Query Evidence

query_evidence

The resulting evidence information that was queried.

Attributes

CaptionNameTypeDescription
Connection Infoconnection_infoNetwork Connection Information[]Group:primary

The network connection information related to a Network Connection query type.
FilefileFile[]Entity:FILE
Group:primary

The file that is the target of the query when query_type_id indicates a File query.
FolderfolderFile[]Entity:FILE
Group:primary

The folder that is the target of the query when query_type_id indicates a Folder query.
GroupgroupGroup[]Group:primary

The administrative group that is the target of the query when query_type_id indicates an Admin Group query.
JobjobJob[]Group:primary

The job object that pertains to the event when query_type_id indicates a Job query.
KernelkernelKernel Resource[]Group:primary

The kernel object that pertains to the event when query_type_id indicates a Kernel query.
ModulemoduleModule[]Group:primary

The module that pertains to the event when query_type_id indicates a Module query.
Network Interfacesnetwork_interfacesNetwork Interface[]Group:primary

The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query.
Peripheral Deviceperipheral_devicePeripheral Device[]Group:primary

The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query.
ProcessprocessLinux Process[]Entity:LINUX_PROCESS
Group:primary

The process that pertains to the event when query_type_id indicates a Process query.
Query Typequery_typeStringGroup:classification

The normalized caption of query_type_id or the source-specific query type.
Query Type IDquery_type_idIntegerGroup:classification

The normalized type of system query performed against a device or system component.
  • 0: Unknown (UNKNOWN)
  • 1: Kernel (KERNEL)
  • 2: File (FILE)
  • 3: Folder (FOLDER)
  • 4: Admin Group (ADMIN_GROUP)
  • 5: Job (JOB)
  • 6: Module (MODULE)
  • 7: Network Connection (NETWORK_CONNECTION)
  • 8: Network Interfaces (NETWORK_INTERFACES)
  • 9: Peripheral Device (PERIPHERAL_DEVICE)
  • 10: Process (PROCESS)
  • 11: Service (SERVICE)
  • 12: Session (SESSION)
  • 13: User (USER)
  • 14: Users (USERS)
  • 15: Startup Item (STARTUP_ITEM)
  • 16: Registry Key (REGISTRY_KEY)
  • 17: Registry Value (REGISTRY_VALUE)
  • 18: Prefetch (PREFETCH)
  • 99: Other (OTHER)
Registry Keyreg_keyRegistry Key[]Group:primary

The registry key object describes a Windows registry key.
Registry Valuereg_valueRegistry Value[]Group:primary

The registry key object describes a Windows registry value.
ServiceserviceService[]Group:primary

The service that pertains to the event when query_type_id indicates a Service query.
SessionsessionSession[]Group:primary

The authenticated user or service session when query_type_id indicates a Session query.
Startup Itemstartup_itemStartup Item[]Group:primary

The startup item object that pertains to the event when query_type_id indicates a Startup Item query.
Network Connection StatestateStringGroup:context

The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.
TCP State IDtcp_state_idIntegerGroup:context

The state of the TCP socket for the network connection.
  • 0: Unknown (UNKNOWN)
  • 1: ESTABLISHED (ESTABLISHED)
  • 2: SYN-SENT (SYN_SENT)
  • 3: SYN-RECEIVED (SYN_RECEIVED)
  • 4: FIN-WAIT-1 (FIN_WAIT_1)
  • 5: FIN-WAIT-2 (FIN_WAIT_2)
  • 6: TIME-WAIT (TIME_WAIT)
  • 7: CLOSED (CLOSED)
  • 8: CLOSE-WAIT (CLOSE_WAIT)
  • 9: LAST-ACK (LAST_ACK)
  • 10: LISTEN (LISTEN)
  • 11: CLOSING (CLOSING)
UseruserUser[]Entity:USER
Group:primary

The user that pertains to the event when query_type_id indicates a User query.
UsersusersUser[]Entity:USER
Group:context

The users that belong to the administrative group when query_type_id indicates a Users query.

Relationships

Query Evidence shown in context

Inbound Relationships

These objects and events reference Query Evidence in their attributes:

Outbound Relationships

Query Evidence references the following objects and events in its attributes:

This page describes qdm-1.5.1+ocsf-1.6.0