Classes
The OCSF event classes.
Name | Caption | ID | Description |
---|---|---|---|
base_event | Base Event [0] | 0 | The base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema. |
file_activity | File System Activity [1001] | 1001 | File System Activity events report when a process performs an action on a file or folder. |
kernel_extension_activity | Kernel Extension Activity [1002] | 1002 | Kernel Extension events report when a driver/extension is loaded into or unloaded from the kernel. |
kernel_activity | Kernel Activity [1003] | 1003 | Kernel Activity events report when a process creates, reads, or deletes a kernel resource. |
memory_activity | Memory Activity [1004] | 1004 | Memory Activity events report when a process has memory allocated, read/modified, or otherwise manipulated, such as a buffer overflow or turning off data execution protection (DEP). |
module_activity | Module Activity [1005] | 1005 | Module Activity events report when a process loads or unloads a module. |
scheduled_job_activity | Scheduled Job Activity [1006] | 1006 | Scheduled Job Activity events report activities related to scheduled jobs or tasks. |
process_activity | Process Activity [1007] | 1007 | Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise. |
event_log_actvity | Event Log Activity [1008] | 1008 | Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data. |
script_activity | Script Activity [1009] | 1009 | Script Activity events report when a process executes a script. |
security_finding | Security Finding [2001] | 2001 | Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. DEPRECATED since v1.1.0. Use the new specific classes according to the use case: Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding, Data Security Finding. |
vulnerability_finding | Vulnerability Finding [2002] | 2002 | The Vulnerability Finding event is a notification about a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. Note: if the Finding is an incident, i.e. requires an incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding. |
compliance_finding | Compliance Finding [2003] | 2003 | Compliance Finding events describe results of evaluations performed against resources, to check compliance with various industry frameworks or security standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001, etc. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. Note: if the Finding is an incident, i.e. requires an incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding. |
detection_finding | Detection Finding [2004] | 2004 | A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. Note: if the Finding is an incident, i.e. requires an incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding. |
incident_finding | Incident Finding [2005] | 2005 | An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics. Note: Incident Finding implicitly includes the incident profile and it should be added to the metadata.profiles[] array. |
data_security_finding | Data Security Finding [2006] | 2006 | A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints that accessed or own the sensitive data, as well as the resources that store the sensitive data. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. Note: if the Finding is an incident, i.e. requires an incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding. |
application_security_posture_finding | Application Security Posture Finding [2007] | 2007 | The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context, including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object. Note: if the Finding is an incident, i.e. requires an incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding. |
account_change | Account Change [3001] | 3001 | Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked. |
authentication | Authentication [3002] | 3002 | Authentication events report authentication session activities, including user attempts to log on or log off, regardless of success, as well as other key stages within the authentication process. These events are typically generated by authentication services, such as Kerberos, OIDC, or SAML, and may include information about the user, the authentication method used, and the status of the authentication attempt. |
authorize_session | Authorize Session [3003] | 3003 | Authorize Session events report privileges or groups assigned to a new user session, usually at login time. |
entity_management | Entity Management [3004] | 3004 | Entity Management events report activity by a managed client, a microservice, or a user at a management console. The activity can be a create, read, update, or delete operation on a managed entity. |
user_access | User Access Management [3005] | 3005 | User Access Management events report management updates to a user's privileges. |
group_management | Group Management [3006] | 3006 | Group Management events report management updates to a group, including updates to membership and permissions. |
network_activity | Network Activity [4001] | 4001 | Network Activity events report network connection and traffic activity. |
http_activity | HTTP Activity [4002] | 4002 | HTTP Activity events report HTTP connection and traffic information. |
dns_activity | DNS Activity [4003] | 4003 | DNS Activity events report DNS queries and answers as seen on the network. |
dhcp_activity | DHCP Activity [4004] | 4004 | DHCP Activity events report MAC to IP assignment via DHCP from a client or server. |
rdp_activity | RDP Activity [4005] | 4005 | Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network. |
smb_activity | SMB Activity [4006] | 4006 | Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network. |
ssh_activity | SSH Activity [4007] | 4007 | SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol. |
ftp_activity | FTP Activity [4008] | 4008 | File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network. |
email_activity | Email Activity [4009] | 4009 | Email Activity events report SMTP protocol and email activities including those with embedded URLs and files. See the Email object for details. |
network_file_activity | Network File Activity [4010] | 4010 | Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive. DEPRECATED since v1.1.0. Use the new class 'File Hosting Activity' in the 'Application' category. |
email_file_activity | Email File Activity [4011] | 4011 | Email File Activity events report files within emails. DEPRECATED since v1.3.0. Use the Email Activity class with the email.files[] array instead. |
email_url_activity | Email URL Activity [4012] | 4012 | Email URL Activity events report URLs within an email. DEPRECATED since v1.3.0. Use the Email Activity class with the email.urls[] array instead. |
ntp_activity | NTP Activity [4013] | 4013 | Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network. |
tunnel_activity | Tunnel Activity [4014] | 4014 | Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions. |
inventory_info | Device Inventory Info [5001] | 5001 | Device Inventory Info events report device inventory data that is either logged or proactively collected, for example when collecting device information from a CMDB or running a network sweep of connected devices. |
config_state | Device Config State [5002] | 5002 | Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results. DEPRECATED since v1.5.0. Use the Compliance Finding class. |
user_inventory | User Inventory Info [5003] | 5003 | User Inventory Info events report user inventory data that is either logged or proactively collected, for example when collecting user information from Active Directory entries. |
patch_state | Operating System Patch State [5004] | 5004 | Operating System Patch State events report the installation of an OS patch to a device and any associated knowledge base articles. |
kernel_object_query | Kernel Object Query [5006] | 5006 | Kernel Object Query events report information about discovered kernel resources. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
file_query | File Query [5007] | 5007 | File Query events report information about files that are present on the system. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
folder_query | Folder Query [5008] | 5008 | Folder Query events report information about folders that are present on the system. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
admin_group_query | Admin Group Query [5009] | 5009 | Admin Group Query events report information about administrative groups. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
job_query | Job Query [5010] | 5010 | Job Query events report information about scheduled jobs. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
module_query | Module Query [5011] | 5011 | Module Query events report information about loaded modules. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
network_connection_query | Network Connection Query [5012] | 5012 | Network Connection Query events report information about active network connections. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
networks_query | Networks Query [5013] | 5013 | Networks Query events report information about network adapters. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
peripheral_device_query | Peripheral Device Query [5014] | 5014 | Peripheral Device Query events report information about peripheral devices. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
process_query | Process Query [5015] | 5015 | Process Query events report information about running processes. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
service_query | Service Query [5016] | 5016 | Service Query events report information about running services. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
session_query | User Session Query [5017] | 5017 | User Session Query events report information about existing user sessions. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
user_query | User Query [5018] | 5018 | User Query events report user data that has been discovered, queried, polled or searched. This event differs from User Inventory in that it describes the result of a targeted search that filters on a subset of user attributes. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
device_config_state_change | Device Config State Change [5019] | 5019 | Device Config State Change events report state changes that impact the security of the device. |
software_info | Software Inventory Info [5020] | 5020 | Software Inventory Info events report device software inventory data that is either logged or proactively collected, for example when collecting device information from a CMDB or running a network sweep of connected devices. |
osint_inventory_info | OSINT Inventory Info [5021] | 5021 | OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores. |
startup_item_query | Startup Item Query [5022] | 5022 | Startup Item Query events report information about discovered startup items, e.g. application components that are generally configured to run automatically. DEPRECATED since v1.5.0. Use the Live Evidence Info class. |
cloud_resources_inventory_info | Cloud Resources Inventory Info [5023] | 5023 | Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise. |
evidence_info | Live Evidence Info [5040] | 5040 | Data collected directly from devices that represents forensic information pulled, queried, or discovered from devices and that may indicate malicious activity. It contains a number of child objects, each representing a distinct evidence domain (network connections, file artifacts, registry entries, etc.). When mapping raw telemetry data, users should select Query Evidence and then the child object that best matches the evidence type. |
web_resources_activity | Web Resources Activity [6001] | 6001 | Web Resources Activity events describe actions executed on a set of Web Resources. |
application_lifecycle | Application Lifecycle [6002] | 6002 | Application Lifecycle events report installation, removal, start, stop of an application or service. |
api_activity | API Activity [6003] | 6003 | API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. AWS CloudTrail. |
web_resource_access_activity | Web Resource Access Activity [6004] | 6004 | Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP. DEPRECATED since v1.0.0. Use the Web Resources Activity class with the Security Control and/or Network Proxy profile instead. |
datastore_activity | Datastore Activity [6005] | 6005 | Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. AWS RDS or AWS S3. |
file_hosting | File Hosting Activity [6006] | 6006 | File Hosting Activity events report the actions taken by file management applications, including file sharing servers like SharePoint and services such as Box, MS OneDrive, Google Drive, or network file share services. |
scan_activity | Scan Activity [6007] | 6007 | Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved. |
application_error | Application Error [6008] | 6008 | Application Error events describe issues with an application. The error message should be put in the event's message attribute. The metadata.product attribute can be used to capture the originating application information. The host profile can be used to include the generating device information. This class is helpful for (and was originally intended for) applications that generate and/or handle OCSF events. It can also be used for errors in upstream products and services. |
remediation_activity | Remediation Activity [7001] | 7001 | Remediation Activity events report on attempts at remediating a compromised device or computer network. They follow the MITRE countermeasures defined by the D3FEND™ Matrix. |
file_remediation_activity | File Remediation Activity [7002] | 7002 | File Remediation Activity events report on attempts at remediating files. They follow the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File. |
process_remediation_activity | Process Remediation Activity [7003] | 7003 | Process Remediation Activity events report on attempts at remediating processes. They follow the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation. |
network_remediation_activity | Network Remediation Activity [7004] | 7004 | Network Remediation Activity events report on attempts at remediating computer networks. They follow the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering. |
drone_flights_activity | Drone Flights Activity [8001] | 8001 | Drone Flights Activity events report the activity of Unmanned Aerial Systems (UAS), their operators, and mission-planning and authorization metadata as reported by the UAS platforms themselves, by Counter-UAS (CUAS) systems, or by other remote monitoring or sensing infrastructure. Based on the Remote ID defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a). |
airborne_broadcast_activity | Airborne Broadcast Activity [8002] | 8002 | Airborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers. Based on the ADS-B standards described in Code of Federal Regulations (CFR) Title 14 Chapter I Subchapter F Part 91 and in other general Federal Aviation Administration (FAA) supplemental orders and guidance. |
win/registry_key_activity | Registry Key Activity [201001] win | 201001 | Registry Key Activity events report when a process performs an action on a Windows registry key. |
win/registry_value_activity | Registry Value Activity [201002] win | 201002 | Registry Value Activity events report when a process performs an action on a Windows registry value. |
win/windows_resource_activity | Windows Resource Activity [201003] win | 201003 | Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise. |
win/windows_service_activity | Windows Service Activity [201004] win | 201004 | Windows Service Activity events report when a process interacts with the Service Control Manager. |
win/registry_key_query | Registry Key Query [205004] win | 205004 | Registry Key Query events report information about discovered Windows registry keys. DEPRECATED since v1.5.0. Use the Evidence Info class with the Query Evidence object populated with Registry Key instead. |
win/registry_value_query | Registry Value Query [205005] win | 205005 | Registry Value Query events report information about discovered Windows registry values. DEPRECATED since v1.5.0. Use the Evidence Info class with the Query Evidence object populated with Registry Value instead. |
win/prefetch_query | Prefetch Query [205019] win | 205019 | Prefetch Query events report information about Windows prefetch files. DEPRECATED since v1.5.0. Use the Evidence Info class with the Query Evidence object populated with File instead. |