Sighting Object
Sighting A sighting indicates that a particular entity or indicator was observed in an environment and can be an indication of a current or potential threat.
| Property | Type | Description | Required? |
|---|---|---|---|
| confidence | HighMedLowString | ✓ | |
| count | Integer | The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents. | ✓ |
| id | String | Globally unique URI identifying this object. | ✓ |
| observed_time | ObservedTime Object | ✓ | |
| schema_version | String | CTIM schema version for this entity. | ✓ |
| type | SightingTypeIdentifierString | ✓ | |
| context | Context Object | Context including the event type that best fits the type of the sighting. | |
| data | SightingDataTable Object | An embedded data table for the Sighting. | |
| description | MarkdownString | A description of object, which may be detailed. | |
| external_ids | String List | It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners. | |
| external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. Similar to external_ids field with major differences: - external_ids field is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. The external_ids field can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. - external_references field, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. The external_references field can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier. | |
| internal | Boolean | If true, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC. Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization. Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known. | |
| language | ShortStringString | The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages. For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting. | |
| observables | Observable Object List | The object(s) of interest. | |
| relations | ObservedRelation Object List | Provide any context we can about where the observable came from. | |
| resolution | ResolutionString | Represents the disposition or actions taken on the associated threat intelligence. | |
| revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
| sensor | SensorString | The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall) | |
| sensor_coordinates | SensorCoordinates Object | ||
| severity | SeverityString | ||
| short_description | MedStringString | A single line, short summary of the object. | |
| source | MedStringString | Represents the source of the intelligence that led to the creation of the entity. | |
| source_uri | String | URI of the source of the intelligence that led to the creation of the entity. | |
| targets | IdentitySpecification Object List | May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise. Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread. | |
| timestamp | Inst (Date) | The time this object was created at, or last modified. | |
| title | ShortStringString | A short title for this object, used as primary display and reference value. | |
| tlp | TLPString | TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization. |
- Reference: SightingType
Property confidence ∷ HighMedLowString
-
This entry is required
- Allowed Values:
- High
- Info
- Low
- Medium
- None
- Unknown
- Reference: HighMedLowVocab
- Allowed Values:
Property context ∷ Context Object
Context including the event type that best fits the type of the sighting.
- This entry is optional
- Context Object Value
- Details: Context Object
Property count ∷ Integer
The number of times an indicator was observed within a certain period of time. For example, if an IP address associated with known malicious activity is observed once within a period of time, it may indicate a low-level threat. However, if the same IP address is observed multiple times within a short time frame, it may indicate a more severe and persistent threat. It can also be used to prioritize security alerts and indicate the urgency of a response. High counts indicate that an indicator is actively being used in a larger campaign, while low counts may indicate isolated incidents.
-
This entry is required
- Zero, or a positive integer.
Property data ∷ SightingDataTable Object
An embedded data table for the Sighting.
- This entry is optional
- SightingDataTable Object Value
- Details: SightingDataTable Object
Property description ∷ MarkdownString
A description of object, which may be detailed.
-
This entry is optional
- Markdown Markdown string with at most 5000 characters.
Property external_ids ∷ String List
It is used to store a list of external identifiers that can be linked to the incident, providing a reliable and manageable way to correlate and group related events across multiple data sources. It is especially useful in larger organizations that rely on multiple security information and event management (SIEM) systems to detect security incidents. For instance, it can be used to track events across different network sensors, intrusion detection and prevention systems (IDPS), or log management platforms. The field can also be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. It can be used to cross-reference with other external tools such as threat intelligence feeds and vulnerability scanners.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
Property external_references ∷ ExternalReference Object List
Specifies a list of external references which refers to non-CTIM information.
Similar to external_ids field with major differences:
-
external_idsfield is used to store a list of external identifiers that can be used to link entities across different data sources. These identifiers are typically standardized and well-known, such as CVE IDs, US-CERT advisories, or other industry-standard threat intelligence feeds. Theexternal_idsfield can be used to facilitate automation and orchestration workflows, where additional information can be shared among incident management systems. -
external_referencesfield, on the other hand, is used to provide a more general mechanism for linking entities to external sources of information. Theexternal_referencesfield can include references to blog posts, articles, external documents, threat intelligence reports, and other sources of information that may not have a standardized format or identifier.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ExternalReference Object Value
- Details: ExternalReference Object
Property id ∷ String
Globally unique URI identifying this object.
-
This entry is required
- IDs are URIs, for example
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.
- IDs are URIs, for example
Property internal ∷ Boolean
If true, indicates that the sighting was reported from internal sources, such as an organization's own internal security tools or SOC.
Internal sightings are often considered more reliable and actionable than external sightings, which are reported from external sources and may have a lower level of trustworthiness. Internal sightings can provide more context and can help identify potential threats that are unique to a particular environment or organization.
Internal sightings can also help organizations prioritize their security response efforts by identifying threats that are specific to their environment and may not yet be widely known.
- This entry is optional
Property language ∷ ShortStringString
The language field is used to specify the primary language of the affected system or the target of an attack. It can be used to provide additional context and information about the entity. The primary purpose of this field is to help analysts filter and prioritize entities based on their knowledge and expertise of different languages.
For example, if an incident involves an attack on a system in a country where a specific language is predominant, the language field can be used to indicate that language, which can help analysts to quickly identify and respond to incidents that may be geographically or culturally relevant. This information can be used to prioritize incidents based on their potential impact. The language field can also be used to help with correlation of incidents across different systems and regions, as well as to help with data analysis and reporting.
-
This entry is optional
- ShortString String with at most 1024 characters.
Property observables ∷ Observable Object List
The object(s) of interest.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- Observable Object Value
- Details: Observable Object
Property observed_time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property relations ∷ ObservedRelation Object List
Provide any context we can about where the observable came from.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ObservedRelation Object Value
- Details: ObservedRelation Object
Property resolution ∷ ResolutionString
Represents the disposition or actions taken on the associated threat intelligence.
-
This entry is optional
- Resolution indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP.
- Default: detected
- Allowed Values:
- allowed
- blocked
- contained
- detected
Property revision ∷ Integer
A monotonically increasing revision, incremented each time the object is changed.
-
This entry is optional
- Zero, or a positive integer.
Property schema_version ∷ String
CTIM schema version for this entity.
-
This entry is required
- A semantic version matching the CTIM version against which this object should be valid.
Property sensor ∷ SensorString
The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
-
This entry is optional
- Sensor The sensor/actuator name that best fits a device.
- Allowed Values:
- endpoint
- endpoint.digital-telephone-handset
- endpoint.laptop
- endpoint.pos-terminal
- endpoint.printer
- endpoint.sensor
- endpoint.server
- endpoint.smart-meter
- endpoint.smart-phone
- endpoint.tablet
- endpoint.workstation
- network
- network.bridge
- network.firewall
- network.gateway
- network.guard
- network.hips
- network.hub
- network.ids
- network.ips
- network.modem
- network.nic
- network.proxy
- network.router
- network.security_manager
- network.sense_making
- network.sensor
- network.switch
- network.vpn
- network.wap
- process
- process.aaa-server
- process.anti-virus-scanner
- process.connection-scanner
- process.directory-service
- process.dns-server
- process.email-service
- process.file-scanner
- process.location-service
- process.network-scanner
- process.remediation-service
- process.reputation-service
- process.sandbox
- process.virtualization-service
- process.vulnerability-scanner
Property sensor_coordinates ∷ SensorCoordinates Object
- This entry is optional
- SensorCoordinates Object Value
- Details: SensorCoordinates Object
Property severity ∷ SeverityString
-
This entry is optional
- Allowed Values:
- Critical
- High
- Info
- Low
- Medium
- None
- Unknown
- Allowed Values:
Property short_description ∷ MedStringString
A single line, short summary of the object.
-
This entry is optional
- MedString String with at most 2048 characters.
Property source ∷ MedStringString
Represents the source of the intelligence that led to the creation of the entity.
-
This entry is optional
- MedString String with at most 2048 characters.
Property source_uri ∷ String
URI of the source of the intelligence that led to the creation of the entity.
-
This entry is optional
- A URI
Property targets ∷ IdentitySpecification Object List
May include one or more targets that observed the associated indicator. Targets can include network devices, host devices, or other entities that are capable of detecting indicators of compromise.
Can be used to assess the scope of potential threats, helping analysts understand which devices or components of the network may be vulnerable to attack. For example, if a particular malware strain is detected on several different systems within an organization, the targets field may indicate which systems are affected and which may need to be isolated or patched to prevent further spread.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- IdentitySpecification Object Value
- Details: IdentitySpecification Object
Property timestamp ∷ Inst (Date)
The time this object was created at, or last modified.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property title ∷ ShortStringString
A short title for this object, used as primary display and reference value.
-
This entry is optional
- ShortString String with at most 1024 characters.
Property tlp ∷ TLPString
TLP stands for Traffic Light Protocol, which indicates precisely how a resource is intended to be shared, replicated, copied, etc.
It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know.
For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as red, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as amber or green, indicating that it can be shared more broadly within an organization.
-
This entry is optional
- Default: green
- Allowed Values:
- amber
- green
- red
- white
Property type ∷ SightingTypeIdentifierString
-
This entry is required
- Must equal: "sighting"
ExternalReference Object
ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
| Property | Type | Description | Required? |
|---|---|---|---|
| source_name | MedStringString | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
| description | MarkdownString | ||
| external_id | String | An identifier for the external reference content. | |
| hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
| url | String | A URL reference to an external resource. |
- Reference: External Reference
Property description ∷ MarkdownString
-
This entry is optional
- Markdown Markdown string with at most 5000 characters.
Property external_id ∷ String
An identifier for the external reference content.
- This entry is optional
Property hashes ∷ String List
Specifies a dictionary of hashes for the contents of the url.
- This entry is optional
- This entry's type is sequential (allows zero or more values)
Property source_name ∷ MedStringString
The source within which the external-reference is defined (system, registry, organization, etc.)
-
This entry is required
- MedString String with at most 2048 characters.
Property url ∷ String
A URL reference to an external resource.
-
This entry is optional
- A URI
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
SightingDataTable Object
SightingDataTable An embedded data table for sightings data.
| Property | Type | Description | Required? |
|---|---|---|---|
| columns | ColumnDefinition Object List | an ordered list of column definitions | ✓ |
| rows | Anything List | an ordered list of rows | ✓ |
| row_count | Integer | The number of rows in the data table. |
Property columns ∷ ColumnDefinition Object List
an ordered list of column definitions
- This entry is required
- This entry's type is sequential (allows zero or more values)
- ColumnDefinition Object Value
- Details: ColumnDefinition Object
Property row_count ∷ Integer
The number of rows in the data table.
- This entry is optional
Property rows ∷ Anything List List
an ordered list of rows
- This entry is required
- This entry's type is sequential (allows zero or more values)
ColumnDefinition Object
| Property | Type | Description | Required? |
|---|---|---|---|
| name | String | ✓ | |
| type | ColumnTypeString | ✓ | |
| description | MarkdownString | ||
| required | Boolean | If true, the row entries for this column cannot contain nulls. Defaults to true. | |
| short_description | String |
Property description ∷ MarkdownString
-
This entry is optional
- Markdown Markdown string with at most 5000 characters.
Property name ∷ String
- This entry is required
Property required ∷ Boolean
If true, the row entries for this column cannot contain nulls. Defaults to true.
- This entry is optional
Property short_description ∷ String
- This entry is optional
Property type ∷ ColumnTypeString
-
This entry is required
- Allowed Values:
- integer
- markdown
- number
- observable
- string
- url
- Allowed Values:
SensorCoordinates Object
SensorCoordinates Describes the device that made the sighting (sensor) and contains identifying observables for the sensor.
| Property | Type | Description | Required? |
|---|---|---|---|
| observables | Observable Object List | ✓ | |
| type | SensorString | ✓ | |
| os | String |
Property observables ∷ Observable Object List
- This entry is required
- This entry's type is sequential (allows zero or more values)
- Observable Object Value
- Details: Observable Object
Property os ∷ String
- This entry is optional
Property type ∷ SensorString
-
This entry is required
- Sensor The sensor/actuator name that best fits a device.
- Allowed Values:
- endpoint
- endpoint.digital-telephone-handset
- endpoint.laptop
- endpoint.pos-terminal
- endpoint.printer
- endpoint.sensor
- endpoint.server
- endpoint.smart-meter
- endpoint.smart-phone
- endpoint.tablet
- endpoint.workstation
- network
- network.bridge
- network.firewall
- network.gateway
- network.guard
- network.hips
- network.hub
- network.ids
- network.ips
- network.modem
- network.nic
- network.proxy
- network.router
- network.security_manager
- network.sense_making
- network.sensor
- network.switch
- network.vpn
- network.wap
- process
- process.aaa-server
- process.anti-virus-scanner
- process.connection-scanner
- process.directory-service
- process.dns-server
- process.email-service
- process.file-scanner
- process.location-service
- process.network-scanner
- process.remediation-service
- process.reputation-service
- process.sandbox
- process.virtualization-service
- process.vulnerability-scanner
Observable Object
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
| Property | Type | Description | Required? |
|---|---|---|---|
| type | ObservableTypeIdentifierString | ✓ | |
| value | String | ✓ |
Property type ∷ ObservableTypeIdentifierString
-
This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
- amp_computer_guid
- certificate_common_name
- certificate_issuer
- certificate_serial
- cisco_cm_id
- cisco_mid
- cisco_uc_id
- cortex_agent_id
- crowdstrike_id
- cybereason_id
- darktrace_id
- device
- domain
- email_messageid
- email_subject
- file_name
- file_path
- hostname
- imei
- imsi
- ip
- ipv6
- mac_address
- md5
- meraki_network_id
- meraki_node_sn
- meraki_org_id
- ms_machine_id
- mutex
- ngfw_id
- ngfw_name
- odns_identity
- odns_identity_label
- orbital_node_id
- pki_serial
- process_args
- process_hash
- process_name
- process_path
- process_username
- processor_id
- registry_key
- registry_name
- registry_path
- s1_agent_id
- serial_number
- sha1
- sha256
- swc_device_id
- trend_micro_id
- url
- user
- user_agent
Property value ∷ String
- This entry is required
IdentitySpecification Object
IdentitySpecification Describes the target of the sighting and contains identifying observables for the target.
| Property | Type | Description | Required? |
|---|---|---|---|
| observables | Observable Object List | ✓ | |
| observed_time | ObservedTime Object | ✓ | |
| type | SensorString | ✓ | |
| os | String |
Property observables ∷ Observable Object List
- This entry is required
- This entry's type is sequential (allows zero or more values)
- Observable Object Value
- Details: Observable Object
Property observed_time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property os ∷ String
- This entry is optional
Property type ∷ SensorString
-
This entry is required
- Sensor The sensor/actuator name that best fits a device.
- Allowed Values:
- endpoint
- endpoint.digital-telephone-handset
- endpoint.laptop
- endpoint.pos-terminal
- endpoint.printer
- endpoint.sensor
- endpoint.server
- endpoint.smart-meter
- endpoint.smart-phone
- endpoint.tablet
- endpoint.workstation
- network
- network.bridge
- network.firewall
- network.gateway
- network.guard
- network.hips
- network.hub
- network.ids
- network.ips
- network.modem
- network.nic
- network.proxy
- network.router
- network.security_manager
- network.sense_making
- network.sensor
- network.switch
- network.vpn
- network.wap
- process
- process.aaa-server
- process.anti-virus-scanner
- process.connection-scanner
- process.directory-service
- process.dns-server
- process.email-service
- process.file-scanner
- process.location-service
- process.network-scanner
- process.remediation-service
- process.reputation-service
- process.sandbox
- process.virtualization-service
- process.vulnerability-scanner
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Observable Object
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
| Property | Type | Description | Required? |
|---|---|---|---|
| type | ObservableTypeIdentifierString | ✓ | |
| value | String | ✓ |
Property type ∷ ObservableTypeIdentifierString
-
This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
- amp_computer_guid
- certificate_common_name
- certificate_issuer
- certificate_serial
- cisco_cm_id
- cisco_mid
- cisco_uc_id
- cortex_agent_id
- crowdstrike_id
- cybereason_id
- darktrace_id
- device
- domain
- email_messageid
- email_subject
- file_name
- file_path
- hostname
- imei
- imsi
- ip
- ipv6
- mac_address
- md5
- meraki_network_id
- meraki_node_sn
- meraki_org_id
- ms_machine_id
- mutex
- ngfw_id
- ngfw_name
- odns_identity
- odns_identity_label
- orbital_node_id
- pki_serial
- process_args
- process_hash
- process_name
- process_path
- process_username
- processor_id
- registry_key
- registry_name
- registry_path
- s1_agent_id
- serial_number
- sha1
- sha256
- swc_device_id
- trend_micro_id
- url
- user
- user_agent
Property value ∷ String
- This entry is required
Observable Object
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
| Property | Type | Description | Required? |
|---|---|---|---|
| type | ObservableTypeIdentifierString | ✓ | |
| value | String | ✓ |
Property type ∷ ObservableTypeIdentifierString
-
This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
- amp_computer_guid
- certificate_common_name
- certificate_issuer
- certificate_serial
- cisco_cm_id
- cisco_mid
- cisco_uc_id
- cortex_agent_id
- crowdstrike_id
- cybereason_id
- darktrace_id
- device
- domain
- email_messageid
- email_subject
- file_name
- file_path
- hostname
- imei
- imsi
- ip
- ipv6
- mac_address
- md5
- meraki_network_id
- meraki_node_sn
- meraki_org_id
- ms_machine_id
- mutex
- ngfw_id
- ngfw_name
- odns_identity
- odns_identity_label
- orbital_node_id
- pki_serial
- process_args
- process_hash
- process_name
- process_path
- process_username
- processor_id
- registry_key
- registry_name
- registry_path
- s1_agent_id
- serial_number
- sha1
- sha256
- swc_device_id
- trend_micro_id
- url
- user
- user_agent
Property value ∷ String
- This entry is required
ObservedRelation Object
ObservedRelation A relation inside a Sighting.
| Property | Type | Description | Required? |
|---|---|---|---|
| origin | String | ✓ | |
| related | Observable Object | ✓ | |
| relation | ObservableRelationTypeString | ✓ | |
| source | Observable Object | ✓ | |
| origin_uri | String | ||
| relation_info | Object |
Property origin ∷ String
- This entry is required
Property origin_uri ∷ String
-
This entry is optional
- A URI
Property related ∷ Observable Object
- This entry is required
- Observable Object Value
- Details: Observable Object
Property relation ∷ ObservableRelationTypeString
-
This entry is required
- Allowed Values:
- Allocated
- Allocated_By
- Attached_To
- Bound
- Bound_By
- Characterized_By
- Characterizes
- Child_Of
- Closed
- Closed_By
- Compressed
- Compressed_By
- Compressed_From
- Compressed_Into
- Connected_From
- Connected_To
- Contained_Within
- Contains
- Copied
- Copied_By
- Copied_From
- Copied_To
- Created
- Created_By
- Decoded
- Decoded_By
- Decompressed
- Decompressed_By
- Decrypted
- Decrypted_By
- Deleted
- Deleted_By
- Deleted_From
- Downloaded
- Downloaded_By
- Downloaded_From
- Downloaded_To
- Dropped
- Dropped_By
- Encoded
- Encoded_By
- Encrypted
- Encrypted_By
- Encrypted_From
- Encrypted_To
- Extracted_From
- FQDN_Of
- Freed
- Freed_By
- Hooked
- Hooked_By
- Initialized_By
- Initialized_To
- Injected
- Injected_As
- Injected_By
- Injected_Into
- Installed
- Installed_By
- Joined
- Joined_By
- Killed
- Killed_By
- Listened_On
- Listened_On_By
- Loaded_From
- Loaded_Into
- Locked
- Locked_By
- Mapped_By
- Mapped_Into
- Merged
- Merged_By
- Modified_Properties_Of
- Monitored
- Monitored_By
- Moved
- Moved_By
- Moved_From
- Moved_To
- Opened
- Opened_By
- Packed
- Packed_By
- Packed_From
- Packed_Into
- Parent_Of
- Paused
- Paused_By
- Previously_Contained
- Properties_Modified_By
- Properties_Queried
- Properties_Queried_By
- Read_From
- Read_From_By
- Received
- Received_By
- Received_From
- Received_Via_Upload
- Redirects_To
- Refers_To
- Related_To
- Renamed
- Renamed_By
- Renamed_From
- Renamed_To
- Resolved_To
- Resumed
- Resumed_By
- Root_Domain_Of
- Searched_For
- Searched_For_By
- Sent
- Sent_By
- Sent_To
- Sent_Via_Upload
- Set_From
- Set_To
- Sub-domain_Of
- Supra-domain_Of
- Suspended
- Suspended_By
- Unhooked
- Unhooked_By
- Unlocked
- Unlocked_By
- Unpacked
- Unpacked_By
- Uploaded
- Uploaded_By
- Uploaded_From
- Uploaded_To
- Used
- Used_By
- Values_Enumerated
- Values_Enumerated_By
- Written_To_By
- Wrote_To
- Allowed Values:
Property relation_info ∷ Object
- This entry is optional
- Object Value
- Details: Object
Property source ∷ Observable Object
- This entry is required
- Observable Object Value
- Details: Observable Object
Observable Object
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
| Property | Type | Description | Required? |
|---|---|---|---|
| type | ObservableTypeIdentifierString | ✓ | |
| value | String | ✓ |
Property type ∷ ObservableTypeIdentifierString
-
This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
- amp_computer_guid
- certificate_common_name
- certificate_issuer
- certificate_serial
- cisco_cm_id
- cisco_mid
- cisco_uc_id
- cortex_agent_id
- crowdstrike_id
- cybereason_id
- darktrace_id
- device
- domain
- email_messageid
- email_subject
- file_name
- file_path
- hostname
- imei
- imsi
- ip
- ipv6
- mac_address
- md5
- meraki_network_id
- meraki_node_sn
- meraki_org_id
- ms_machine_id
- mutex
- ngfw_id
- ngfw_name
- odns_identity
- odns_identity_label
- orbital_node_id
- pki_serial
- process_args
- process_hash
- process_name
- process_path
- process_username
- processor_id
- registry_key
- registry_name
- registry_path
- s1_agent_id
- serial_number
- sha1
- sha256
- swc_device_id
- trend_micro_id
- url
- user
- user_agent
Property value ∷ String
- This entry is required
Observable Object
Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.
| Property | Type | Description | Required? |
|---|---|---|---|
| type | ObservableTypeIdentifierString | ✓ | |
| value | String | ✓ |
Property type ∷ ObservableTypeIdentifierString
-
This entry is required
- ObservableTypeIdentifier Observable type names
- Allowed Values:
- amp_computer_guid
- certificate_common_name
- certificate_issuer
- certificate_serial
- cisco_cm_id
- cisco_mid
- cisco_uc_id
- cortex_agent_id
- crowdstrike_id
- cybereason_id
- darktrace_id
- device
- domain
- email_messageid
- email_subject
- file_name
- file_path
- hostname
- imei
- imsi
- ip
- ipv6
- mac_address
- md5
- meraki_network_id
- meraki_node_sn
- meraki_org_id
- ms_machine_id
- mutex
- ngfw_id
- ngfw_name
- odns_identity
- odns_identity_label
- orbital_node_id
- pki_serial
- process_args
- process_hash
- process_name
- process_path
- process_username
- processor_id
- registry_key
- registry_name
- registry_path
- s1_agent_id
- serial_number
- sha1
- sha256
- swc_device_id
- trend_micro_id
- url
- user
- user_agent
Property value ∷ String
- This entry is required
Object
| Property | Type | Description | Required? |
|---|---|---|---|
| Keyword | Anything | ✓ |
Property Keyword ∷ Anything
- This entry is required
Context Object
| Property | Type | Description | Required? |
|---|---|---|---|
| file_create_events | FileCreateType Object List | a list of FileCreateType | |
| file_delete_events | FileDeleteType Object List | a list of FileDeleteType | |
| file_modify_events | FileModifyType Object List | a list of FileModifyType | |
| file_move_events | FileMoveType Object List | a list of FileMoveType | |
| http_events | HTTPType Object List | a list of HTTPType | |
| library_load_events | LibraryLoadType Object List | a list of LibraryLoadType | |
| netflow_events | NetflowType Object List | a list of NetflowType | |
| process_create_events | ProcessCreateType Object List | a list of ProcessCreate | |
| registry_create_events | RegistryCreateType Object List | a list of RegistryCreateType | |
| registry_delete_events | RegistryDeleteType Object List | a list of RegistryDeleteType | |
| registry_rename_events | RegistryRenameType Object List | a list of RegistryRenameType | |
| registry_set_events | RegistrySetType Object List | a list of RegistrySetType |
Property file_create_events ∷ FileCreateType Object List
a list of FileCreateType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- FileCreateType Object Value
- Details: FileCreateType Object
Property file_delete_events ∷ FileDeleteType Object List
a list of FileDeleteType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- FileDeleteType Object Value
- Details: FileDeleteType Object
Property file_modify_events ∷ FileModifyType Object List
a list of FileModifyType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- FileModifyType Object Value
- Details: FileModifyType Object
Property file_move_events ∷ FileMoveType Object List
a list of FileMoveType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- FileMoveType Object Value
- Details: FileMoveType Object
Property http_events ∷ HTTPType Object List
a list of HTTPType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- HTTPType Object Value
- Details: HTTPType Object
Property library_load_events ∷ LibraryLoadType Object List
a list of LibraryLoadType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- LibraryLoadType Object Value
- Details: LibraryLoadType Object
Property netflow_events ∷ NetflowType Object List
a list of NetflowType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- NetflowType Object Value
- Details: NetflowType Object
Property process_create_events ∷ ProcessCreateType Object List
a list of ProcessCreate
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- ProcessCreateType Object Value
- Details: ProcessCreateType Object
Property registry_create_events ∷ RegistryCreateType Object List
a list of RegistryCreateType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- RegistryCreateType Object Value
- Details: RegistryCreateType Object
Property registry_delete_events ∷ RegistryDeleteType Object List
a list of RegistryDeleteType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- RegistryDeleteType Object Value
- Details: RegistryDeleteType Object
Property registry_rename_events ∷ RegistryRenameType Object List
a list of RegistryRenameType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- RegistryRenameType Object Value
- Details: RegistryRenameType Object
Property registry_set_events ∷ RegistrySetType Object List
a list of RegistrySetType
- This entry is optional
- This entry's type is sequential (allows zero or more values)
- RegistrySetType Object Value
- Details: RegistrySetType Object
RegistryRenameType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| registry_key | ShortStringString | ✓ | |
| registry_old_key | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | RegistryRenameTypeIdentifierString | ✓ | |
| process_guid | Integer | ||
| process_username | ShortStringString |
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property registry_key ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property registry_old_key ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ RegistryRenameTypeIdentifierString
-
This entry is required
- Must equal: "RegistryRenameEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
RegistryDeleteType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| registry_key | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | RegistryDeleteTypeIdentifierString | ✓ | |
| process_guid | Integer | ||
| process_username | ShortStringString | ||
| registry_value | MedStringString |
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property registry_key ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property registry_value ∷ MedStringString
-
This entry is optional
- MedString String with at most 2048 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ RegistryDeleteTypeIdentifierString
-
This entry is required
- Must equal: "RegistryDeleteEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
RegistrySetType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| registry_key | ShortStringString | ✓ | |
| registry_value | MedStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | RegistrySetTypeIdentifierString | ✓ | |
| process_guid | Integer | ||
| process_username | ShortStringString | ||
| registry_data | LongStringString | ||
| registry_data_length | Integer |
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property registry_data ∷ LongStringString
-
This entry is optional
- LongString String with at most 5000 characters.
Property registry_data_length ∷ Integer
- This entry is optional
Property registry_key ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property registry_value ∷ MedStringString
-
This entry is required
- MedString String with at most 2048 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ RegistrySetTypeIdentifierString
-
This entry is required
- Must equal: "RegistrySetEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
RegistryCreateType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| registry_key | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | RegistryCreateTypeIdentifierString | ✓ | |
| process_guid | Integer | ||
| process_username | ShortStringString |
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property registry_key ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ RegistryCreateTypeIdentifierString
-
This entry is required
- Must equal: "RegistryCreateEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
HTTPType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| host | ShortStringString | ✓ | |
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| traffic | Traffic Object | ✓ | |
| type | HTTPTypeIdentifierString | ✓ | |
| encrypted | Boolean | ||
| method | HTTPMethodString | ||
| process_guid | Integer | ||
| process_username | ShortStringString | ||
| query | LongStringString | ||
| url_port | Integer |
Property encrypted ∷ Boolean
- This entry is optional
Property host ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property method ∷ HTTPMethodString
-
This entry is optional
- Allowed Values:
- CONNECT
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
- TRACE
- Allowed Values:
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property query ∷ LongStringString
-
This entry is optional
- LongString String with at most 5000 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property traffic ∷ Traffic Object
- This entry is required
- Traffic Object Value
- Details: Traffic Object
Property type ∷ HTTPTypeIdentifierString
-
This entry is required
- Must equal: "HTTPEvent"
Property url_port ∷ Integer
- This entry is optional
Traffic Object
| Property | Type | Description | Required? |
|---|---|---|---|
| destination_ip | String | ✓ | |
| destination_port | Integer | ✓ | |
| direction | TrafficDirectionString | ✓ | |
| protocol | Integer | The IP protocol id | ✓ |
| source_ip | String | ✓ | |
| source_port | Integer | ✓ | |
| destination_host_name | String | ||
| destination_subnet | String | ||
| source_subnet | String |
Property destination_host_name ∷ String
- This entry is optional
Property destination_ip ∷ String
- This entry is required
Property destination_port ∷ Integer
- This entry is required
Property destination_subnet ∷ String
- This entry is optional
Property direction ∷ TrafficDirectionString
-
This entry is required
- Allowed Values:
- incoming
- outgoing
- Allowed Values:
Property protocol ∷ Integer
The IP protocol id
- This entry is required
Property source_ip ∷ String
- This entry is required
Property source_port ∷ Integer
- This entry is required
Property source_subnet ∷ String
- This entry is optional
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
NetflowType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| traffic | Traffic Object | ✓ | |
| type | NetflowTypeIdentifierString | ✓ | |
| byte_count_in | Integer | ||
| byte_count_out | Integer | ||
| flow_time | Inst (Date) | ||
| parent_process_account | ShortStringString | ||
| parent_process_account_type | ShortStringString | ||
| parent_process_args | ShortStringString | ||
| parent_process_hash | ShortStringString | ||
| parent_process_id | Integer | ||
| parent_process_name | ShortStringString | ||
| parent_process_path | ShortStringString | ||
| process_account | ShortStringString | ||
| process_account_type | ShortStringString | ||
| process_args | ShortStringString | ||
| process_guid | Integer | ||
| process_hash | ShortStringString | ||
| process_path | ShortStringString | ||
| process_username | ShortStringString |
Property byte_count_in ∷ Integer
- This entry is optional
Property byte_count_out ∷ Integer
- This entry is optional
Property flow_time ∷ Inst (Date)
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property parent_process_account ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_account_type ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_args ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_hash ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_id ∷ Integer
- This entry is optional
Property parent_process_name ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_path ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_account ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_account_type ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_args ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_hash ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_path ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property traffic ∷ Traffic Object
- This entry is required
- Traffic Object Value
- Details: Traffic Object
Property type ∷ NetflowTypeIdentifierString
-
This entry is required
- Must equal: "NetflowEvent"
Traffic Object
| Property | Type | Description | Required? |
|---|---|---|---|
| destination_ip | String | ✓ | |
| destination_port | Integer | ✓ | |
| direction | TrafficDirectionString | ✓ | |
| protocol | Integer | The IP protocol id | ✓ |
| source_ip | String | ✓ | |
| source_port | Integer | ✓ | |
| destination_host_name | String | ||
| destination_subnet | String | ||
| source_subnet | String |
Property destination_host_name ∷ String
- This entry is optional
Property destination_ip ∷ String
- This entry is required
Property destination_port ∷ Integer
- This entry is required
Property destination_subnet ∷ String
- This entry is optional
Property direction ∷ TrafficDirectionString
-
This entry is required
- Allowed Values:
- incoming
- outgoing
- Allowed Values:
Property protocol ∷ Integer
The IP protocol id
- This entry is required
Property source_ip ∷ String
- This entry is required
Property source_port ∷ Integer
- This entry is required
Property source_subnet ∷ String
- This entry is optional
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
FileMoveType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| file_name | ShortStringString | ✓ | |
| file_path | MedStringString | ✓ | |
| new_name | ShortStringString | ✓ | |
| old_name | ShortStringString | ✓ | |
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | FileMoveTypeIdentifierString | ✓ | |
| process_guid | Integer | ||
| process_username | ShortStringString |
Property file_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property file_path ∷ MedStringString
-
This entry is required
- MedString String with at most 2048 characters.
Property new_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property old_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ FileMoveTypeIdentifierString
-
This entry is required
- Must equal: "FileMoveEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
FileModifyType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| file_name | ShortStringString | ✓ | |
| file_path | MedStringString | ✓ | |
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | FileModifyTypeIdentifierString | ✓ | |
| failed | Boolean | ||
| process_guid | Integer | ||
| process_username | ShortStringString |
Property failed ∷ Boolean
- This entry is optional
Property file_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property file_path ∷ MedStringString
-
This entry is required
- MedString String with at most 2048 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ FileModifyTypeIdentifierString
-
This entry is required
- Must equal: "FileModifyEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
FileDeleteType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| file_name | ShortStringString | ✓ | |
| file_path | MedStringString | ✓ | |
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | FileDeleteTypeIdentifierString | ✓ | |
| failed | Boolean | ||
| process_guid | Integer | ||
| process_username | ShortStringString |
Property failed ∷ Boolean
- This entry is optional
Property file_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property file_path ∷ MedStringString
-
This entry is required
- MedString String with at most 2048 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ FileDeleteTypeIdentifierString
-
This entry is required
- Must equal: "FileDeleteEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
FileCreateType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| file_name | ShortStringString | ✓ | |
| file_path | MedStringString | ✓ | |
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | FileCreateTypeIdentifierString | ✓ | |
| failed | Boolean | ||
| process_guid | Integer | ||
| process_username | ShortStringString |
Property failed ∷ Boolean
- This entry is optional
Property file_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property file_path ∷ MedStringString
-
This entry is required
- MedString String with at most 2048 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ FileCreateTypeIdentifierString
-
This entry is required
- Must equal: "FileCreateEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
LibraryLoadType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| dll_library_name | ShortStringString | ✓ | |
| dll_library_path | MedStringString | ✓ | |
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | LibraryLoadTypeIdentifierString | ✓ | |
| process_guid | Integer | ||
| process_username | ShortStringString |
Property dll_library_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property dll_library_path ∷ MedStringString
-
This entry is required
- MedString String with at most 2048 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ LibraryLoadTypeIdentifierString
-
This entry is required
- Must equal: "LibraryLoadEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
ProcessCreateType Object
| Property | Type | Description | Required? |
|---|---|---|---|
| process_id | Integer | ✓ | |
| process_name | ShortStringString | ✓ | |
| time | ObservedTime Object | ✓ | |
| type | ProcessCreateTypeIdentifierString | ✓ | |
| parent_creation_time | Inst (Date) | ||
| parent_process_args | MedStringString | ||
| parent_process_disposition | ShortStringString | ||
| parent_process_guid | Integer | ||
| parent_process_hash | MedStringString | ||
| parent_process_id | Integer | ||
| parent_process_name | ShortStringString | ||
| parent_process_size | Integer | ||
| parent_process_username | ShortStringString | ||
| process_args | MedStringString | ||
| process_disposition | ShortStringString | ||
| process_guid | Integer | ||
| process_hash | MedStringString | ||
| process_size | Integer | ||
| process_username | ShortStringString |
Property parent_creation_time ∷ Inst (Date)
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property parent_process_args ∷ MedStringString
-
This entry is optional
- MedString String with at most 2048 characters.
Property parent_process_disposition ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_guid ∷ Integer
- This entry is optional
Property parent_process_hash ∷ MedStringString
-
This entry is optional
- MedString String with at most 2048 characters.
Property parent_process_id ∷ Integer
- This entry is optional
Property parent_process_name ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property parent_process_size ∷ Integer
- This entry is optional
Property parent_process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_args ∷ MedStringString
-
This entry is optional
- MedString String with at most 2048 characters.
Property process_disposition ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property process_guid ∷ Integer
- This entry is optional
Property process_hash ∷ MedStringString
-
This entry is optional
- MedString String with at most 2048 characters.
Property process_id ∷ Integer
- This entry is required
Property process_name ∷ ShortStringString
-
This entry is required
- ShortString String with at most 1024 characters.
Property process_size ∷ Integer
- This entry is optional
Property process_username ∷ ShortStringString
-
This entry is optional
- ShortString String with at most 1024 characters.
Property time ∷ ObservedTime Object
- This entry is required
- ObservedTime Object Value
- Details: ObservedTime Object
Property type ∷ ProcessCreateTypeIdentifierString
-
This entry is required
- Must equal: "ProcessCreateEvent"
ObservedTime Object
ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).
| Property | Type | Description | Required? |
|---|---|---|---|
| start_time | Inst (Date) | Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period. | ✓ |
| end_time | Inst (Date) | If the observation was made over a period of time, than this field indicates the end of that period. |
- Reference: ValidTimeType
Property end_time ∷ Inst (Date)
If the observation was made over a period of time, than this field indicates the end of that period.
-
This entry is optional
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Property start_time ∷ Inst (Date)
Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period.
-
This entry is required
- ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
Can you improve this documentation? These fine people already did:
Stephen Sloan, Ag Ibragimov, Guillaume Erétéo, Matthieu Sprunck, jyoverma, Guillaume Buisson, Scott McLeod, Craig Brozefsky, Yann Esposito, t2sw, Yann Esposito (Yogsototh), Mark Herman, Ambrose Bonnaire-Sergeant & Guillaume ERETEOEdit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close