@chrisberkhout
Last active August 7, 2024 15:22
Build simplified representations of the OCSF schema (v1.3.0, fetched from the ocsf-lib-py schema cache) with required attributes only. The first JSON document below is the default, merged output; the second is the `--by-class` output.
#!/bin/env python
import argparse
import json
import sys
import urllib.request
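def by_class(all_fields_to_depth, schema_url=None, timeout=30):
    """Build a simplified ``{attribute: type}`` map for every OCSF event class.

    Downloads the OCSF schema cache JSON and reduces each entry of its ``classes``
    table with ``process_attributes``: required attributes are always kept, and
    every attribute is kept down to nesting depth ``all_fields_to_depth``.

    Args:
        all_fields_to_depth: depth (1 = the class's own attributes) down to which
            non-required attributes are included; 0 keeps required ones only.
        schema_url: HTTPS URL of the schema JSON. ``None`` selects the 1.3.0 cache
            in the ocsf-lib-py repository, which is what the original script used.
        timeout: socket timeout in seconds for the download.

    Returns:
        dict mapping class name -> nested ``{attribute: type_name | dict}``.

    Raises:
        urllib.error.URLError / HTTPError when the download fails (a stalled
        server surfaces as URLError or TimeoutError), json.JSONDecodeError when
        the body is not JSON, KeyError when it lacks the expected tables.
    """
    # NOTE(review): the default points at a mutable branch ref ("main"), so the
    # output is not reproducible and whoever can push to that repository controls
    # what this script emits. Pin to a release tag or commit SHA, and compare a
    # known digest of the file before relying on the result.
    if schema_url is None:
        schema_url = "https://raw.githubusercontent.com/ocsf/ocsf-lib-py/main/schema_cache/schema-1.3.0.json"
    # urlopen() blocks indefinitely without a timeout; the with-block also closes
    # the response, which the original never did.
    with urllib.request.urlopen(schema_url, timeout=timeout) as response:
        schema = json.loads(response.read().decode("utf-8"))
    return {
        class_name: process_attributes(schema, klass, all_fields_to_depth)
        for class_name, klass in schema["classes"].items()
    }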
def process_attributes(schema, class_or_obj, all_fields_to_depth, current_depth=1):
    """Reduce one class or object definition to a ``{attribute: type}`` map.

    An attribute is kept when ``current_depth <= all_fields_to_depth`` or when its
    ``requirement`` is ``"required"``. Profile attributes (optional overlays) are
    appended only while the depth is within ``all_fields_to_depth``; a later
    duplicate key overrides an earlier one. Scalar attributes map to their
    ``type_name``; object-valued ones recurse through ``get_obj`` one level deeper.

    Args:
        schema: the parsed schema cache (``profiles`` and ``objects`` tables are read).
        class_or_obj: one entry with ``attributes`` and ``profiles`` (may be null) keys.
        all_fields_to_depth: depth down to which non-required attributes are kept.
        current_depth: depth of ``class_or_obj`` (1 for a top-level class).

    Returns:
        dict mapping attribute name -> type name or nested dict.

    Raises:
        SystemExit for a kept attribute that has neither ``type_name`` nor ``object_type``.
        KeyError if an attribute lacks a ``requirement`` key — the schema cache appears
        to always carry one, but that is assumed here, not verified.
    """
    # Recursion is bounded by all_fields_to_depth except through required
    # self-references; none show up in the output above, but a schema with a
    # required cycle would recurse without bound.
    include_all = current_depth <= all_fields_to_depth
    selected = [
        (name, attrib)
        for name, attrib in class_or_obj["attributes"].items()
        if include_all or attrib["requirement"] == "required"
    ]
    # A profile is an optional overlay on the classes and objects that reference
    # it, so its attributes are only pulled in when every field at this depth is
    # wanted; the profile list may be null in the schema cache.
    if class_or_obj["profiles"] is not None and include_all:
        for profile_name in class_or_obj["profiles"]:
            selected.extend(schema["profiles"][profile_name]["attributes"].items())
    simplified = {}
    for name, attrib in selected:
        if attrib.get("type_name") is not None:
            simplified[name] = attrib["type_name"]
        elif attrib.get("object_type") is not None:
            simplified[name] = get_obj(schema, attrib["object_type"], all_fields_to_depth, current_depth + 1)
        else:
            exit(f"Found a required attribute without a type_name or object_type: {name}")
    return simplified
def get_obj(schema, obj_type, all_fields_to_depth, current_depth):
    """Simplify the OCSF object named ``obj_type`` as it appears at ``current_depth``.

    Looks the definition up in ``schema["objects"]`` (KeyError if absent) and
    delegates to ``process_attributes`` with the same depth settings.
    """
    definition = schema["objects"][obj_type]
    return process_attributes(schema, definition, all_fields_to_depth, current_depth)
def merged(all_fields_to_depth):
    """Union of every class's simplified attributes, deep-merged into one map.

    Args:
        all_fields_to_depth: passed through to ``by_class``.

    Returns:
        a single nested ``{attribute: type}`` dict covering all classes.

    Raises:
        SystemExit (from ``deep_merge``) if two classes type one attribute differently.
    """
    union = {}
    for class_attribs in by_class(all_fields_to_depth).values():
        union = deep_merge(union, class_attribs)
    return union
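def deep_merge(dict1, dict2):
    """Merge ``dict2`` into ``dict1`` in place and return ``dict1``.

    Nested dicts are merged recursively, equal leaves are kept, and a key whose
    values differ (two different type names, or a dict on one side and a scalar
    on the other) is reported as a conflict.

    Args:
        dict1: destination map; it is modified and returned.
        dict2: source map; never modified. Nested dicts taken from it are copied
            rather than aliased, so later merges into ``dict1`` cannot reach back
            into the structure ``dict2`` came from.

    Returns:
        ``dict1``.

    Raises:
        SystemExit with a message naming the conflicting attribute.
    """
    for key, incoming in dict2.items():
        if key not in dict1:
            # Copy nested dicts: aliasing them would let the next merge mutate
            # the caller's source data (the by_class() result in merged()).
            dict1[key] = deep_merge({}, incoming) if isinstance(incoming, dict) else incoming
        elif isinstance(dict1[key], dict) and isinstance(incoming, dict):
            dict1[key] = deep_merge(dict1[key], incoming)
        elif dict1[key] != incoming:
            sys.exit(f"There are conflicting types for the attribute '{key}'")
    return dict1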
def main():
    """CLI entry point: print the simplified schema as a single JSON document.

    ``--by-class`` prints one map per event class; otherwise every class is
    deep-merged into one map. ``--all-fields-to-depth`` controls how deep
    non-required attributes are included (0 = required only).
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--by-class', action='store_true', help='Results separated by class (default: False)')
    parser.add_argument('--all-fields-to-depth', type=int, default=0, help='Include non-required fields at this depth and higher (default: 0)')
    args = parser.parse_args()
    build = by_class if args.by_class else merged
    print(json.dumps(build(args.all_fields_to_depth)))
# Script entry point; importing this module does not trigger the download.
if __name__ == "__main__":
    main()
{
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer",
"email_uid": "String",
"file": {
"name": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"query_result_id": "Integer",
"folder": {
"name": "String",
"type_id": "Integer"
},
"job": {
"name": "String",
"file": {
"name": "String",
"type_id": "Integer"
}
},
"status_id": "Integer",
"finding_info_list": {
"title": "String",
"uid": "String"
},
"session": {},
"reg_key": {
"path": "String"
},
"actor": {},
"device": {
"type_id": "Integer"
},
"process": {},
"command_uid": "String",
"reg_value": {
"name": "String",
"path": "String"
},
"finding_info": {
"title": "String",
"uid": "String"
},
"src_endpoint": {},
"dst_endpoint": {},
"scan": {
"type_id": "Integer"
},
"privileges": "String",
"win_resource": {
"type_id": "Integer"
},
"web_resources": {},
"module": {
"load_type_id": "Integer"
},
"state_id": "Integer",
"connection_info": {
"direction_id": "Integer"
},
"entity": {},
"direction_id": "Integer",
"email": {
"from": "Email Address",
"to": "Email Address"
},
"peripheral_device": {
"name": "String",
"class": "String"
},
"kernel": {
"name": "String",
"type_id": "Integer"
},
"vulnerabilities": {},
"network_interfaces": {
"type_id": "Integer"
},
"group": {},
"driver": {
"file": {
"name": "String",
"type_id": "Integer"
}
},
"compliance": {
"standards": "String"
},
"name": "String",
"win_service": {
"name": "String"
},
"api": {
"operation": "String"
},
"app": {
"vendor_name": "String"
},
"finding": {
"title": "String",
"uid": "String"
},
"http_request": {},
"package": {
"name": "String",
"version": "String"
},
"version": "String",
"service": {},
"url": {},
"http_response": {
"code": "Integer"
}
}
{
"authentication": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"email_file_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"email_uid": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"file": {
"name": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer"
},
"folder_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"folder": {
"name": "String",
"type_id": "Integer"
},
"activity_id": "Integer"
},
"job_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"job": {
"name": "String",
"file": {
"name": "String",
"type_id": "Integer"
}
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"incident_finding": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"status_id": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"finding_info_list": {
"title": "String",
"uid": "String"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"session_query": {
"session": {},
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"win/registry_key_activity": {
"cloud": {
"provider": "String"
},
"reg_key": {
"path": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"process_remediation_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"process": {},
"command_uid": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"event_log": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"win/registry_value_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"reg_value": {
"name": "String",
"path": "String"
},
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"detection_finding": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer",
"finding_info": {
"title": "String",
"uid": "String"
}
},
"authorize_session": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"account_change": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"network_file_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"src_endpoint": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"file": {
"name": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"tunnel_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"ftp_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"file_hosting": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"src_endpoint": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"file": {
"name": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"scan_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"scan": {
"type_id": "Integer"
},
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"user_access": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"privileges": "String",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"win/resource_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"win_resource": {
"type_id": "Integer"
},
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"file_remediation_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"command_uid": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"file": {
"name": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"user_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"ssh_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"file_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"file": {
"name": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"datastore_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"src_endpoint": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"web_resources_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"web_resources": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"module_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"process": {},
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"module": {
"load_type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"network_connection_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"process": {},
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"state_id": "Integer",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"connection_info": {
"direction_id": "Integer"
},
"activity_id": "Integer"
},
"entity_management": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"entity": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"scheduled_job_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"job": {
"name": "String",
"file": {
"name": "String",
"type_id": "Integer"
}
},
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"win/registry_value_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"reg_value": {
"name": "String",
"path": "String"
},
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"email_activity": {
"direction_id": "Integer",
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"email": {
"from": "Email Address",
"to": "Email Address"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer"
},
"peripheral_device_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"peripheral_device": {
"name": "String",
"class": "String"
},
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"kernel_object_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"kernel": {
"name": "String",
"type_id": "Integer"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"vulnerability_finding": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"vulnerabilities": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer",
"finding_info": {
"title": "String",
"uid": "String"
}
},
"rdp_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"network_remediation_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"command_uid": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"connection_info": {
"direction_id": "Integer"
},
"activity_id": "Integer"
},
"network_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"module_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"module": {
"load_type_id": "Integer"
},
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"networks_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"network_interfaces": {
"type_id": "Integer"
},
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"file_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"file": {
"name": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"memory_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"process": {},
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"admin_group_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"group": {},
"activity_id": "Integer"
},
"base_event": {
"time": "Timestamp",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"type_uid": "Long",
"activity_id": "Integer",
"class_uid": "Integer",
"category_uid": "Integer",
"cloud": {
"provider": "String"
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
}
},
"kernel_extension": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"driver": {
"file": {
"name": "String",
"type_id": "Integer"
}
},
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"compliance_finding": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"compliance": {
"standards": "String"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer",
"finding_info": {
"title": "String",
"uid": "String"
}
},
"win/prefetch_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"name": "String",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"win/win_service_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"win_service": {
"name": "String"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"api_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"src_endpoint": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"api": {
"operation": "String"
},
"activity_id": "Integer"
},
"application_lifecycle": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"app": {
"vendor_name": "String"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"security_finding": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"state_id": "Integer",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"finding": {
"title": "String",
"uid": "String"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"web_resource_access_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"web_resources": {},
"http_request": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"data_security_finding": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer",
"finding_info": {
"title": "String",
"uid": "String"
}
},
"remediation_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"command_uid": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"process_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"process": {},
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"win/registry_key_query": {
"cloud": {
"provider": "String"
},
"reg_key": {
"path": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"software_info": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"package": {
"name": "String",
"version": "String"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"ntp_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"version": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"user_inventory": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"user": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"group_management": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"group": {},
"activity_id": "Integer"
},
"patch_state": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"device_config_state_change": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"service_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"service": {},
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"smb_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"email_url_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"email_uid": "String",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"url": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer"
},
"kernel_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"actor": {},
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"kernel": {
"name": "String",
"type_id": "Integer"
},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"http_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"http_response": {
"code": "Integer"
},
"time": "Timestamp",
"type_uid": "Long",
"http_request": {},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"dst_endpoint": {},
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"process_query": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"process": {},
"time": "Timestamp",
"query_result_id": "Integer",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"dns_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"inventory_info": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
},
"dhcp_activity": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"action_id": "Integer",
"category_uid": "Integer",
"activity_id": "Integer"
},
"config_state": {
"cloud": {
"provider": "String"
},
"class_uid": "Integer",
"time": "Timestamp",
"type_uid": "Long",
"device": {
"type_id": "Integer"
},
"metadata": {
"version": "String",
"product": {
"vendor_name": "String"
}
},
"severity_id": "Integer",
"osint": {
"value": "String",
"type_id": "Integer"
},
"category_uid": "Integer",
"activity_id": "Integer"
}
}