Liking cljdoc? Tell your friends :D

Sighting Object

Sighting A single sighting of an indicator

PropertyTypeDescriptionRequired?
confidenceHighMedLowString
countIntegerThe number of times the sighting was seen
idStringGlobally unique URI identifying this object.
observed_timeObservedTime Object
schema_versionStringCTIM schema version for this entity
typeSightingTypeIdentifierString
contextContext ObjectContext including the event type that best fits the type of the sighting
dataSightingDataTable ObjectAn embedded data table for the Sighting.
descriptionMarkdownStringA description of object, which may be detailed.
external_idsString List
external_referencesExternalReference Object ListSpecifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
internalBooleanIs it internal to our network
languageShortStringStringThe human language this object is specified in.
observablesObservable Object ListThe object(s) of interest
relationsObservedRelation Object ListProvide any context we can about where the observable came from
resolutionResolutionString
revisionIntegerA monotonically increasing revision, incremented each time the object is changed.
sensorSensorStringThe OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)
sensor_coordinatesSensorCoordinates Object
severitySeverityString
short_descriptionMedStringStringA single line, short summary of the object.
sourceMedStringString
source_uriString
targetsIdentitySpecification Object ListThe target device. Where the sighting came from.
timestampInst (Date)The time this object was created at, or last modified.
titleShortStringStringA short title for this object, used as primary display and reference value
tlpTLPStringSpecification for how, and to whom, this object can be shared.

Property confidence ∷ HighMedLowString

  • This entry is required

Property context ∷ Context Object

Context including the event type that best fits the type of the sighting

  • This entry is optional

Property count ∷ Integer

The number of times the sighting was seen

  • This entry is required

    • Zero, or a positive integer

Property data ∷ SightingDataTable Object

An embedded data table for the Sighting.

  • This entry is optional

Property description ∷ MarkdownString

A description of object, which may be detailed.

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters

Property external_ids ∷ String List

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property external_references ∷ ExternalReference Object List

Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property id ∷ String

Globally unique URI identifying this object.

  • This entry is required

    • IDs are URIs, for example https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014 for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.

Property internal ∷ Boolean

Is it internal to our network

  • This entry is optional

Property language ∷ ShortStringString

The human language this object is specified in.

  • This entry is optional

    • ShortString String with at most 1024 characters

Property observables ∷ Observable Object List

The object(s) of interest

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property relations ∷ ObservedRelation Object List

Provide any context we can about where the observable came from

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property resolution ∷ ResolutionString

  • This entry is optional

    • Resolution indicates if the sensor that is reporting the Sighting already took action on it, for instance a Firewall blocking the IP
    • Default: detected
    • Allowed Values:
      • allowed
      • blocked
      • contained
      • detected

Property revision ∷ Integer

A monotonically increasing revision, incremented each time the object is changed.

  • This entry is optional

    • Zero, or a positive integer

Property schema_version ∷ String

CTIM schema version for this entity

  • This entry is required

    • A semantic version matching the CTIM version against which this object should be valid.

Property sensor ∷ SensorString

The OpenC2 Actuator name that best fits the device that is creating this sighting (e.g. network.firewall)

  • This entry is optional

    • Sensor The sensor/actuator name that best fits a device

    • Allowed Values:

      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

Property sensor_coordinates ∷ SensorCoordinates Object

  • This entry is optional

Property severity ∷ SeverityString

  • This entry is optional

    • Allowed Values:
      • Critical
      • High
      • Info
      • Low
      • Medium
      • None
      • Unknown

Property short_description ∷ MedStringString

A single line, short summary of the object.

  • This entry is optional

    • MedString String with at most 2048 characters

Property source ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters

Property source_uri ∷ String

  • This entry is optional

    • A URI

Property targets ∷ IdentitySpecification Object List

The target device. Where the sighting came from.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property timestamp ∷ Inst (Date)

The time this object was created at, or last modified.

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property title ∷ ShortStringString

A short title for this object, used as primary display and reference value

  • This entry is optional

    • ShortString String with at most 1024 characters

Property tlp ∷ TLPString

Specification for how, and to whom, this object can be shared.

  • This entry is optional

    • TLP TLP stands for Traffic Light Protocol, which indicates precisely how this resource is intended to be shared, replicated, copied, etc.
    • Default: green
    • Allowed Values:
      • amber
      • green
      • red
      • white

Property type ∷ SightingTypeIdentifierString

  • This entry is required

    • Must equal: "sighting"

ExternalReference Object

ExternalReference External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.

PropertyTypeDescriptionRequired?
source_nameMedStringStringThe source within which the external-reference is defined (system, registry, organization, etc.)
descriptionMarkdownString
external_idStringAn identifier for the external reference content.
hashesString ListSpecifies a dictionary of hashes for the contents of the url.
urlStringA URL reference to an external resource

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters

Property external_id ∷ String

An identifier for the external reference content.

  • This entry is optional

Property hashes ∷ String List

Specifies a dictionary of hashes for the contents of the url.

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property source_name ∷ MedStringString

The source within which the external-reference is defined (system, registry, organization, etc.)

  • This entry is required

    • MedString String with at most 2048 characters

Property url ∷ String

A URL reference to an external resource

  • This entry is optional

    • A URI

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

SightingDataTable Object

SightingDataTable An embedded data table for sightings data.

PropertyTypeDescriptionRequired?
columnsColumnDefinition Object Listan ordered list of column definitions
rowsAnything Listan ordered list of rows
row_countIntegerThe number of rows in the data table.

Property columns ∷ ColumnDefinition Object List

an ordered list of column definitions

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property row_count ∷ Integer

The number of rows in the data table.

  • This entry is optional

Property rows ∷ Anything List List

an ordered list of rows

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

ColumnDefinition Object

PropertyTypeDescriptionRequired?
nameString
typeColumnTypeString
descriptionMarkdownString
requiredBooleanIf true, the row entries for this column cannot contain nulls. Defaults to true
short_descriptionString

Property description ∷ MarkdownString

  • This entry is optional

    • Markdown Markdown string with at most 5000 characters

Property name ∷ String

  • This entry is required

Property required ∷ Boolean

If true, the row entries for this column cannot contain nulls. Defaults to true

  • This entry is optional

Property short_description ∷ String

  • This entry is optional

Property type ∷ ColumnTypeString

  • This entry is required

    • Allowed Values:
      • integer
      • markdown
      • number
      • observable
      • string
      • url

SensorCoordinates Object

SensorCoordinates Describes the device that made the sighting (sensor) and contains identifying observables for the sensor.

PropertyTypeDescriptionRequired?
observablesObservable Object List
typeSensorString
osString

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property os ∷ String

  • This entry is optional

Property type ∷ SensorString

  • This entry is required

    • Sensor The sensor/actuator name that best fits a device

    • Allowed Values:

      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierString
valueString

Property type ∷ ObservableTypeIdentifierString

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • crowdstrike_id
      • cybereason_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_username
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

  • This entry is required

IdentitySpecification Object

IdentitySpecification Describes the target of the sighting and contains identifying observables for the target.

PropertyTypeDescriptionRequired?
observablesObservable Object List
observed_timeObservedTime Object
typeSensorString
osString

Property observables ∷ Observable Object List

  • This entry is required
  • This entry's type is sequential (allows zero or more values)

Property observed_time ∷ ObservedTime Object

  • This entry is required

Property os ∷ String

  • This entry is optional

Property type ∷ SensorString

  • This entry is required

    • Sensor The sensor/actuator name that best fits a device

    • Allowed Values:

      • endpoint
      • endpoint.digital-telephone-handset
      • endpoint.laptop
      • endpoint.pos-terminal
      • endpoint.printer
      • endpoint.sensor
      • endpoint.server
      • endpoint.smart-meter
      • endpoint.smart-phone
      • endpoint.tablet
      • endpoint.workstation
      • network
      • network.bridge
      • network.firewall
      • network.gateway
      • network.guard
      • network.hips
      • network.hub
      • network.ids
      • network.ips
      • network.modem
      • network.nic
      • network.proxy
      • network.router
      • network.security_manager
      • network.sense_making
      • network.sensor
      • network.switch
      • network.vpn
      • network.wap
      • process
      • process.aaa-server
      • process.anti-virus-scanner
      • process.connection-scanner
      • process.directory-service
      • process.dns-server
      • process.email-service
      • process.file-scanner
      • process.location-service
      • process.network-scanner
      • process.remediation-service
      • process.reputation-service
      • process.sandbox
      • process.virtualization-service
      • process.vulnerability-scanner

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierString
valueString

Property type ∷ ObservableTypeIdentifierString

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • crowdstrike_id
      • cybereason_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_username
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierString
valueString

Property type ∷ ObservableTypeIdentifierString

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • crowdstrike_id
      • cybereason_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_username
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

  • This entry is required

ObservedRelation Object

ObservedRelation A relation inside a Sighting.

PropertyTypeDescriptionRequired?
originString
relatedObservable Object
relationObservableRelationTypeString
sourceObservable Object
origin_uriString
relation_infoObject

Property origin ∷ String

  • This entry is required

Property origin_uri ∷ String

  • This entry is optional

    • A URI

Property related ∷ Observable Object

  • This entry is required

Property relation ∷ ObservableRelationTypeString

  • This entry is required

    • Allowed Values:
      • Allocated
      • Allocated_By
      • Attached_To
      • Bound
      • Bound_By
      • Characterized_By
      • Characterizes
      • Child_Of
      • Closed
      • Closed_By
      • Compressed
      • Compressed_By
      • Compressed_From
      • Compressed_Into
      • Connected_From
      • Connected_To
      • Contained_Within
      • Contains
      • Copied
      • Copied_By
      • Copied_From
      • Copied_To
      • Created
      • Created_By
      • Decoded
      • Decoded_By
      • Decompressed
      • Decompressed_By
      • Decrypted
      • Decrypted_By
      • Deleted
      • Deleted_By
      • Deleted_From
      • Downloaded
      • Downloaded_By
      • Downloaded_From
      • Downloaded_To
      • Dropped
      • Dropped_By
      • Encoded
      • Encoded_By
      • Encrypted
      • Encrypted_By
      • Encrypted_From
      • Encrypted_To
      • Extracted_From
      • FQDN_Of
      • Freed
      • Freed_By
      • Hooked
      • Hooked_By
      • Initialized_By
      • Initialized_To
      • Injected
      • Injected_As
      • Injected_By
      • Injected_Into
      • Installed
      • Installed_By
      • Joined
      • Joined_By
      • Killed
      • Killed_By
      • Listened_On
      • Listened_On_By
      • Loaded_From
      • Loaded_Into
      • Locked
      • Locked_By
      • Mapped_By
      • Mapped_Into
      • Merged
      • Merged_By
      • Modified_Properties_Of
      • Monitored
      • Monitored_By
      • Moved
      • Moved_By
      • Moved_From
      • Moved_To
      • Opened
      • Opened_By
      • Packed
      • Packed_By
      • Packed_From
      • Packed_Into
      • Parent_Of
      • Paused
      • Paused_By
      • Previously_Contained
      • Properties_Modified_By
      • Properties_Queried
      • Properties_Queried_By
      • Read_From
      • Read_From_By
      • Received
      • Received_By
      • Received_From
      • Received_Via_Upload
      • Redirects_To
      • Refers_To
      • Related_To
      • Renamed
      • Renamed_By
      • Renamed_From
      • Renamed_To
      • Resolved_To
      • Resumed
      • Resumed_By
      • Root_Domain_Of
      • Searched_For
      • Searched_For_By
      • Sent
      • Sent_By
      • Sent_To
      • Sent_Via_Upload
      • Set_From
      • Set_To
      • Sub-domain_Of
      • Supra-domain_Of
      • Suspended
      • Suspended_By
      • Unhooked
      • Unhooked_By
      • Unlocked
      • Unlocked_By
      • Unpacked
      • Unpacked_By
      • Uploaded
      • Uploaded_By
      • Uploaded_From
      • Uploaded_To
      • Used
      • Used_By
      • Values_Enumerated
      • Values_Enumerated_By
      • Written_To_By
      • Wrote_To

Property relation_info ∷ Object

  • This entry is optional

Property source ∷ Observable Object

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierString
valueString

Property type ∷ ObservableTypeIdentifierString

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • crowdstrike_id
      • cybereason_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_username
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

  • This entry is required

Observable Object

Observable A simple, atomic value which has a consistent identity, and is stable enough to be attributed an intent or nature. This is the classic 'indicator' which might appear in a data feed of bad IPs, or bad Domains. These do not exist as objects within the CTIA storage model, so you never create an observable.

PropertyTypeDescriptionRequired?
typeObservableTypeIdentifierString
valueString

Property type ∷ ObservableTypeIdentifierString

  • This entry is required

    • ObservableTypeIdentifier Observable type names
    • Allowed Values:
      • amp_computer_guid
      • certificate_common_name
      • certificate_issuer
      • certificate_serial
      • cisco_cm_id
      • cisco_mid
      • cisco_uc_id
      • crowdstrike_id
      • cybereason_id
      • device
      • domain
      • email
      • email_messageid
      • email_subject
      • file_name
      • file_path
      • hostname
      • imei
      • imsi
      • ip
      • ipv6
      • mac_address
      • md5
      • ms_machine_id
      • mutex
      • ngfw_id
      • ngfw_name
      • odns_identity
      • odns_identity_label
      • orbital_node_id
      • pki_serial
      • process_args
      • process_hash
      • process_name
      • process_path
      • process_username
      • registry_key
      • registry_name
      • registry_path
      • s1_agent_id
      • serial_number
      • sha1
      • sha256
      • swc_device_id
      • trend_micro_id
      • url
      • user
      • user_agent

Property value ∷ String

  • This entry is required

Object

PropertyTypeDescriptionRequired?
KeywordAnything

Property Keyword ∷ Anything

  • This entry is required

Context Object

PropertyTypeDescriptionRequired?
file_create_eventsFileCreateType Object Lista list of FileCreateType
file_delete_eventsFileDeleteType Object Lista list of FileDeleteType
file_modify_eventsFileModifyType Object Lista list of FileModifyType
file_move_eventsFileMoveType Object Lista list of FileMoveType
http_eventsHTTPType Object Lista list of HTTPType
library_load_eventsLibraryLoadType Object Lista list of LibraryLoadType
netflow_eventsNetflowType Object Lista list of NetflowType
process_create_eventsProcessCreateType Object Lista list of ProcessCreate
registry_create_eventsRegistryCreateType Object Lista list of RegistryCreateType
registry_delete_eventsRegistryDeleteType Object Lista list of RegistryDeleteType
registry_rename_eventsRegistryRenameType Object Lista list of RegistryRenameType
registry_set_eventsRegistrySetType Object Lista list of RegistrySetType

Property file_create_events ∷ FileCreateType Object List

a list of FileCreateType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property file_delete_events ∷ FileDeleteType Object List

a list of FileDeleteType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property file_modify_events ∷ FileModifyType Object List

a list of FileModifyType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property file_move_events ∷ FileMoveType Object List

a list of FileMoveType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property http_events ∷ HTTPType Object List

a list of HTTPType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property library_load_events ∷ LibraryLoadType Object List

a list of LibraryLoadType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property netflow_events ∷ NetflowType Object List

a list of NetflowType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property process_create_events ∷ ProcessCreateType Object List

a list of ProcessCreate

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_create_events ∷ RegistryCreateType Object List

a list of RegistryCreateType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_delete_events ∷ RegistryDeleteType Object List

a list of RegistryDeleteType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_rename_events ∷ RegistryRenameType Object List

a list of RegistryRenameType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

Property registry_set_events ∷ RegistrySetType Object List

a list of RegistrySetType

  • This entry is optional
  • This entry's type is sequential (allows zero or more values)

RegistryRenameType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
registry_old_keyShortStringString
timeObservedTime Object
typeRegistryRenameTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property registry_old_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistryRenameTypeIdentifierString

  • This entry is required

    • Must equal: "RegistryRenameEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryDeleteType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
registry_valueMedStringString
timeObservedTime Object
typeRegistryDeleteTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property registry_value ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistryDeleteTypeIdentifierString

  • This entry is required

    • Must equal: "RegistryDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistrySetType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_dataLongStringString
registry_keyShortStringString
registry_valueMedStringString
timeObservedTime Object
typeRegistrySetTypeIdentifierString
process_guidInteger
process_usernameShortStringString
registry_data_lengthInteger

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property registry_data ∷ LongStringString

  • This entry is required

    • LongString String with at most 5000 characters

Property registry_data_length ∷ Integer

  • This entry is optional

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property registry_value ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistrySetTypeIdentifierString

  • This entry is required

    • Must equal: "RegistrySetEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

RegistryCreateType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
registry_keyShortStringString
timeObservedTime Object
typeRegistryCreateTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property registry_key ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ RegistryCreateTypeIdentifierString

  • This entry is required

    • Must equal: "RegistryCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

HTTPType Object

PropertyTypeDescriptionRequired?
hostShortStringString
methodHTTPMethodString
process_idInteger
process_nameShortStringString
timeObservedTime Object
trafficTraffic Object
typeHTTPTypeIdentifierString
url_portInteger
encryptedBoolean
process_guidInteger
process_usernameShortStringString
queryLongStringString

Property encrypted ∷ Boolean

  • This entry is optional

Property host ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property method ∷ HTTPMethodString

  • This entry is required

    • Allowed Values:
      • CONNECT
      • GET
      • HEAD
      • OPTIONS
      • PATCH
      • POST
      • PUT
      • TRACE

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property query ∷ LongStringString

  • This entry is optional

    • LongString String with at most 5000 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property traffic ∷ Traffic Object

  • This entry is required

Property type ∷ HTTPTypeIdentifierString

  • This entry is required

    • Must equal: "HTTPEvent"

Property url_port ∷ Integer

  • This entry is required

Traffic Object

PropertyTypeDescriptionRequired?
destination_ipString
destination_portInteger
directionTrafficDirectionString
protocolString
source_ipString
source_portInteger
destination_host_nameString
destination_subnetString
source_subnetString

Property destination_host_name ∷ String

  • This entry is optional

Property destination_ip ∷ String

  • This entry is required

Property destination_port ∷ Integer

  • This entry is required

Property destination_subnet ∷ String

  • This entry is optional

Property direction ∷ TrafficDirectionString

  • This entry is required

    • Allowed Values:
      • incoming
      • outgoing

Property protocol ∷ String

  • This entry is required

Property source_ip ∷ String

  • This entry is required

Property source_port ∷ Integer

  • This entry is required

Property source_subnet ∷ String

  • This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

NetflowType Object

PropertyTypeDescriptionRequired?
process_idInteger
process_nameShortStringString
timeObservedTime Object
trafficTraffic Object
typeNetflowTypeIdentifierString
byte_count_inInteger
byte_count_outInteger
flow_timeInst (Date)
parent_process_accountShortStringString
parent_process_account_typeShortStringString
parent_process_argsShortStringString
parent_process_hashShortStringString
parent_process_idInteger
parent_process_nameShortStringString
parent_process_pathShortStringString
process_accountShortStringString
process_account_typeShortStringString
process_argsShortStringString
process_guidInteger
process_hashShortStringString
process_pathShortStringString
process_usernameShortStringString

Property byte_count_in ∷ Integer

  • This entry is optional

Property byte_count_out ∷ Integer

  • This entry is optional

Property flow_time ∷ Inst (Date)

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_account ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_account_type ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_args ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_hash ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_id ∷ Integer

  • This entry is optional

Property parent_process_name ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_path ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_account ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_account_type ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_args ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_hash ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_path ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property traffic ∷ Traffic Object

  • This entry is required

Property type ∷ NetflowTypeIdentifierString

  • This entry is required

    • Must equal: "NetflowEvent"

Traffic Object

PropertyTypeDescriptionRequired?
destination_ipString
destination_portInteger
directionTrafficDirectionString
protocolString
source_ipString
source_portInteger
destination_host_nameString
destination_subnetString
source_subnetString

Property destination_host_name ∷ String

  • This entry is optional

Property destination_ip ∷ String

  • This entry is required

Property destination_port ∷ Integer

  • This entry is required

Property destination_subnet ∷ String

  • This entry is optional

Property direction ∷ TrafficDirectionString

  • This entry is required

    • Allowed Values:
      • incoming
      • outgoing

Property protocol ∷ String

  • This entry is required

Property source_ip ∷ String

  • This entry is required

Property source_port ∷ Integer

  • This entry is required

Property source_subnet ∷ String

  • This entry is optional

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileMoveType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
new_nameShortStringString
old_nameShortStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileMoveTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property new_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property old_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileMoveTypeIdentifierString

  • This entry is required

    • Must equal: "FileMoveEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileModifyType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileModifyTypeIdentifierString
failedBoolean
process_guidInteger
process_usernameShortStringString

Property failed ∷ Boolean

  • This entry is optional

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileModifyTypeIdentifierString

  • This entry is required

    • Must equal: "FileModifyEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileDeleteType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileDeleteTypeIdentifierString
failedBoolean
process_guidInteger
process_usernameShortStringString

Property failed ∷ Boolean

  • This entry is optional

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileDeleteTypeIdentifierString

  • This entry is required

    • Must equal: "FileDeleteEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

FileCreateType Object

PropertyTypeDescriptionRequired?
file_nameShortStringString
file_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeFileCreateTypeIdentifierString
failedBoolean
process_guidInteger
process_usernameShortStringString

Property failed ∷ Boolean

  • This entry is optional

Property file_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property file_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ FileCreateTypeIdentifierString

  • This entry is required

    • Must equal: "FileCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

LibraryLoadType Object

PropertyTypeDescriptionRequired?
dll_library_nameShortStringString
dll_library_pathMedStringString
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeLibraryLoadTypeIdentifierString
process_guidInteger
process_usernameShortStringString

Property dll_library_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property dll_library_path ∷ MedStringString

  • This entry is required

    • MedString String with at most 2048 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ LibraryLoadTypeIdentifierString

  • This entry is required

    • Must equal: "LibraryLoadEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

ProcessCreateType Object

PropertyTypeDescriptionRequired?
creation_timeInst (Date)
process_idInteger
process_nameShortStringString
timeObservedTime Object
typeProcessCreateTypeIdentifierString
parent_creation_timeInst (Date)
parent_process_argsMedStringString
parent_process_dispositionShortStringString
parent_process_guidInteger
parent_process_hashMedStringString
parent_process_idInteger
parent_process_nameShortStringString
parent_process_sizeInteger
parent_process_usernameShortStringString
process_argsMedStringString
process_dispositionShortStringString
process_guidInteger
process_hashMedStringString
process_sizeInteger
process_usernameShortStringString

Property creation_time ∷ Inst (Date)

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_creation_time ∷ Inst (Date)

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property parent_process_args ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters

Property parent_process_disposition ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_guid ∷ Integer

  • This entry is optional

Property parent_process_hash ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters

Property parent_process_id ∷ Integer

  • This entry is optional

Property parent_process_name ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property parent_process_size ∷ Integer

  • This entry is optional

Property parent_process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_args ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters

Property process_disposition ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property process_guid ∷ Integer

  • This entry is optional

Property process_hash ∷ MedStringString

  • This entry is optional

    • MedString String with at most 2048 characters

Property process_id ∷ Integer

  • This entry is required

Property process_name ∷ ShortStringString

  • This entry is required

    • ShortString String with at most 1024 characters

Property process_size ∷ Integer

  • This entry is optional

Property process_username ∷ ShortStringString

  • This entry is optional

    • ShortString String with at most 1024 characters

Property time ∷ ObservedTime Object

  • This entry is required

Property type ∷ ProcessCreateTypeIdentifierString

  • This entry is required

    • Must equal: "ProcessCreateEvent"

ObservedTime Object

ObservedTime Period of time when a cyber observation is valid. start_time must come before end_time (if specified).

PropertyTypeDescriptionRequired?
start_timeInst (Date)Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period
end_timeInst (Date)If the observation was made over a period of time, than this field indicates the end of that period

Property end_time ∷ Inst (Date)

If the observation was made over a period of time, than this field indicates the end of that period

  • This entry is optional

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.

Property start_time ∷ Inst (Date)

Time of the observation. If the observation was made over a period of time, than this field indicates the start of that period

  • This entry is required

    • ISO8601 Timestamp Schema definition for all date or timestamp values. Serialized as a string, the field should follow the rules of the ISO8601 standard.
*Relationship* Object*TargetRecord* Object

Can you improve this documentation? These fine people already did:
Stephen Sloan, Guillaume Erétéo, Matthieu Sprunck, jyoverma, Guillaume Buisson, Scott McLeod, Ag Ibragimov, Craig Brozefsky, Yann Esposito, Yann Esposito (Yogsototh) & Ambrose Bonnaire-SergeantEdit on GitHub

cljdoc is a website building & hosting documentation for Clojure/Script libraries

Keyboard shortcutsReport a problemcljdoc on GitHub
× close