categories.json

{
  "caption": "Categories",
  "description": "The OCSF categories organize event classes, each aligned with a specific domain or area of focus.",
  "name": "category",
  "attributes": {
    "application": {
      "uid": 6,
      "caption": "Application Activity",
      "description": "Application Activity events report detailed information about the behavior of applications and services."
    },
    "discovery": {
      "uid": 5,
      "caption": "Discovery",
      "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
    },
    "findings": {
      "uid": 2,
      "caption": "Findings",
      "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
    },
    "iam": {
      "uid": 3,
      "caption": "Identity & Access Management",
      "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
    },
    "network": {
      "uid": 4,
      "caption": "Network Activity",
      "description": "Network Activity events."
    },
    "remediation": {
      "uid": 7,
      "caption": "Remediation",
      "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects."
    },
    "system": {
      "uid": 1,
      "caption": "System Activity",
      "description": "System Activity events."
    },
    "unmanned_systems": {
      "uid": 8,
      "caption": "Unmanned Systems",
      "description": "Unmanned Systems events report the activity, existence, and/or state of unmanned systems for tracking, mission planning, and other related activities."
    }
  }
}