6005 - Datastore Activity
CIM Data Models: All_Changes
OCSF Version: 1.1.0
| CIM Field | Mapping |
|---|---|
| action | case(activity_id==0, "unknown", activity_id==1, "read", activity_id==2, "update", activity_id==3, "connect", activity_id==4, "query", activity_id==5, "write", activity_id==6, "create", activity_id==7, "delete", true(), "other") |
| change_type | datastore_activity |
| command | coalesce('actor.process.cmd_line' , 'actor.process.file.name') |
| dvc | metadata.log_provider |
| dest | dst_endpoint.uid |
| object | case(type_id==1,'database.name',type_id==2,'databucket.name',type_id==3,'table.name') |
| object_id | case(type_id==1,'database.uid',type_id==2,'databucket.uid',type_id==3,'table.uid') |
| object_category | case(type_id==0,"unknown",type_id==1,"database",type_id==2,"databucket",type_id==3,"table",true(), "other") |
| result | lower('status') |
| result_id | status_id |
| src | coalesce('src_endpoint.name','src_endpoint.name','src_endpoint.hostname','src_endpoint.ip') |
| status | coalesce('status' , 'status_code' , 'status_id') |
| user_name | actor.user.name |
| user_type | coalesce('actor.user.type' , 'actor.user.type_id') |
| vendor_product | coalesce('metadata.product.name' , 'metadata.product.vendor_name') |
OCSF Version: 1.2.0
| CIM Field | Mapping |
|---|---|
| action | case(activity_id==0, "unknown", activity_id==1, "read", activity_id==2, "update", activity_id==3, "connect", activity_id==4, "query", activity_id==5, "write", activity_id==6, "create", activity_id==7, "delete", true(), "other") |
| change_type | datastore_activity |
| command | coalesce('actor.process.cmd_line' , 'actor.process.file.name') |
| dvc | metadata.log_provider |
| dest | dst_endpoint.uid |
| object | case(type_id==1,'database.name',type_id==2,'databucket.name',type_id==3,'table.name') |
| object_id | case(type_id==1,'database.uid',type_id==2,'databucket.uid',type_id==3,'table.uid') |
| object_category | case(type_id==0,"unknown",type_id==1,"database",type_id==2,"databucket",type_id==3,"table",true(), "other") |
| result | lower('status') |
| result_id | status_id |
| src | coalesce('src_endpoint.name','src_endpoint.name','src_endpoint.hostname','src_endpoint.ip') |
| status | coalesce('status' , 'status_code' , 'status_id') |
| user_name | actor.user.name |
| user_type | coalesce('actor.user.type' , 'actor.user.type_id') |
| vendor_product | coalesce('metadata.product.name' , 'metadata.product.vendor_name') |