package
0.3.37
Repository: https://github.com/synqly/go-sdk.git
Documentation: pkg.go.dev

# Constants

Allowed values for each enum type alias (the enums themselves are listed under Type aliases below):

AccountTypeId: AppleAccount, AWSAccount, AWSIAMRole, AWSIAMUser, AzureADAccount, GCPAccount, LDAPAccount, LinuxAccount, MacOSAccount, Other, Unknown, WindowsAccount
ActionId: Allowed, Denied, Other, Unknown
ActivityId: Close, Create, Other, Unknown, Update
AnalyticTypeId: Behavioral, Learning_ML_DL_, Other, Rule, Statistical, Unknown
CategoryUid: Findings
ClassUid: DetectionFinding
ConfidenceId: High, Low, Medium, Other, Unknown
CvssDepth: Base, Environmental, Temporal
DeviceRiskLevelId: Critical, High, Info, Low, Medium
DeviceTypeId: Browser, CNC, DCS, Desktop, EnergyMonitoringSystem, Firewall, Hub, ImagingEquipment, IOT, Laptop, LightingControls, MedicalDevice, Mobile, Other, PLC, SCADA, ScientificEquipment, Server, Switch, Tablet, TransportationDevice, Unknown, Virtual
DigitalSignatureAlgorithmId: Authenticode, DSA, ECDSA, Other, RSA, Unknown
DispositionId: AccessRevoked, Alert, Allowed, Approved, Blocked, Captcha, Challenge, Corrected, Count, CustomAction, Delayed, Deleted, Detected, Dropped, Error, Exonerated, Isolated, Logged, NoAction, Other, PartiallyCorrected, Quarantined, Rejected, Reset, Restored, Tagged, Unauthorized, Uncorrected, Unknown
DnsQueryOpcodeId: DSOMessage, InverseQuery, Notify, Query, Reserved, Status, Update
FileConfidentialityId: Confidential, NotConfidential, Other, Secret, TopSecret, Unknown
FileTypeId: BlockDevice, CharacterDevice, Folder, LocalSocket, NamedPipe, Other, RegularFile, SymbolicLink, Unknown
FingerprintAlgorithmId: CTPH, MD5, Other, quickXorHash, SHA_1, SHA_256, SHA_512, TLSH, Unknown
ImpactId: Critical, High, Low, Medium, Other, Unknown
KillChainPhasePhaseId: ActionsonObjectives, Command_Control, Delivery, Exploitation, Installation, Other, Reconnaissance, Unknown, Weaponization
MalwareClassificationIds: Adware, Backdoor, Bootkit, Bot, DDOS, Downloader, Dropper, Exploit_Kit, Keylogger, Other, Ransomware, Remote_Access_Trojan, Resource_Exploitation, Rogue_Security_Software, Rootkit, Screen_Capture, Spyware, Trojan, Unknown, Virus, Webshell, Wiper, Worm
NetworkConnectionInfoBoundaryId: External, GatewayVPC, Inter_regionVPC, Internal, Internet_VPCGateway, InternetGateway, Intra_regionVPC, LocalGateway, Localhost, Other, SameVPC, Unknown, VirtualPrivateGateway
NetworkConnectionInfoDirectionId: Inbound, Lateral, Other, Outbound, Unknown
NetworkConnectionInfoProtocolVerId: InternetProtocolversion4_IPv4_, InternetProtocolversion6_IPv6_, Other, Unknown
NetworkEndpointTypeId: Browser, Desktop, Firewall, Hub, IOT, Laptop, Mobile, Other, Server, Switch, Tablet, Unknown, Virtual
NetworkInterfaceTypeId: Mobile, Other, Tunnel, Unknown, Wired, Wireless
NetworkProxyTypeId: Browser, Desktop, Firewall, Hub, IOT, Laptop, Mobile, Other, Server, Switch, Tablet, Unknown, Virtual
ObservableTypeId: Container, Email, EmailAddress, Endpoint, File, FileName, Fingerprint, GeoLocation, Hash, Hostname, IPAddress, MACAddress, Other, Process, ProcessName, ResourceUID, UniformResourceLocator, Unknown, URLString, User, UserName
OsTypeId: AIX, Android, HP_UX, iOS, iPadOS, Linux, macOS, Other, Solaris, Unknown, Windows, WindowsMobile
ProcessIntegrityId: High, Low, Medium, Other, Protected, System, Unknown, Untrusted
ReputationScoreId: ExerciseCaution, LeansSafe, Malicious, MaynotbeSafe, Other, PossiblyMalicious, ProbablyMalicious, ProbablySafe, Safe, Suspicious_Risky, Unknown, VerySafe
RiskLevelId: Critical, High, Info, Low, Medium
SeverityId: Critical, Fatal, High, Informational, Low, Medium, Other, Unknown
StatusId: InProgress, New, Other, Resolved, Suppressed, Unknown
TypeUid: DetectionFinding_Close, DetectionFinding_Create, DetectionFinding_Other, DetectionFinding_Unknown, DetectionFinding_Update
UserMfaStatusId: Enabled, NotEnabled, Other, Unknown
UserTypeId: Admin, Other, System, Unknown, User
UserUserStatusId: Active, Deprovisioned, Locked, Other, Pending, Suspended, Unknown

# Structs

The Account object contains details about the account that initiated or performed a specific activity within a system or application.
The Actor object contains details about the user, role, or process that initiated or performed a specific activity.
The Affected Code object describes details about a code block identified as vulnerable.
The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The [MITRE ATT&CK®](https://attack.mitre.org) object describes the tactic, technique and sub-technique associated with an attack as defined in the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The Authorization Result object provides details about the authorization outcome and associated policies related to activity.
The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The Container object describes an instance of a specific container.
The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in the CVE Program catalog ([CVE](https://cve.mitre.org/)).
The Common Vulnerability Scoring System ([CVSS](https://www.first.org/cvss/)) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack.
A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
The Device Hardware Information object contains details and specifications of the physical components that make up a device.
The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.
The Display object contains information about the physical or virtual display connected to a computer system.
The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation.
The Enrichment object provides inline enrichment data for specific attributes of interest within an event.
The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited.
A collection of evidence artifacts associated to the activity/activities that triggered a security detection.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event.
The Feature object provides information about the software product feature that generated a specific event.
The File object represents the metadata associated with a file stored in a computer system.
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content.
The Firewall Rule object represents a specific rule within a firewall policy or event.
The Group object represents a collection or association of entities, such as users, policies, or devices.
The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications.
The Image object provides a description of a specific Virtual Machine (VM) or Container image.
The KB Article object contains metadata that describes the patch or update.
The Keyboard Information object contains details and attributes related to a computer or device keyboard.
The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker.
The additional LDAP attributes that describe a person.
The Geo Location object describes a geographical location, usually associated with an IP address.
The Logger object represents the device and product where events are stored with times for receipt and transmission.
The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
The Metadata object describes the metadata associated with the event.
The Metric object defines a simple name/value pair entity for a metric.
The Network Connection Information object describes characteristics of a network connection.
The Network Endpoint object describes characteristics of a network endpoint.
The Network Interface object describes the type and associated attributes of a network interface.
The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.
The observable object is a pivot element that contains related information found in many places in the event.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.
The Software Package object describes details about a software package.
The Policy object describes the policies that are applicable.
The Process object describes a running instance of a launched program.
The Product object describes characteristics of a software product.
The Related Event object describes an event related to a finding or detection as identified by the security product.
The Remediation object describes the recommended remediation steps to address identified issue(s).
The Reputation object describes the reputation/risk score of an entity (e.g.
The Request Elements object describes characteristics of an API request.
The Resource Details object describes details about resources that were affected by the activity/event.
The Response Elements object describes characteristics of an API response.
The Service object describes characteristics of a service, e.g.
The Session object describes details about an authenticated session.
The Sub Technique object describes the sub-technique ID and/or name associated with an attack, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The Tactic object describes the tactic ID and/or name associated with an attack, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The Technique object describes the technique ID and/or name associated with an attack, as defined by the [ATT&CK Matrix™](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The User object describes the characteristics of a user/person or a security principal.
The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.

# Type aliases

AccountTypeId is an enum, and the following values are allowed.
ActionId is an enum, and the following values are allowed.
ActivityId is an enum, and the following values are allowed.
AnalyticTypeId is an enum, and the following values are allowed.
CategoryUid is an enum, and the following values are allowed.
ClassUid is an enum, and the following values are allowed.
ConfidenceId is an enum, and the following values are allowed.
CvssDepth is an enum, and the following values are allowed.
DeviceRiskLevelId is an enum, and the following values are allowed.
DeviceTypeId is an enum, and the following values are allowed.
DigitalSignatureAlgorithmId is an enum, and the following values are allowed.
DispositionId is an enum, and the following values are allowed.
DnsQueryOpcodeId is an enum, and the following values are allowed.
Email address.
FileConfidentialityId is an enum, and the following values are allowed.
File name.
FileTypeId is an enum, and the following values are allowed.
FingerprintAlgorithmId is an enum, and the following values are allowed.
Hash.
Unique name assigned to a device connected to a computer network.
ImpactId is an enum, and the following values are allowed.
Internet Protocol address (IP address), in either IPv4 or IPv6 format.
KillChainPhasePhaseId is an enum, and the following values are allowed.
Media Access Control (MAC) address.
MalwareClassificationIds is an enum, and the following values are allowed.
NetworkConnectionInfoBoundaryId is an enum, and the following values are allowed.
NetworkConnectionInfoDirectionId is an enum, and the following values are allowed.
NetworkConnectionInfoProtocolVerId is an enum, and the following values are allowed.
NetworkEndpointTypeId is an enum, and the following values are allowed.
NetworkInterfaceTypeId is an enum, and the following values are allowed.
NetworkProxyTypeId is an enum, and the following values are allowed.
An unordered collection of attributes.
ObservableTypeId is an enum, and the following values are allowed.
OsTypeId is an enum, and the following values are allowed.
The TCP/UDP port number.
ProcessIntegrityId is an enum, and the following values are allowed.
Process name.
ReputationScoreId is an enum, and the following values are allowed.
Resource unique identifier.
RiskLevelId is an enum, and the following values are allowed.
SeverityId is an enum, and the following values are allowed.
StatusId is an enum, and the following values are allowed.
The subnet represented in a CIDR notation, using the format network_address/prefix_length.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC.
TypeUid is an enum, and the following values are allowed.
Uniform Resource Locator (URL) string.
UserMfaStatusId is an enum, and the following values are allowed.
User name.
UserTypeId is an enum, and the following values are allowed.
UserUserStatusId is an enum, and the following values are allowed.