File[] | Entity: FILE. Group: primary. The folder that is the target of the query when query_type_id indicates a Folder query. |
| Group | group | Group[] | Group: primary. The administrative group that is the target of the query when query_type_id indicates an Admin Group query. |
| Job | job | Job[] | Group: primary. The job object that pertains to the event when query_type_id indicates a Job query. |
| Kernel | kernel | Kernel Resource[] | Group: primary. The kernel object that pertains to the event when query_type_id indicates a Kernel query. |
| Module | module | Module[] | Group: primary. The module that pertains to the event when query_type_id indicates a Module query. |
| Network Interfaces | network_interfaces | Network Interface[] | Group: primary. The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query. |
| Peripheral Device | peripheral_device | Peripheral Device[] | Group: primary. The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query. |
| Process | process | Linux Process[] | Entity: LINUX_PROCESS. Group: primary. The process that pertains to the event when query_type_id indicates a Process query. |
| Query Type | query_type | String | Group: classification. The normalized caption of query_type_id or the source-specific query type. |
| Query Type ID | query_type_id | Integer | Group: classification. The normalized type of system query performed against a device or system component. |
| Registry Key | reg_key | Registry Key[] | Group: primary. The registry key object describes a Windows registry key. |
| Registry Value | reg_value | Registry Value[] | Group: primary. The registry value object describes a Windows registry value. |
| Service | service | Service[] | Group: primary. The service that pertains to the event when query_type_id indicates a Service query. |
| Session | session | Session[] | Group: primary. The authenticated user or service session when query_type_id indicates a Session query. |
| Startup Item | startup_item | Startup Item[] | Group: primary. The startup item object that pertains to the event when query_type_id indicates a Startup Item query. |
| Network Connection State | state | String | Group: context. The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. |
| TCP State ID | tcp_state_id | Integer | Group: context. The state of the TCP socket for the network connection. |
| User | user | User[] | Entity: USER. Group: primary. The user that pertains to the event when query_type_id indicates a User query. |
| Users | users | User[] | Entity: USER. Group: context. The users that belong to the administrative group when query_type_id indicates a Users query. |
## Relationships

### Inbound Relationships

These objects and events reference Query Evidence in their attributes:

### Outbound Relationships

Query Evidence references the following objects and events in its attributes:
- Linux Process
- Peripheral Device
- Session
- Kernel Resource
- User
- File
- Registry Key
- Job
- Startup Item
- Network Interface
- Module
- Registry Value
- Service
- Group
- Network Connection Information

This page describes qdm-1.5.1+ocsf-1.6.0