The Integrated Cyber Defense Schema defines objects, such as a file or a policy, that are referenced in multiple event types.
Name Description
Attack The attack object describes the technique and associated tactics related to an attack. Multiple attack objects can be added to Security Detection and System Activity events.
Certificate The certificate object describes the issuer and expiry of a certificate.
Cloud Hosted VM The cloud-hosted vm object describes the region and instance for a cloud-hosted virtual machine.
Common Vulnerability Scoring System V2 The Common Vulnerability Scoring System V2 object describes the base metrics as defined by the National Institute of Standards and Technology (NIST). See Common Vulnerability Scoring System for more information.
Compliance Rule The compliance rule object describes the type and criteria of a compliance check.
Container The container object describes image and instance information of a container.
Cyber Observable eXpression The Cyber Observable eXpression (CybOXTM) object describes pertinent observable attributes.
Email The Email object describes the email metadata such as sender, recipients, and direction.
Email Authentication The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.
Event Source The event source object describes the collection context of the event. Events that originate from a monitored logging facility contain an event source object.
File The file object describes files, directories, links and mounts, including the reputation information, if applicable.
File Content Type The file content type object describes the family and type of a file.
Fingerprint The fingerprint object describes the algorithm and value of a file fingerprint.
Job The job object describes the name, command line and state of a scheduled job.
Kernel Resource The kernel resource object describes the name and type of a kernel resource.
License Information The license information object describes the type, number, and expiry of a license.
Location The location object describes a geographical location, usually associated with an IP address.
Managed Entity The managed entity object describes the type and version of an object, such as a policy or configuration.
Module The module object describes the load attributes of a module.
Network Connection The network connection object describes the protocol, direction, source, and destination of a network connection or traffic.
Network Information The network information object describes the type, reputation, and associated addresses and service set identifiers of a network interface.
Peripheral Device The peripheral device object describes the identity, vendor and model of a peripheral device.
Policy The policy object describes the policy and rule that either triggered the event or the policy that was in effect when the event occurred.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

Printer The printer object describes the characteristics of a printer.
Process The process object describes the operating system process that pertains to the event.
Registry Key The registry key object describes a Windows registry key.
Registry Value The registry value object describes a Windows registry value.
Remote Procedure Call (RPC) The Remote Procedure Call (RPC) object describes the binding and interface of a remote procedure call.
Rule The rule object describes a rule that is ordinarily associated with a policy. The policy object contains an array of rule objects
Service The service object describes an application that can be started automatically at system startup, or by operating system-defined services controls.
Startup Application The startup application object describes an application that has associated startup criteria and configuration.
Threat The threat object describes the classification of known threats, as reported by a detection engine.
Transport Layer Security The Transport Layer Security (TLS) object describes the TLS attributes of an email .
Uniform Resource Locator (URL) The Uniform Resource Locator (URL) object describes the path and reputation of a URL. URL objects are included in Security events.
User The user object describes the identity of a user, including administrative group membership.
User Session The user session object describes the session in which the event occurred.