# Constants
The constant values are grouped below by the enum type they belong to (the enum types are listed in the same order under Type aliases).

- AccountTypeId: AppleAccount, AWSAccount, AWSIAMRole, AWSIAMUser, AzureADAccount, GCPAccount, LDAPAccount, LinuxAccount, MacOSAccount, Other, Unknown, WindowsAccount
- ActionId: Allowed, Denied, Other, Unknown
- ActivityId: Inject, Launch, Open, Other, SetUserID, Terminate, Unknown
- CategoryUid: SystemActivity
- ClassUid: ProcessActivity
- CvssDepth: Base, Environmental, Temporal
- DeviceRiskLevelId: Critical, High, Info, Low, Medium
- DeviceTypeId: Browser, CNC, DCS, Desktop, EnergyMonitoringSystem, Firewall, Hub, ImagingEquipment, IOT, Laptop, LightingControls, MedicalDevice, Mobile, Other, PLC, SCADA, ScientificEquipment, Server, Switch, Tablet, TransportationDevice, Unknown, Virtual
- DigitalSignatureAlgorithmId: Authenticode, DSA, ECDSA, Other, RSA, Unknown
- DispositionId: AccessRevoked, Alert, Allowed, Approved, Blocked, Captcha, Challenge, Corrected, Count, CustomAction, Delayed, Deleted, Detected, Dropped, Error, Exonerated, Isolated, Logged, NoAction, Other, PartiallyCorrected, Quarantined, Rejected, Reset, Restored, Tagged, Unauthorized, Uncorrected, Unknown
- FileConfidentialityId: Confidential, NotConfidential, Other, Secret, TopSecret, Unknown
- FileTypeId: BlockDevice, CharacterDevice, Folder, LocalSocket, NamedPipe, Other, RegularFile, SymbolicLink, Unknown
- FingerprintAlgorithmId: CTPH, MD5, Other, quickXorHash, SHA_1, SHA_256, SHA_512, TLSH, Unknown
- InjectionTypeId: LoadLibrary, Other, RemoteThread, Unknown
- MalwareClassificationIds: Adware, Backdoor, Bootkit, Bot, DDOS, Downloader, Dropper, Exploit_Kit, Keylogger, Other, Ransomware, Remote_Access_Trojan, Resource_Exploitation, Rogue_Security_Software, Rootkit, Screen_Capture, Spyware, Trojan, Unknown, Virus, Webshell, Wiper, Worm
- ModuleLoadTypeId: Mapped, NonStandard, NonStandardBacked, Other, ShellCode, Standard, Unknown
- NetworkInterfaceTypeId: Mobile, Other, Tunnel, Unknown, Wired, Wireless
- ObservableTypeId: Container, Email, EmailAddress, Endpoint, File, FileName, Fingerprint, GeoLocation, Hash, Hostname, IPAddress, MACAddress, Other, Process, ProcessName, ResourceUID, UniformResourceLocator, Unknown, URLString, User, UserName
- OsTypeId: AIX, Android, HP_UX, iOS, iPadOS, Linux, macOS, Other, Solaris, Unknown, Windows, WindowsMobile
- ProcessIntegrityId: High, Low, Medium, Other, Protected, System, Unknown, Untrusted
- ReputationScoreId: ExerciseCaution, LeansSafe, Malicious, MaynotbeSafe, Other, PossiblyMalicious, ProbablyMalicious, ProbablySafe, Safe, Suspicious_Risky, Unknown, VerySafe
- SeverityId: Critical, Fatal, High, Informational, Low, Medium, Other, Unknown
- StatusId: Failure, Other, Success, Unknown
- TypeUid: ProcessActivity_Inject, ProcessActivity_Launch, ProcessActivity_Open, ProcessActivity_Other, ProcessActivity_SetUserID, ProcessActivity_Terminate, ProcessActivity_Unknown
- UserMfaStatusId: Enabled, NotEnabled, Other, Unknown
- UserTypeId: Admin, Other, System, Unknown, User
- UserUserStatusId: Active, Deprovisioned, Locked, Other, Pending, Suspended, Unknown
# Structs
- The Account object contains details about the account that initiated or performed a specific activity within a system or application.
- The Actor object contains details about the user, role, or process that initiated or performed a specific activity.
- The API (Application Programming Interface) object represents information pertaining to an API request and response.
- The <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> object describes the tactic, technique and sub-technique associated with an attack, as defined in the <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.
- The Authorization Result object provides details about the authorization outcome and the policies associated with an activity.
- The Digital Certificate object, also known as a Public Key Certificate, contains information about the ownership and usage of a public key.
- The Cloud object contains information about a cloud account, such as the AWS Account ID, regions, etc.
- The Container object describes an instance of a specific container.
- The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in the CVE Program catalog (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>).
- The Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
- The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack.
- The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within that network.
- The Device Hardware Information object contains details and specifications of the physical components that make up a device.
- The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of a file or application.
- The Display object contains information about the physical or virtual display connected to a computer system.
- The Enrichment object provides inline enrichment data for specific attributes of interest within an event.
- The Exploit Prediction Scoring System (EPSS) object describes the estimated probability that a vulnerability will be exploited.
- The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event.
- The Feature object provides information about the software product feature that generated a specific event.
- The File object represents the metadata associated with a file stored in a computer system.
- The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content.
- The Firewall Rule object represents a specific rule within a firewall policy or event.
- The Group object represents a collection or association of entities, such as users, policies, or devices.
- The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications.
- The Image object provides a description of a specific Virtual Machine (VM) or Container image.
- The Keyboard Information object contains details and attributes related to a computer or device keyboard.
- The LDAP Person object holds the additional LDAP attributes that describe a person.
- The Geo Location object describes a geographical location, usually associated with an IP address.
- The Logger object represents the device and product where events are stored, with times for receipt and transmission.
- The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
- The Metadata object describes the metadata associated with the event.
- The Metric object defines a simple name/value pair entity for a metric.
- The Module object describes the load attributes of a module.
- The Network Interface object describes the type and associated attributes of a network interface.
- The Observable object is a pivot element that contains related information found in many places in the event.
- The Organization object describes characteristics of an organization or company and its division, if any.
- The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.
- The Policy object describes the policies that are applicable.
- The Process object describes a running instance of a launched program.
- Process Activity events report when a process launches, injects, opens, or terminates another process, successful or otherwise.
- The Product object describes characteristics of a software product.
- The Reputation object describes the reputation/risk score of an entity (e.g.
- The Request Elements object describes characteristics of an API request.
- The Response Elements object describes characteristics of an API response.
- The Service object describes characteristics of a service, e.g.
- The Session object describes details about an authenticated session.
- The Sub Technique object describes the sub-technique ID and/or name associated with an attack, as defined by the <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.
- The Tactic object describes the tactic ID and/or name associated with an attack, as defined by the <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.
- The Technique object describes the technique ID and/or name associated with an attack, as defined by the <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.
- The User object describes the characteristics of a user/person or a security principal.
# Type aliases
Each enum type below accepts only the values listed for it under Constants.

- AccountTypeId: enum.
- ActionId: enum.
- ActivityId: enum.
- CategoryUid: enum.
- ClassUid: enum.
- CvssDepth: enum.
- DeviceRiskLevelId: enum.
- DeviceTypeId: enum.
- DigitalSignatureAlgorithmId: enum.
- DispositionId: enum.
- Email address.
- FileConfidentialityId: enum.
- File name.
- FileTypeId: enum.
- FingerprintAlgorithmId: enum.
- Hash.
- Unique name assigned to a device connected to a computer network (hostname).
- InjectionTypeId: enum.
- Internet Protocol address (IP address), in either IPv4 or IPv6 format.
- Media Access Control (MAC) address.
- MalwareClassificationIds: enum.
- ModuleLoadTypeId: enum.
- NetworkInterfaceTypeId: enum.
- An unordered collection of attributes (object).
- ObservableTypeId: enum.
- OsTypeId: enum.
- The TCP/UDP port number.
- ProcessIntegrityId: enum.
- Process name.
- ReputationScoreId: enum.
- Resource unique identifier.
- SeverityId: enum.
- StatusId: enum.
- The subnet represented in CIDR notation, using the format network_address/prefix_length.
- The timestamp format is the number of milliseconds since the Epoch, 01/01/1970 00:00:00 UTC.
- TypeUid: enum.
- Uniform Resource Locator (URL) string.
- UserMfaStatusId: enum.
- User name.
- UserTypeId: enum.
- UserUserStatusId: enum.