Security State

security_state

The Security State object describes the security-related state of a managed entity.

Attributes

Caption | Name | Type | Description
Raw Data | raw_data | JSON | Group: context. The event data as received from the event source.
Record ID | record_id | String | Group: primary. Unique identifier for the object.
Security State | state | String | The security state, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.
Security State ID | state_id | Integer | The security state of the managed entity.
  • 0: Unknown (UNKNOWN)
  • 1: Missing or outdated content (MISSING_OR_OUTDATED_CONTENT)
  • 2: Policy mismatch (POLICY_MISMATCH)
  • 3: In network quarantine (IN_NETWORK_QUARANTINE)
  • 4: Protection off (PROTECTION_OFF)
  • 5: Protection malfunction (PROTECTION_MALFUNCTION)
  • 6: Protection not licensed (PROTECTION_NOT_LICENSED)
  • 7: Unremediated threat (UNREMEDIATED_THREAT)
  • 8: Suspicious reputation (SUSPICIOUS_REPUTATION)
  • 9: Reboot pending (REBOOT_PENDING)
  • 10: Content is locked (CONTENT_IS_LOCKED)
  • 11: Not installed (NOT_INSTALLED)
  • 12: Writable system partition (WRITABLE_SYSTEM_PARTITION)
  • 13: SafetyNet failure (SAFETYNET_FAILURE)
  • 14: Failed boot verify (FAILED_BOOT_VERIFY)
  • 15: Modified execution environment (MODIFIED_EXECUTION_ENVIRONMENT)
  • 16: SELinux disabled (SELINUX_DISABLED)
  • 17: Elevated privilege shell (ELEVATED_PRIVILEGE_SHELL)
  • 18: iOS file system altered (IOS_FILE_SYSTEM_ALTERED)
  • 19: Open remote access (OPEN_REMOTE_ACCESS)
  • 20: OTA updates disabled (OTA_UPDATES_DISABLED)
  • 21: Rooted (ROOTED)
  • 22: Android partition modified (ANDROID_PARTITION_MODIFIED)
  • 23: Compliance failure (COMPLIANCE_FAILURE)
  • 99: Other (OTHER)
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema.
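
The relationship between state and state_id described above (state carries the caption of state_id, except for 99/Other, where the source defines it) can be checked at ingest. The Python below is an added example, not code from the OCSF project; check_security_state, CAPTIONS, ATTRS and the sample records are hypothetical names and constructed data. Reporting a missing state_id and unlisted attributes as findings is an assumption of this example, not a rule stated on this page.

```python
# Captions copied from the state_id enum on this page (ocsf-1.4.0).
CAPTIONS = {
    0: "Unknown", 1: "Missing or outdated content", 2: "Policy mismatch",
    3: "In network quarantine", 4: "Protection off", 5: "Protection malfunction",
    6: "Protection not licensed", 7: "Unremediated threat",
    8: "Suspicious reputation", 9: "Reboot pending", 10: "Content is locked",
    11: "Not installed", 12: "Writable system partition", 13: "SafetyNet failure",
    14: "Failed boot verify", 15: "Modified execution environment",
    16: "SELinux disabled", 17: "Elevated privilege shell",
    18: "iOS file system altered", 19: "Open remote access",
    20: "OTA updates disabled", 21: "Rooted", 22: "Android partition modified",
    23: "Compliance failure", 99: "Other",
}
OTHER = 99
ATTRS = {"raw_data", "record_id", "state", "state_id", "unmapped"}


def check_security_state(obj):
    """Return (normalized copy, findings). Hypothetical helper, not an OCSF API."""
    out, findings = dict(obj), []
    for key in sorted(set(out) - ATTRS):
        findings.append(f"attribute {key!r} is not defined on security_state")
    sid, state = out.get("state_id"), out.get("state")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(sid, bool) or not isinstance(sid, int):
        findings.append(f"state_id must be an Integer, got {type(sid).__name__}")
    elif sid not in CAPTIONS:
        findings.append(f"state_id {sid} is not in the enum")
    elif sid == OTHER:
        # For Other, the state string is defined by the source and kept as-is.
        if not isinstance(state, str) or not state.strip():
            findings.append("state_id 99 (Other) needs a source-defined state")
    else:
        if state is not None and state != CAPTIONS[sid]:
            findings.append(f"state {state!r} replaced by caption {CAPTIONS[sid]!r}")
        out["state"] = CAPTIONS[sid]
    return out, findings


# Constructed sample records, not taken from any real event source.
SAMPLES = [
    {"state_id": 21, "state": "jailbroken/rooted"},
    {"state_id": 99, "state": "Firewall profile drift"},
    {"state_id": 42, "state": "???"},
    {"state_id": "7", "vendor_flag": True},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(check_security_state(rec))
```
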

Relationships

Security State shown in context

Inbound Relationships

These objects and events reference Security State in their attributes:

Outbound Relationships

Security State references the following objects and events in its attributes:

This page describes ocsf-1.4.0