query_evidence
The resulting evidence information that was queried.
| Caption | Name | Type | Description |
|---|---|---|---|
| Connection Info | connection_info | Network Connection Information[] | Group: primary. The network connection information related to a Network Connection query type. |
| File | file | File[] | Entity: FILE; Group: primary. The file that is the target of the query when query_type_id indicates a File query. |
| Folder | folder | File[] | Entity: FILE; Group: primary. The folder that is the target of the query when query_type_id indicates a Folder query. |
| Group | group | Group[] | Group: primary. The administrative group that is the target of the query when query_type_id indicates an Admin Group query. |
| Job | job | Job[] | Group: primary. The job object that pertains to the event when query_type_id indicates a Job query. |
| Kernel | kernel | Kernel Resource[] | Group: primary. The kernel object that pertains to the event when query_type_id indicates a Kernel query. |
| Module | module | Module[] | Group: primary. The module that pertains to the event when query_type_id indicates a Module query. |
| Network Interfaces | network_interfaces | Network Interface[] | Group: primary. The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query. |
| Peripheral Device | peripheral_device | Peripheral Device[] | Group: primary. The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query. |
| Process | process | Linux Process[] | Entity: LINUX_PROCESS; Group: primary. The process that pertains to the event when query_type_id indicates a Process query. |
| Query Type | query_type | String | Group: classification. The normalized caption of query_type_id or the source-specific query type. |
| Query Type ID | query_type_id | Integer | Group: classification. The normalized type of system query performed against a device or system component. 0: Unknown (UNKNOWN); 1: Kernel (KERNEL); 2: File (FILE); 3: Folder (FOLDER); 4: Admin Group (ADMIN_GROUP); 5: Job (JOB); 6: Module (MODULE); 7: Network Connection (NETWORK_CONNECTION); 8: Network Interfaces (NETWORK_INTERFACES); 9: Peripheral Device (PERIPHERAL_DEVICE); 10: Process (PROCESS); 11: Service (SERVICE); 12: Session (SESSION); 13: User (USER); 14: Users (USERS); 15: Startup Item (STARTUP_ITEM); 16: Registry Key (REGISTRY_KEY); 17: Registry Value (REGISTRY_VALUE); 18: Prefetch (PREFETCH); 99: Other (OTHER) |
| Registry Key | reg_key | Registry Key[] | Group: primary. The registry key object describes a Windows registry key. |
| Registry Value | reg_value | Registry Value[] | Group: primary. The registry value object describes a Windows registry value. |
| Service | service | Service[] | Group: primary. The service that pertains to the event when query_type_id indicates a Service query. |
| Session | session | Session[] | Group: primary. The authenticated user or service session when query_type_id indicates a Session query. |
| Startup Item | startup_item | Startup Item[] | Group: primary. The startup item object that pertains to the event when query_type_id indicates a Startup Item query. |
| Network Connection State | state | String | Group: context. The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. |
| TCP State ID | tcp_state_id | Integer | Group: context. The state of the TCP socket for the network connection. 0: Unknown (UNKNOWN); 1: ESTABLISHED (ESTABLISHED); 2: SYN-SENT (SYN_SENT); 3: SYN-RECEIVED (SYN_RECEIVED); 4: FIN-WAIT-1 (FIN_WAIT_1); 5: FIN-WAIT-2 (FIN_WAIT_2); 6: TIME-WAIT (TIME_WAIT); 7: CLOSED (CLOSED); 8: CLOSE-WAIT (CLOSE_WAIT); 9: LAST-ACK (LAST_ACK); 10: LISTEN (LISTEN); 11: CLOSING (CLOSING) |
| User | user | User[] | Entity: USER; Group: primary. The user that pertains to the event when query_type_id indicates a User query. |
| Users | users | User[] | Entity: USER; Group: context. The users that belong to the administrative group when query_type_id indicates a Users query. |
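The table above ties each primary attribute to a query_type_id value and pairs the string captions (query_type, state) with their integer ids. An ingestion pipeline that trusts the integer ids but never checks that the matching evidence attribute is actually populated will happily index a Network Connection query with no connection info, or a Process query whose caption says "Folder". The following is an added example, not OCSF project code: it normalizes the captions from the ids and validates that an evidence object is internally consistent. It assumes the evidence is a plain Python dict in the JSON shape OCSF events use, the id-to-attribute mapping is derived from the descriptions in this table (Prefetch has no dedicated attribute on this page, so it is left unmapped), state is treated as mirroring the tcp_state_id caption, and the sample evidence objects are constructed for the demonstration.

```python
from copy import deepcopy

# Enum captions transcribed from the query_type_id column above.
QUERY_TYPE_CAPTIONS = {
    0: "Unknown", 1: "Kernel", 2: "File", 3: "Folder", 4: "Admin Group",
    5: "Job", 6: "Module", 7: "Network Connection", 8: "Network Interfaces",
    9: "Peripheral Device", 10: "Process", 11: "Service", 12: "Session",
    13: "User", 14: "Users", 15: "Startup Item", 16: "Registry Key",
    17: "Registry Value", 18: "Prefetch", 99: "Other",
}

# Assumption: which attribute each query type should populate, derived from
# the per-attribute descriptions. 0, 18 and 99 have no dedicated attribute.
EXPECTED_ATTRIBUTE = {
    1: "kernel", 2: "file", 3: "folder", 4: "group", 5: "job", 6: "module",
    7: "connection_info", 8: "network_interfaces", 9: "peripheral_device",
    10: "process", 11: "service", 12: "session", 13: "user", 14: "users",
    15: "startup_item", 16: "reg_key", 17: "reg_value",
}

# Enum captions transcribed from the tcp_state_id column above.
TCP_STATE_CAPTIONS = {
    0: "Unknown", 1: "ESTABLISHED", 2: "SYN-SENT", 3: "SYN-RECEIVED",
    4: "FIN-WAIT-1", 5: "FIN-WAIT-2", 6: "TIME-WAIT", 7: "CLOSED",
    8: "CLOSE-WAIT", 9: "LAST-ACK", 10: "LISTEN", 11: "CLOSING",
}


def normalize(evidence: dict) -> dict:
    """Return a copy with query_type/state filled from their *_id siblings
    when the producer omitted the caption."""
    out = deepcopy(evidence)
    qid = out.get("query_type_id")
    if "query_type" not in out and qid in QUERY_TYPE_CAPTIONS:
        out["query_type"] = QUERY_TYPE_CAPTIONS[qid]
    tid = out.get("tcp_state_id")
    if "state" not in out and tid in TCP_STATE_CAPTIONS:
        out["state"] = TCP_STATE_CAPTIONS[tid]
    return out


def validate(evidence: dict) -> list[str]:
    """Return a list of consistency problems; an empty list means the object
    is coherent with respect to the ids, captions and primary attributes."""
    problems: list[str] = []
    qid = evidence.get("query_type_id")
    if qid not in QUERY_TYPE_CAPTIONS:
        problems.append(f"query_type_id {qid!r} is not a known value")
        return problems

    # For 'Other' the caption is source-defined, so only check the rest.
    caption = evidence.get("query_type")
    if qid != 99 and caption is not None and caption != QUERY_TYPE_CAPTIONS[qid]:
        problems.append(
            f"query_type {caption!r} does not match query_type_id {qid}")

    # The primary attribute named by the query type must be present and non-empty.
    attr = EXPECTED_ATTRIBUTE.get(qid)
    if attr is not None and not evidence.get(attr):
        problems.append(
            f"{QUERY_TYPE_CAPTIONS[qid]} query should populate '{attr}'")

    # Socket state only makes sense for a Network Connection query.
    if qid == 7:
        tid = evidence.get("tcp_state_id")
        if tid is not None:
            if tid not in TCP_STATE_CAPTIONS:
                problems.append(f"tcp_state_id {tid!r} is not a known value")
            elif evidence.get("state") not in (None, TCP_STATE_CAPTIONS[tid]):
                problems.append(
                    f"state {evidence['state']!r} disagrees with tcp_state_id {tid}")
    return problems


# Constructed sample evidence objects (not real telemetry).
SAMPLE_EVIDENCE = [
    {"query_type_id": 10, "process": [{"pid": 4242, "name": "sshd"}]},
    {"query_type_id": 7, "tcp_state_id": 10, "state": "LISTEN"},  # no connection_info
    {"query_type_id": 2, "query_type": "Folder", "file": [{"name": "hosts"}]},
    {"query_type_id": 42},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVIDENCE:
        print(normalize(ev).get("query_type"), validate(ev))
```

The validator returns findings rather than raising, so a pipeline can route inconsistent objects to a quarantine index for review while still indexing well-formed ones. Extending EXPECTED_ATTRIBUTE is the only change needed if a later schema version adds a dedicated attribute for Prefetch queries.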
These objects and events reference Query Evidence in their attributes:
Query Evidence references the following objects and events in its attributes:
This page describes qdm-1.5.1+ocsf-1.6.0