package
0.3.37
Repository: https://github.com/synqly/go-sdk.git
Documentation: pkg.go.dev

# Constants

AppleAccount.
AWSAccount.
AWSIAMRole.
AWSIAMUser.
AzureADAccount.
GCPAccount.
LDAPAccount.
LinuxAccount.
MacOSAccount.
Other.
Unknown.
WindowsAccount.
Allowed.
Denied.
Other.
Unknown.
Load.
Other.
Unknown.
Unload.
Application.
OperatingSystem.
Other.
Unknown.
Backup_Recovery.
ConfigurationManagement.
DataLossPrevention.
EndpointDetectionandResponse.
LogForwarding.
MobileDeviceManagement.
Other.
PerformanceMonitoring_Observability.
RemoteAccess.
Unknown.
VulnerabilityManagement.
SystemActivity.
ModuleActivity.
Base.
Environmental.
Temporal.
Critical.
High.
Info.
Low.
Medium.
Other.
Browser.
CNC.
DCS.
Desktop.
EnergyMonitoringSystem.
Firewall.
Hub.
IDS.
ImagingEquipment.
IOT.
IPS.
Laptop.
LightingControls.
LoadBalancer.
MedicalDevice.
Mobile.
Other.
PLC.
Router.
SCADA.
ScientificEquipment.
Server.
Switch.
Tablet.
TransportationDevice.
Unknown.
Virtual.
Authenticode.
DSA.
ECDSA.
Other.
RSA.
Unknown.
Expired.
Other.
Pending.
Revoked.
Suspended.
Unknown.
Valid.
AccessRevoked.
Alert.
Allowed.
Approved.
Blocked.
Captcha.
Challenge.
Corrected.
Count.
CustomAction.
Delayed.
Deleted.
Detected.
Dropped.
Error.
Exonerated.
Isolated.
Logged.
NoAction.
Other.
PartiallyCorrected.
Quarantined.
Rejected.
Reset.
Restored.
Tagged.
Unauthorized.
Uncorrected.
Unknown.
AuthenticData.
AuthoritativeAnswer.
CheckingDisabled.
Other.
RecursionAvailable.
RecursionDesired.
TruncatedResponse.
Unknown.
Abuse.
Administrative.
Billing.
Other.
Registrant.
Technical.
Unknown.
Confidential.
NotConfidential.
Other.
Private.
Restricted.
Secret.
TopSecret.
Unknown.
BlockDevice.
CharacterDevice.
Folder.
LocalSocket.
NamedPipe.
Other.
RegularFile.
SymbolicLink.
Unknown.
CTPH.
MD5.
Other.
quickXorHash.
SHA_1.
SHA_256.
SHA_512.
TLSH.
Unknown.
Installed.
InstalledPendingReboot.
NotInstalled.
Other.
Unknown.
ActionsonObjectives.
Command_Control.
Delivery.
Exploitation.
Installation.
Other.
Reconnaissance.
Unknown.
Weaponization.
Adware.
Backdoor.
Bootkit.
Bot.
DDOS.
Downloader.
Dropper.
Exploit_Kit.
Keylogger.
Other.
Ransomware.
Remote_Access_Trojan.
Resource_Exploitation.
Rogue_Security_Software.
Rootkit.
Screen_Capture.
Spyware.
Trojan.
Unknown.
Virus.
Webshell.
Wiper.
Worm.
Mapped.
NonStandard.
NonStandardBacked.
Other.
ShellCode.
Standard.
Unknown.
Mobile.
Other.
Tunnel.
Unknown.
Wired.
Wireless.
Container.
Email.
EmailAddress.
Endpoint.
File.
FileName.
Fingerprint.
GeoLocation.
Hash.
Hostname.
IPAddress.
MACAddress.
Other.
Port.
Process.
ProcessName.
ResourceUID.
Subnet.
UniformResourceLocator.
Unknown.
URLString.
User.
UserName.
AIX.
Android.
HP_UX.
iOS.
iPadOS.
Linux.
macOS.
Other.
Solaris.
Unknown.
Windows.
WindowsMobile.
High.
Low.
Medium.
Other.
Unknown.
TLP_AMBER.
TLP_AMBER_STRICT.
TLP_CLEAR.
TLP_GREEN.
TLP_RED.
DigitalCertificate.
Domain.
Email.
EmailAddress.
Hash.
Hostname.
IPAddress.
Other.
Unknown.
URL.
UserAgent.
Vulnerability.
Application.
OperatingSystem.
Other.
Unknown.
High.
Low.
Medium.
Other.
Protected.
System.
Unknown.
Untrusted.
ExerciseCaution.
LeansSafe.
Malicious.
MaynotbeSafe.
Other.
PossiblyMalicious.
ProbablyMalicious.
ProbablySafe.
Safe.
Suspicious_Risky.
Unknown.
VerySafe.
Critical.
Fatal.
High.
Informational.
Low.
Medium.
Other.
Unknown.
Failure.
Other.
Success.
Unknown.
Days.
Hours.
Milliseconds.
Minutes.
Months.
Other.
Seconds.
Unknown.
Weeks.
Years.
ModuleActivity_Load.
ModuleActivity_Other.
ModuleActivity_Unknown.
ModuleActivity_Unload.
Enabled.
NotEnabled.
Other.
Unknown.
Critical.
High.
Info.
Low.
Medium.
Other.
Admin.
Other.
System.
Unknown.
User.
Active.
Deprovisioned.
Locked.
Other.
Pending.
Suspended.
Unknown.
Other.
Signed.
Unknown.
Unsigned.

# Structs

The Account object contains details about the account that initiated or performed a specific activity within a system or application.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The Affected Code object describes details about a code block identified as vulnerable.
The Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.
An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The [MITRE ATT&CK®](https://attack.mitre.org) object describes the tactic, technique & sub-technique associated with an attack as defined in the [ATT&CK® Matrix](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The Authorization Result object provides details about the authorization outcome and associated policies related to activity.
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The Container object describes an instance of a specific container.
The Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in the CVE Program catalog ([CVE](https://cve.mitre.org/)).
The Common Vulnerability Scoring System ([CVSS](https://www.first.org/cvss/)) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
The Device Hardware Information object contains details and specifications of the physical components that make up a device.
The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.
The Display object contains information about the physical or virtual display connected to a computer system.
The DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation.
The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.
The Email object describes the email metadata such as sender, recipients, and direction.
The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.
The Enrichment object provides inline enrichment data for specific attributes of interest within an event.
The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event.
The Feature object provides information about the software product feature that generated a specific event.
The File object represents the metadata associated with a file stored in a computer system.
The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content.
The Firewall Rule object represents a specific rule within a firewall policy or event.
The Group object represents a collection or association of entities, such as users, policies, or devices.
The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications.
The Image object provides a description of a specific Virtual Machine (VM) or Container image.
The KB Article object contains metadata that describes the patch or update.
The Keyboard Information object contains details and attributes related to a computer or device keyboard.
The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker.
The additional LDAP attributes that describe a person.
The Geo Location object describes a geographical location, usually associated with an IP address.
The Logger object represents the device and product where events are stored with times for receipt and transmission.
The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
The Metadata object describes the metadata associated with the event.
The Metric object defines a simple name/value pair entity for a metric.
The Module object describes the load attributes of a module.
Module Activity events report when a process loads or unloads the `module`.
The Network Interface object describes the type and associated attributes of a network interface.
The observable object is a pivot element that contains related information found in many places in the event.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information.
The Software Package object describes details about a software package.
The Policy object describes the policies that are applicable.
The Process object describes a running instance of a launched program.
The Product object describes characteristics of a software product.
The Remediation object describes the recommended remediation steps to address identified issue(s).
The Reputation object describes the reputation/risk score of an entity (e.g.
The Request Elements object describes characteristics of an API request.
The Response Elements object describes characteristics of an API response.
The Service object describes characteristics of a service, e.g.
The Session object describes details about an authenticated session.
The MITRE ATT&CK® Sub Technique object describes the sub-technique ID and/or name associated with an attack, as defined by the [ATT&CK® Matrix](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The MITRE ATT&CK® Tactic object describes the tactic ID and/or name associated with an attack, as defined by the [ATT&CK® Matrix](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The MITRE ATT&CK® Technique object describes the technique ID and/or name associated with an attack, as defined by the [ATT&CK® Matrix](https://attack.mitre.org/wiki/ATT&CK_Matrix).
The Time Span object represents different time period durations.
The User object describes the characteristics of a user/person or a security principal.
The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.
The resources of a WHOIS record for a given domain.

# Type aliases

AccountTypeId is an enum, and the following values are allowed.
ActionId is an enum, and the following values are allowed.
ActivityId is an enum, and the following values are allowed.
AffectedPackageTypeId is an enum, and the following values are allowed.
AgentTypeId is an enum, and the following values are allowed.
CategoryUid is an enum, and the following values are allowed.
ClassUid is an enum, and the following values are allowed.
CvssDepth is an enum, and the following values are allowed.
DeviceRiskLevelId is an enum, and the following values are allowed.
DeviceTypeId is an enum, and the following values are allowed.
DigitalSignatureAlgorithmId is an enum, and the following values are allowed.
DigitalSignatureStateId is an enum, and the following values are allowed.
DispositionId is an enum, and the following values are allowed.
DnsAnswerFlagIds is an enum, and the following values are allowed.
DomainContactTypeId is an enum, and the following values are allowed.
Email address.
FileConfidentialityId is an enum, and the following values are allowed.
File name.
FileTypeId is an enum, and the following values are allowed.
FingerprintAlgorithmId is an enum, and the following values are allowed.
Hash.
Unique name assigned to a device connected to a computer network.
Internet Protocol address (IP address), in either IPv4 or IPv6 format.
KbArticleInstallStateId is an enum, and the following values are allowed.
KillChainPhasePhaseId is an enum, and the following values are allowed.
Media Access Control (MAC) address.
MalwareClassificationIds is an enum, and the following values are allowed.
ModuleLoadTypeId is an enum, and the following values are allowed.
NetworkInterfaceTypeId is an enum, and the following values are allowed.
An unordered collection of attributes.
ObservableTypeId is an enum, and the following values are allowed.
OsintConfidenceId is an enum, and the following values are allowed.
OsintTlp is an enum, and the following values are allowed.
OsintTypeId is an enum, and the following values are allowed.
OsTypeId is an enum, and the following values are allowed.
PackageTypeId is an enum, and the following values are allowed.
The TCP/UDP port number.
ProcessIntegrityId is an enum, and the following values are allowed.
Process name.
ReputationScoreId is an enum, and the following values are allowed.
Resource unique identifier.
SeverityId is an enum, and the following values are allowed.
StatusId is an enum, and the following values are allowed.
The subnet represented in a CIDR notation, using the format network_address/prefix_length.
TimespanTypeId is an enum, and the following values are allowed.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC.
TypeUid is an enum, and the following values are allowed.
Uniform Resource Locator (URL) string.
UserMfaStatusId is an enum, and the following values are allowed.
User name.
UserRiskLevelId is an enum, and the following values are allowed.
UserTypeId is an enum, and the following values are allowed.
UserUserStatusId is an enum, and the following values are allowed.
WhoisDnssecStatusId is an enum, and the following values are allowed.